Extracting Windows command line details from physical memory


Bibliographic Details
Published in: Digital Investigation, Vol. 7, pp. S57-S63
Main Authors: Stevens, Richard M.; Casey, Eoghan
Format: Journal Article
Language: English
Published: Kidlington: Elsevier Ltd (Elsevier Science Ltd), 01.08.2010
ISSN: 1742-2876 (print), 1873-202X (online)
DOI: 10.1016/j.diin.2010.05.008

Summary: Current memory forensic tools concentrate mainly on system-related information like processes and sockets. There is a need for more memory forensic techniques to extract user-entered data retained in various Microsoft Windows applications such as the Windows command prompt. The command history is a prime source of evidence in many intrusions and other computer crimes, revealing important details about an offender's activities on the subject system. This paper dissects the data structures of the command prompt history and gives forensic practitioners a tool for reconstructing the Windows command history from a Windows XP memory capture. At the same time, this paper demonstrates a methodology that can be generalized to extract user-entered data on other versions of Windows.