Abstract—Over the past few years, memory analysis has been an issue that has been discussed in digital forensics. With the introduction of cloud computing, the analysis on memory has become critical as the hard disk is no longer the primary choice to store information and data on the computer system. The online storages with password protected such as ADrive, Dropbox and Google Cloud Storage are already available to all users. Hence, with the progress of development in this technology, the traditional approach (analysis on hard drive) has become obsolete in obtaining information from those applications. The aim of this paper is to present an algorithm that can be used to trace the processes of the memory image. The algorithm uses the signature search to find the possible process that is stored in the memory dump. Then, by the information in Parent ProcessID (PPID) and ProcessID (PID) the Process Block Tree is constructed. Further, the benchmarking test between Process Enumeration technique and this new algorithm is presented in this paper.

Index Terms—Algorithms, Information Retrieval, Memory Analysis, Signature Search.

K. A. Z. Ariffin is with the Digital Forensic Department, CyberSecurity Malaysia, Mines, Selangor, Malaysia (e-mail: akram@cybersecurity.my).
A. K. Mahmood and J. Jaafar are with the Computer Information Sciences Department, Universiti Teknologi Petronas, Perak, Malaysia (e-mail: kamilmh@petronas.com.my, jafreez@petronas.com.my).
S. Shamsuddin is with the Research Department, Cyber Security Malaysia, Mines, Selangor, Malaysia (e-mail: solahuddin@cybersecurity.my).

Cite:Khairul Akram Zainol Ariffin, Ahmad Kamil Mahmood, Jafreezal Jaafar, and Solahuddin Shamsuddin, "Object Signature Search for Capturing Processes Memory," International Journal of Computer and Communication Engineering vol. 2, no. 6, pp. 页码, 2013.