eprintid: 5527
rev_number: 2
eprint_status: archive
userid: 1
dir: disk0/00/00/55/27
datestamp: 2023-11-09 16:17:16
lastmod: 2023-11-09 16:17:16
status_changed: 2023-11-09 16:03:05
type: conference_item
metadata_visibility: show
creators_name: Ariffin, K.A.Z.
creators_name: Jaafar, J.
creators_name: Mahmood, A.K.
creators_name: Shamsuddin, S.
title: Tracking file's metadata from computer memory analysis
ispublished: pub
keywords: Algorithms; Computer vision; Data handling; Digital storage; Electronic crime countermeasures; File organization; Information retrieval; Metadata; Search engines; Ubiquitous computing; Virtual addresses, Address translation; Computer memory; Digital forensic; File allocation tables; File systems; Memory analysis; Traditional approaches; Windows system, Computers
note: cited By 2; Conference of 15th IEEE International Conference on Computer and Information Technology, CIT 2015, 14th IEEE International Conference on Ubiquitous Computing and Communications, IUCC 2015, 13th IEEE International Conference on Dependable, Autonomic and Secure Computing, DASC 2015 and 13th IEEE International Conference on Pervasive Intelligence and Computing, PICom 2015 ; Conference Date: 26 October 2015 Through 28 October 2015; Conference Code:118896
abstract: With the advance in technology, the computer storage will become cheaper for the larger sizes. Previously, it allows the user to store more data at a lower cost. In context of digital forensic investigation, the traditional approach such as analysis on the hard disk will become inefficient in handling the huge data that is stored within it. The research on retrieving the open files from computer memory only focused on tracking the Virtual Address Descriptor (VAD) and Object Table. Thus, only the active object's open files can be retrieved from the computer memory. The aim of this paper is to present algorithms to track the metadata of files from the well-known file systems for Windows systems such as File Allocation Table (FAT) and New Technologies File System (NTFS). The algorithms encompass the signature search to retrieve the boot sector and then capture the metadata about the file from the computer memory. The algorithm will be independent of the address translation algorithm and able to capture the information from various file extensions, not limited to .EXE and .DLL. © 2015 IEEE.
date: 2015
publisher: Institute of Electrical and Electronics Engineers Inc.
official_url: https://www.scopus.com/inward/record.uri?eid=2-s2.0-84964221855&doi=10.1109%2fCIT%2fIUCC%2fDASC%2fPICOM.2015.147&partnerID=40&md5=31b4fee87b8bfa60fa6a6ce1986c3953
id_number: 10.1109/CIT/IUCC/DASC/PICOM.2015.147
full_text_status: none
publication: Proceedings - 15th IEEE International Conference on Computer and Information Technology, CIT 2015, 14th IEEE International Conference on Ubiquitous Computing and Communications, IUCC 2015, 13th IEEE International Conference on Dependable, Autonomic and Se
pagerange: 975-980
refereed: TRUE
isbn: 9781509001545
citation: Ariffin, K.A.Z. and Jaafar, J. and Mahmood, A.K. and Shamsuddin, S. (2015) Tracking file's metadata from computer memory analysis. In: UNSPECIFIED.