1. Field of the Invention
The present invention relates to a method and apparatus for digital forensics, and more particularly, to a method and apparatus for digital forensics capable of obtaining detailed information using a feature of data used as a virtual memory in a computing environment.
2. Discussion of Related Art
Digital forensics is the field of finding important evidence using computer-generated information in criminal investigations. With the development of information technology, most information is being digitized. Thus, in criminal investigations, the sources of evidence and information are changing from analog media such as documents to digital media such as computer hard disks.
However, because digital information is easily deleted, relevant evidence is difficult to obtain. Such a digital environment calls for a method of obtaining information from digital storage media, such as a deleted or formatted hard disk. This field is referred to as digital forensics.
Meanwhile, a Windows page file (pagefile.sys) used in digital forensics is a part of a hard disk used as memory to expand the physical memory capacity. The page file stores data in units of pages according to the Windows memory management mechanism. Pages stored in the page file are unrelated to one another, but the data within a single page serves the same function. The information required for managing the page file is held in memory while Windows is running and disappears when the system is shut down. Thus, it is impossible to obtain the management information on the stored pages from the page file alone. In other words, conventional digital forensics can extract only strings from the page file, because no other data describing the page file is available. Consequently, a password, a Uniform Resource Locator (URL) and an email address can be extracted by string searching, but it is impossible to extract further information.
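The conventional string search described above can be sketched as follows. This is an added example, not part of the original text or of the claimed method: it scans a buffer page by page, recovers ASCII and UTF-16LE strings, and keeps those that look like URLs or email addresses. The 4 KiB page size, the minimum string length, the patterns and the sample buffer are all assumptions made for the illustration.

```python
import re

PAGE_SIZE = 4096  # assumption: 4 KiB pages, the usual Windows x86/x64 page size
MIN_LEN = 6       # assumption: shortest run of characters treated as a string

ASCII_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def scan_pages(data, page_size=PAGE_SIZE):
    """Yield (page_index, byte_offset_in_page, kind, value) for each hit.

    Each page is scanned on its own because neighbouring pages in the file
    are unrelated; a string is never stitched across a page boundary.
    """
    for base in range(0, len(data), page_size):
        page = data[base:base + page_size]
        # (start offset, bytes per character, decoded text)
        found = [(m.start(), 1, m.group().decode("ascii"))
                 for m in ASCII_RE.finditer(page)]
        found += [(m.start(), 2, m.group().decode("utf-16-le"))
                  for m in UTF16_RE.finditer(page)]
        for start, width, text in sorted(found):
            for kind, rx in (("url", URL_RE), ("email", EMAIL_RE)):
                for hit in rx.finditer(text):
                    yield (base // page_size, start + width * hit.start(),
                           kind, hit.group())

def build_sample():
    """Constructed 3-page buffer standing in for a page file (not real data)."""
    pages = [bytearray(PAGE_SIZE) for _ in range(3)]
    url = b"https://mail.example.test/login?user=alice"
    pages[0][100:100 + len(url)] = url                     # ASCII string in page 0
    pages[1][:] = bytes([0x90, 0x01]) * (PAGE_SIZE // 2)   # binary data, no strings
    mail = "alice@example.test".encode("utf-16-le")
    pages[2][512:512 + len(mail)] = mail                   # UTF-16LE string in page 2
    return b"".join(bytes(p) for p in pages)

if __name__ == "__main__":
    for row in scan_pages(build_sample()):
        print(row)
```

Each hit carries only a page index and an offset: nothing in the output says which process or data structure the page belonged to, which is the limitation the passage describes.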