[ZHU11] D. Y. Zhu, J. Jung, D. Song, T. Kohno, and D. Wetherall, “Taint Eraser: Protecting sensitive data leaks using application-level ta int tracking,” ACM SIGOPS Oper. Syst. Rev., vol. 45, no. 1, pp. 142–154, 2011.
[ZHU02] X. Zhuang and H. H. S. Lee, “HIDE : Hardware-support for Lea kage-Immune Dynamic Execution,” pp. 1–14, 2002.
[WIN17] Windows driver developer doc team, Matt Stroshane, "Introducti on to File System Filter Drivers", https://docs.microsoft.com/enus/ windows-hardware/drivers/ifs/introduction-to-file-system-filt er-drivers, 2017
[VOL17a] The Volatility Foundation. Volatility foundation. 2017. http://ww w. volatilityfoundation.org/.
[VID10] T. Vidas, “Volatile memory acquisition via warm boot memory su rvivability,” Proc. Annu. Hawaii Int. Conf. Syst. Sci., pp. 1–6, 20 10.
[TRI14] N. Trivedi, “Study on Pagefile . sys in Windows System,” vol. 1 6, no. 2, pp. 11–16, 2014.
[SYL16] J. T. Sylve, V. Marziale, and G. G. Richard, “Modern windows hi bernation file analysis,” Digit. Investig., pp. 1–7, 2016.
[SUI07] M. Suiche, “Hibernation Fun n Profit,” Black Hat, 2007.
[STU13] St ttgen, J., & Cohen, M. (2013). Anti-forensic resilient memory acquisition. Digital Investigation. http://doi.org/10.1016/j.diin.201 3.06.012
[SNO13] K. Z. Snow, F. Monrose, L. Davi, A. Dmitrienko, C. Liebchen, an d A.-R. Sadeghi, “Just-in-time code reuse: On the effectiveness of fine-grained address space layout randomization,” in Security and Privacy (SP), 2013 IEEE Symposium on. IEEE, 2013, pp. 57 4–588.
[SIM10] Simon, M. Recovery of Skype Application Activity Data From Ph ysical Memory. http://doi.org/10.1109/ARES.2010.73, 2010
[SES07] A. Seshadri and M. Luk, “SecVisor : A Tiny Hypervisor for Lifet ime Kernel Code Integrity.”, 2007
[PET10] P. A. H. Peterson, “Cryptkeeper: Improving security with encryp ted RAM,” 2010 IEEE Int. Conf. Technol. Homel. Secur. HST 20 10, pp. 120–126, 2010.
[PET04] Petroni, Nick L.; Fraser, Timothy; Molina, Jesus; Arbaugh, Willia m A. Copilot – A Coprocessor-Based Kernel Runtime Integrity Monitor. In Proceedings of the 13th USENIX Security Symposiu m, 2004.
[OLA12b] F. Olajide, N. Savage, G. Akmayeva, and C. Shoniregun, “Extra cting Forensically Relevant Information from Windows Applicatio n,” IEEE Int. Conf. Inf. Soc., pp. 423–428, 2012.
[OLA12a] F. Olajide, N. Savage, G. Akmayeva, and C. Shoniregun, “Identif ying and Finding Forensic Evidence From Windows Application,” J. Internet Technol. Secur. Trans., vol. 1, no. 4, pp. 117–122, 2 012.
[MUL11] T. M ller, F. C. Freiling, and A. Dewald, “TRESOR runs encrypt ion securely outside RAM,” Proceeding SEC’11 Proc. 20th USE NIX Conf. Secur., p. 17, 2011.
[MSDc] MSDN, “Process Working Set”, https://msdn.microsoft.com/en-us/l ibrary/windows/desktop/ms684891(v=vs.85).aspx
[LUK05] C.-K. Luk, R. Cohn, R.Muth, H. Patil, A.Klauser, G. Lowney, S.W al- lace, V. J. Reddi, and K. Hazelwood. Pin: Building Customize d Program Analysis Tools with Dynamic Instrumentation, 2005
[LIF09] L. Su, S. Courcambeck, P. Guillemin, C. Schwarz, and R. Pacalet, “SecBus: Operating System controlled hierarchical page-based memory bus protection,” 2009 Des. Autom. Test Eur. Conf. Exh ib., pp. 570–573, 2009.
[KOR07] J. D. Kornblum, “Using every part of the buffalo in Windows me mory analysis,” Digit. Investig., vol. 4, no. 1, pp. 24–29, 2007.
[KEM12] V. P. Kemerlis, G. Portokalidis, K. Jee, A. D. Keromytis, “Libdf t: Practical Dynamic Data Flow Tracking for Commodity System s,” Proc. 8th ACM SIGPLAN/SIGOPS Conf. Virtual Exec. Enviro n. - VEE ’12, vol. 47, no. 7, p. 121, 2012.
[KAN11] Kannan, J., Altekar, G., Maniatis, P., & Chun, B.-G., Making pro grams forget: enforcing lifetime for sensitive data. Proc. of the 13th USENIX Conference on Hot Topics in Operating Systems, 23–27, 2011
[JIA13] J. Sun, H. Chen, C. Chang, and X. Li, “KERNEL CODE INTEGRIT Y PROTECTION BASED ON A VIRTUALIZED MEMORY ARCHIT ECTURE,” vol. 32, pp. 295–311, 2013.
[IQB09] Iqbal, H., Forensic Analysis of Physical Memory and Page File, 2 009
[INT17] Intel, Intel 64 and IA-32 Architectures Software Developer’s M anual Volume 3, 2017
[HUA02] A. Huang, “Keeping Secrets In Hardware,” CHES2002, pp. 213– 227, 2002.
[HOF11] O. S. Hofmann, A. M. Dunn, I. Roy, and E. Witchel, “Ensuring O perating System Kernel Integrity with OSck,” Evaluation. 2011
[HEW14] Hewlett-Packard Corporation, Intel Corporation, Microsoft Corpo ration, Phoenix Technologies Ltd., Toshiba Corporation, "Advanc ed Configuration and Power Interface Specification", 2014.
[HER14] Hermann, Uwe, "Physical memory attacks via Firewire/DMA - P art 1: Overview and Mitigation". http://www.hermann-uwe.de/blo g/physical-memory-attacks-via-firewire-dma-part-1-overviewand- mitigation, 2014.
[HEJ09] Hejazi, S. M., Talhi, C., & Debbabi, M., Extraction of forensically sensitive information from windows physical memory. Digital Inv estigation, 6(SUPPL.), 2009
[HAR11] A. F. Harvey and Data Acquisition Division Staff, "DMA Fundam entals on Various PC Platforms", 2011
[HAL08] Halderman, J. A., Schoen, S. D., Heninger, N., Clarkson, W., Pau l, W., Calandrino, J. a., … Felten, E. W. (2008). Lest We Reme mber: Cold Boot Attacks on Encryption Keys. USENIX Security Symposium, 1–16. http://doi.org/10.1145/1506409.1506429
[GUE16] S. Gueron, “Memory Encryption for General-Purpose Processor s,” no. December, 2016.
[GOT16] J. G tzfried, F. A. U. Erlangen-nuremberg, F. A. U. Erlangen-nu remberg, M. Backes, and S. N rnberger, “RamCrypt : Kernel-ba sed Address Space Encryption for User-mode Processes,” Asia CCS, pp. 919–924, 2016.
[GON12] K. Gondi, P. Bisht, and P. Venkatachari, “SWIPE : Eager Erasur e of Sensitive Data in Large Scale Systems Software,” 2012.
[ENC08] W. Enck, K. Butler, T. Richardson, P. McDaniel, and A. Smith, “Defending against attacks on main memory persistence,” Proc. - Annu. Comput. Secur. Appl. Conf. ACSAC, pp. 65–74, 2008.
[DUN12] A. M. Dunn, M. Z. Lee, S. Jana, S. Kim, M. Silberstein, Y. Xu, V. Shmatikov, and E. Witchel, “Eternal Sunshine of the Spotless Machine: Protecting Privacy with Ephemeral Channels.,” Proc. - - USENIX Symp. Oper. Syst. Des. Implement. / USENIX Assoc. USENIX Symp. Oper. Syst. Des. Implement., pp. 61–75, 2012.
[DOL09] Dolan-Gavitt, B., "Add Support for Inactive Hiberfiles to Hibinfo, Vola- tilityfoundation/volatility@552c1d8", https://github.com/vola tilityfoundation/volatility/commit/552c1d813b05a0bf8d3d1ec1f64b 3ba5f98403cc, April 2009
[DEL12] B. Delpy and B. Delpy, “mimikatz,” PhDays, 2012.
[DAR11] DABROWSKI, R., J., MUNSON, AND V., E. Is 100 Millisec- onds Too Fast? In Proceedings of the CHI Conference on Human Fac tors in Computing Systems, vol. 2 of Short talks: in- teraction t echniques, ACM, pp. 317–318. 2011
[DAE12], Daeyeop Yang, Manhyun Chung, “Research on User Data Leaka ge Prevention through Memory Initialization”, 2012
[COS16] V. Costan and S. Devadas, “Intel SGX Explained,” Cryptol. ePrin t Arch. Rep. 2016/086, p. 108, 2016.
[COM17] Comae Technologies, "Hibr2Bin", 2017
[COH14] M.Cohen, WIndows Virtual Address Translation and the Pagefile, http://rekall-forensic.blogspot.kr/2014/10/windows-virtual-addres s-translation-and.html, 2014
[CHO05] J. Chow, B. Pfaff, T. Garfinkel, and M. Rosenblum, “Shredding y our garbage: Reducing data lifetime through secure deallocatio n,” USENIX Secur. Symp., pp. 331–346, 2005.
[CHH11] S. Chhabra, B. Rogers, Y. Solihin, and M. Prvulovic, “SecureME : A Hardware-Software Approach to Full System Security,” Pro c. Int. Conf. Supercomput., pp. 108–119, 2011.
[CAR04] Carrier, B.D.; Grand, J. A hardware-based memory acquisition p rocedure for digital investigations. Digital Investigation, Volume 1(1), pp. 50–60, 2004.
[BOI06] Boileau, Adam, "Hit by a Bus: Physical Access Attacks with Fire wire". In Proceedings of Ruxcon, 2006
[BOC17] The Bochs Project, "Bochs x86 PC emulator - Bochs 2.6.9 rele ased on April 9, 2017", http://bochs.sourceforge.net/, 2017
[BIT14] A. Bittau, A. Belay, A. Mashtizadeh, D. Mazieres, and D. Boneh, `“Hacking blind,” in 2014 IEEE Symposium on Security and Priv acy. IEEE, 2014, pp. 227–242.
[BES80] BEST, R. Preventing software piracy with crypto-microprocessor s. In Proceedings of the IEEE Spring Compcon. (February 198 0), 466-469.
[BEL05] F. Bellard, “QEMU , a Fast and Portable Dynamic Translator,” p p. 41–46, 2005.
[BEC05] Becher, Michael; Dornseif, Maximillian; Klein, Christian N. "Fire Wire – All Your Memory Are Belong To Us". In Proceedings of the Annual CanSecWest Applied Security Conference, 2005.