Memory Forensics

Comparing the correctness of memory captures from locked Windows 10 machines using different boot capture vectors.

  • Jack Dyson Sheffield Hallam University
  • Shahrzad Zargari Sheffield Hallam University
Keywords: Digital Forensics, Memory Forensics, Memory Acquisition, Memory Analysis

Abstract

Memory forensics is rapidly becoming a critical part of all digital forensic investigations. The value of information stored within a computer’s memory is immense; failing to capture it could result in a substantial loss of evidence. However, it is becoming increasingly more common to find situations where standard memory acquisition tools do not work. The paper addresses how an investigator can capture the memory of a locked computer when authentication is not present. The proposed solution is to use a bootable memory acquisition tool, in this case, Passware Bootable Memory Imager. To enhance the findings, three different reboot methods will be tested to help identify what would happen if the recommended warm reboot is not possible. Using a warm reboot and a secure reboot, Passware Bootable Memory Imager was able to successfully acquire the memory of the locked machine, with the resulting captures being highly representative of the populated data. However, the memory samples collected after a cold reboot did not retain any populated data. These findings highlight that to capture the memory of a locked machine, the reboot method is highly successful, providing the correct method is followed.

DOI

Downloads

Download data is not yet available.

References

A. Case and G. Richard III, “Memory forensics: The path forward,” Digital Investigation, vol. 20, pp. 23-33, 2017.

A. Chetry and U. Sharma, “Memory Forensics Analysis for Investigation of Online Crime - A Review,” in 6th International Conference on Computing for Sustainable Global Development, Delhi, 2019.

C. Tardi, “Moore’s Law,” 23 February 2021. [Online]. Available: https://n9.cl/nywim

J. Williams, “ACPO Good Practice Guide for Digital Evidence,” Association of Chief Police Officers, London, 2011.

Lucideus, “Windows Volatile Memory Acquisition & Forensics 2018 | Lucideus Forensics,” 29 October 2018. [Online]. Available: https://medium.com/@lucideus/windows-volatile-memory-acquisition-forensics-2018-lucideus-forensics-3f297d0e5bfd.

M. Martínez, “Impact of Tools on The Acquisition of RAM Memory,” The International Journal of Cyber Forensics and Advanced Threat Investigations, vol. 1, pp. 3-17, 2021.

M. Faiz and W. Prabowo, “Comparison of Acquisition Software for Digital Forensics Purposes,” Kinetik: Game Technology, Information System, Computer Network, Computing, Electronics, and Control, vol. 4, pp. 37-44, 2019.

T. Mahesan, “Comparison of Memory Acquisition Software for Windows,” 26 Dec 2020. [Online]. Available: https://thanursan.medium.com/comparison-of-memory-acquisition-software-for-windows-e8c6d981db23.

T. Latzo, R. Palutke and F. Freiling, “A universal taxonomy and survey of forensic memory acquisition techniques,” Digital Investigation, vol. 28, pp. 56-69, 2019.

T. Latzo, M. Schulze and F. Freiling, “Leveraging Intel DCI for Memory Forensics,” in The Digital Forensic Research Conference, USA, 2021.

T. Vidas, “Volatile Memory Acquisition via Warm Boot Memory Survivability,” in 43rd Hawaii International Conference on System Sciences, Hawaii, 2010.

S. Vömel and F. Freiling, “Correctness, atomicity, and integrity: Defining criteria for forensically-sound memory acquisition,” Digital Investigation, vol. 9, pp. 125-137, 2012.

M. Gruhn and F. Freiling, “Evaluating atomicity, and integrity of correct memory acquisition methods,” Digital Investigation, vol. 16, pp. s1-s10, 2016.

M. Ligh, A. Case, J. Levy and A. Walters, The art of memory forensics: detecting malware and threats in Windows, Linux and Mac memory, New York: Wiley, 2014.

Y. Gourenko, “How to use Passware Bootable memory Imager,” 19 Oct 2021. [Online]. Available: https://support.passware.com/hc/en-us/articles/1500000308641-How-to-use-Passware-Bootable-Memory-Imager.

A. Case, “Volatility Wiki,” 17 April 2020. [Online]. Available: https://github.com/volatilityfoundation/volatility/wiki.

VMware, “Configuring and Managing Virtual Machines,” 31 May 2019. [Online]. Available: https://docs.vmware.com/en/VMware-Workstation-Pro/16.0/com.vmware.ws.using.doc/GUID-62F39498-1492-4774-A38D-1EDD3DA3C046.html.

Published
2022-07-01
How to Cite
[1]
J. Dyson and S. Zargari, “Memory Forensics”, LAJC, vol. 9, no. 2, pp. 36-51, Jul. 2022.
Section
Research Articles for the Regular Issue