Memory Forensics

Comparing the correctness of memory captures from locked Windows 10 machines using different boot capture vectors.

Authors

  • Jack Dyson Sheffield Hallam University
  • Shahrzad Zargari Sheffield Hallam University

Keywords:

Digital Forensics, Memory Forensics, Memory Acquisition, Memory Analysis

Abstract

Memory forensics is rapidly becoming a critical part of all digital forensic investigations. The value of information stored within a computer’s memory is immense; failing to capture it could result in a substantial loss of evidence. However, it is becoming increasingly more common to find situations where standard memory acquisition tools do not work. The paper addresses how an investigator can capture the memory of a locked computer when authentication is not present. The proposed solution is to use a bootable memory acquisition tool, in this case, Passware Bootable Memory Imager. To enhance the findings, three different reboot methods will be tested to help identify what would happen if the recommended warm reboot is not possible. Using a warm reboot and a secure reboot, Passware Bootable Memory Imager was able to successfully acquire the memory of the locked machine, with the resulting captures being highly representative of the populated data. However, the memory samples collected after a cold reboot did not retain any populated data. These findings highlight that to capture the memory of a locked machine, the reboot method is highly successful, providing the correct method is followed.

DOI

Downloads

Download data is not yet available.
Vol 9 No 2 (2022)

Downloads

Published

2022-07-01

Issue

Vol. 9 No. 2 (2022)

Section

Research Articles for the Regular Issue

License

Licencia Creative Commons

 Copyright Notice

Authors who publish this journal agree to the following terms:

  1. Authors retain copyright and grant the journal right of first publication with the work simultaneously licensed under a Creative Commons Attribution-Non-Commercial-Share-Alike 4.0 International 4.0 that allows others to share the work with an acknowledgement of the work's authorship and initial publication in this journal.
  2. Authors are able to enter into separate, additional contractual arrangements for the non-exclusive distribution of the journal's published version of the work (e.g., post it to an institutional repository or publish it in a book), with an acknowledgement of its initial publication in this journal.
  3. Authors are permitted and encouraged to post their work online (e.g., in institutional repositories or on their website) prior to and during the submission process, as it can lead to productive exchanges, as well as earlier and greater citation of published work.

Disclaimer

LAJC in no event shall be liable for any direct, indirect, incidental, punitive, or consequential copyright infringement claims related to articles that have been submitted for evaluation, or published in any issue of this journal. Find out more in our Disclaimer Notice.

How to Cite

[1]
“Memory Forensics: Comparing the correctness of memory captures from locked Windows 10 machines using different boot capture vectors”., LAJC, vol. 9, no. 2, pp. 36–51, Jul. 2022, Accessed: Oct. 07, 2025. [Online]. Available: https://lajc.epn.edu.ec/index.php/LAJC/article/view/310

Most read articles by the same author(s)