Memory Forensics

Comparing the correctness of memory captures from locked Windows 10 machines using different boot capture vectors.

Authors

  • Jack Dyson Sheffield Hallam University
  • Shahrzad Zargari Sheffield Hallam University

Keywords:

Digital Forensics, Memory Forensics, Memory Acquisition, Memory Analysis

Abstract

Memory forensics is rapidly becoming a critical part of all digital forensic investigations. The value of information stored within a computer’s memory is immense; failing to capture it could result in a substantial loss of evidence. However, it is becoming increasingly more common to find situations where standard memory acquisition tools do not work. The paper addresses how an investigator can capture the memory of a locked computer when authentication is not present. The proposed solution is to use a bootable memory acquisition tool, in this case, Passware Bootable Memory Imager. To enhance the findings, three different reboot methods will be tested to help identify what would happen if the recommended warm reboot is not possible. Using a warm reboot and a secure reboot, Passware Bootable Memory Imager was able to successfully acquire the memory of the locked machine, with the resulting captures being highly representative of the populated data. However, the memory samples collected after a cold reboot did not retain any populated data. These findings highlight that to capture the memory of a locked machine, the reboot method is highly successful, providing the correct method is followed.

DOI

Downloads

Download data is not yet available.

Published

2022-07-01

Issue

Section

Research Articles for the Regular Issue

How to Cite

[1]
“Memory Forensics: Comparing the correctness of memory captures from locked Windows 10 machines using different boot capture vectors”., LAJC, vol. 9, no. 2, pp. 36–51, Jul. 2022, Accessed: Oct. 07, 2025. [Online]. Available: https://lajc.epn.edu.ec/index.php/LAJC/article/view/310

Most read articles by the same author(s)