Memory forensics is the process of analyzing the volatile data held in a dump of a computer's memory. It is conducted mainly to identify unauthorized or malicious activity on the computer, particularly attacks that leave no easily identifiable tracks on the hard drive. Live memory forensics captures the current state of the system's memory. Through forensic analysis of volatile memory an investigator can recover a great deal of information about the data it holds and the activity that took place on the system, such as: the processes currently running on the system, the executable files that are running, IP addresses and other network information, the active users and where they logged in from, and the open files and the users accessing them.
A memory dump is a snapshot of the system's volatile memory at a specific instant in time. Forensic analysis of a memory dump is an important process because it can give valuable information about the state of the computer system before a malicious activity or crash occurred. The RAM contents in the dump can help to identify the cause of the incident and other related information. Through volatile memory forensics the investigators collect the system's volatile information and create a permanent record of the system's state, so that suspicious activities such as viruses and other malware can be tracked. This provides very vital information in cases where the malware leaves no trace of its activity on the system's hard drive.
Attack methods grow more sophisticated every day, which increases the importance of live memory forensics and computer forensics tools. Today most network-based security solutions are unable to identify malware activity that is written to, or takes place directly in, the computer's physical memory. Forensic analysis of computer memory provides a unique insight into current activities and network connections. In many situations the important data that points to unauthorized activity or an attack will exist only in the computer's volatile memory. Information such as credentials, chat messages, running processes and internet history that is never cached to disk is loaded into physical memory in the order of execution. This makes evidence collection in digital forensics more complicated.
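As an added example (not code from the original article), the Python below shows the kind of artifact recovery described in the paragraphs above: it carves process records, IP:port pairs and URLs out of a raw memory image and hashes the image so it can serve as the permanent record of the system's state. The image is a small constructed byte string, and the process record layout (a "PROC" magic, a PID and a 16-byte name) is an invented simplification; real dumps need OS-specific structure knowledge of the kind tools such as Volatility provide. All names and functions here are assumptions for the example.

```python
import hashlib
import re
import struct
from typing import Dict, List

# Toy process record layout (an assumption for this example, not a real OS
# structure): magic b"PROC", 4-byte little-endian PID, 16-byte NUL-padded name.
PROC_MAGIC = b"PROC"
PROC_FMT = "<4sI16s"
PROC_SIZE = struct.calcsize(PROC_FMT)  # 24 bytes


def _proc_record(pid: int, name: str) -> bytes:
    """Build one toy process record for the constructed image."""
    return struct.pack(PROC_FMT, PROC_MAGIC, pid, name.encode("ascii").ljust(16, b"\x00"))


# Constructed sample "memory image": filler bytes, three process records and a
# few strings an investigator would expect to find (a connection string, a
# URL fragment, a chat fragment). The IP is from the documentation range.
SAMPLE_IMAGE = (
    b"\x00" * 64
    + _proc_record(4, "System")
    + b"\xff" * 32
    + _proc_record(1337, "svchost.exe")
    + b"connect 203.0.113.45:8443\x00"
    + b"\x00" * 16
    + b"GET http://example.test/update.bin\x00"
    + _proc_record(2048, "notepad.exe")
    + b"chat: meet at 9\x00"
)

IPV4_PORT_RE = re.compile(rb"\b(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})\b")
URL_RE = re.compile(rb"https?://[A-Za-z0-9.\-_/]+")


def image_sha256(image: bytes) -> str:
    """Hash the acquired image so the permanent record can be verified later."""
    return hashlib.sha256(image).hexdigest()


def carve_processes(image: bytes) -> List[Dict[str, object]]:
    """Scan for toy process records by magic and unpack PID and image name.

    A magic found too close to the end of the image (truncated record) is skipped.
    """
    found: List[Dict[str, object]] = []
    offset = image.find(PROC_MAGIC)
    while offset != -1 and offset + PROC_SIZE <= len(image):
        _magic, pid, raw_name = struct.unpack_from(PROC_FMT, image, offset)
        name = raw_name.split(b"\x00", 1)[0].decode("ascii", errors="replace")
        found.append({"offset": offset, "pid": pid, "name": name})
        offset = image.find(PROC_MAGIC, offset + PROC_SIZE)
    return found


def carve_network(image: bytes) -> List[str]:
    """Carve ip:port pairs, discarding candidates with bad octets or ports."""
    hits: List[str] = []
    for m in IPV4_PORT_RE.finditer(image):
        ip, port = m.group(1).decode(), int(m.group(2))
        if all(0 <= int(o) <= 255 for o in ip.split(".")) and 0 < port <= 65535:
            hits.append(f"{ip}:{port}")
    return hits


def carve_urls(image: bytes) -> List[str]:
    """Carve http/https URLs (internet history that never reached the disk cache)."""
    return [m.group(0).decode() for m in URL_RE.finditer(image)]


def analyze(image: bytes) -> Dict[str, object]:
    """Produce the record an investigator would keep: hash, size and artifacts."""
    return {
        "sha256": image_sha256(image),
        "size": len(image),
        "processes": carve_processes(image),
        "network": carve_network(image),
        "urls": carve_urls(image),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(analyze(SAMPLE_IMAGE), indent=2))
```

The hash is computed over the whole image before any carving so that the report can be tied back to the exact bytes acquired; the carvers validate what they find (octet and port ranges, truncated records) because string carving over raw memory produces many false candidates.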
Now you may be wondering why forensic analysis of volatile memory, or RAM, is not part of every computer forensic investigation. The main reasons are:
To acquire digital data from volatile memory the target system must be running, and the collection program must be introduced into the system and executed, which leaves an acquisition footprint.
Due to advances in malware technology, the RAM provides evidence only of a crime that has already been committed.
The main difficulty the investigator faces during forensic analysis of a memory dump is that shutting the computer down flushes all the information stored in volatile memory.
Generally, during the investigation process the investigator focuses mainly on the user's activities on the system and on evidence of malware activity. Sometimes it is necessary to recover encryption keys and passwords if they are considered evidence. But before starting the investigation the investigator should have a clear idea of what they need to establish on the target system. During the acquisition of evidence, depending on the situation and the process, the investigator extracts the evidence in various formats. Here are some of the most commonly used acquisition formats in live memory forensics.
While conducting forensic analysis of computer memory, depending on the case and the situation of the investigation, as many artifacts as possible are collected from the running system, and the result may be large. Any program that passes through the system leaves data in RAM, for how long depending on the size of the RAM. In the section below we look at a few types of artifacts that can be acquired from the running system while conducting volatile memory forensics.
Memory forensics is the process of acquiring evidence from computer memory. It helps investigators to identify crucial data and malware activity that leave no trace on the system's hard drive. Proper forensic analysis of volatile memory provides detailed information about the running system and its processes.