RAM data significance in Digital Forensics

2019-09-24 RAM Memory Forensics Volatile

유혜민
Intelligent digital investigation tools

Last semester, I made memory dump file for analyzing trace remaining after using Tor-browser. However, my boss said it is useless because that file was available to get only when the computer kept power on. After that I thought the RAM data are so volatile that forensic investigators really don’t care about when do investigation. However, today professor mentioned about RAM evidence in class, so I thought it can be important in some cases even if it has volatile properties. And then I found this paper explaining about the significance of volatile data.

This is the summary of the paper, RAM data significance in Digital Forensics (2015).

Live Data Forensics

It is defined as volatile or partially volatile computer data which disappear on shutting down. Most investigators normally analyze the data from HDD, CD/DVD, USB memories known as post-mortem analysis. However, for knowing live data, we have to analyze Pagefile, Hibernation file, Crash Dump files and Random Access Memory (RAM).

Random Access Memory (RAM)

All data made by users pass through RAM first. All information stored in RAM tell us specific time of what happened while data in the hard disk show that in general.

Importance of RAM analysis

Using RAM investigators can figure out information that is more restricted in traditional post-mortem analysis. Investigators have difficulty to access encrypted data using hard disks and USB. They need to crack it by using tool. However, the data that users entered their passwords are being stored in RAM. It is possible to hide data in RAM to make systems endanger by malware. We can understand the way the computer used when we detect malware.

Information and Data that can be found in the RAM

Reference