Prior Publisher

The Association of Digital Forensics, Security and Law (ADFSL)


Current threats against typical computer systems demonstrate a need for forensic analysis of memory-resident data in addition to the conventional static analysis common today. Certain attacks and types of malware exist solely in memory and leave little or no evidentiary information on nonvolatile stores such as a hard disk drive. The desire to preserve system state at the time of response may even warrant memory acquisition, and the ability to analyze the acquired duplicate, independent of perceived threats.

Tools capable of duplicating various types of volatile data stores are becoming widely available. Once the data store has been duplicated, current forensic procedures have no method for extrapolating further useful information from the duplicate. This paper is focused on providing the groundwork for performing forensic investigations on the data that is typically stored in a volatile data store, such as system RAM.

The intent is to show that, when combined with good acquisition techniques, this approach makes it possible to obtain more post-incident response information, with less impact on potential evidence, than typical incident response procedures.




