In-Depth Analysis of Computer Memory Acquisition Software for Forensic Purposes
Author(s) - McDown Robert J., Varol Cihan, Carvajal Leonardo, Chen Lei
Publication year - 2016
Publication title - Journal of Forensic Sciences
Language(s) - English
Resource type - Journals
SCImago Journal Rank - 0.715
H-Index - 96
eISSN - 1556-4029
pISSN - 0022-1198
DOI - 10.1111/1556-4029.12979
Subject(s) - computer science , operating system , software , interface (matter) , computer hardware , computer memory , embedded system , semiconductor memory , bubble , maximum bubble pressure method
Existing comparison studies of random access memory (RAM) acquisition tools are either limited in the metrics they report or evaluate tools that were designed to run on older operating systems. This study therefore evaluates seven widely used shareware or freeware/open-source RAM acquisition forensic tools that are compatible with the latest 64-bit Windows operating systems. The tools were compared on user interface capabilities, platform limitations, reporting capabilities, total execution time, shared and proprietary DLLs loaded, registry keys modified, and files invoked during processing. We observed that Windows Memory Reader and Belkasoft's Live RAM Capturer leave the fewest fingerprints in memory when loaded. ProDiscover and FTK Imager, on the other hand, perform poorly in memory usage, processing time, DLL usage, and unwanted artifacts introduced to the system. While Belkasoft's Live RAM Capturer is the fastest at obtaining an image of memory, ProDiscover takes the longest to do the same job.
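A footprint-comparison harness of the kind the study's metrics imply, given here as an added example and not as code from the paper or its authors: it diffs before/after registry snapshots, separates shared Windows DLLs from a tool's own, counts files written other than the requested image, and ranks tools per metric. The tool names (tool_alpha, tool_beta, tool_gamma), paths and every measurement below are constructed placeholders, not results from the paper; on a real host the snapshots would come from a loaded-module listing, a registry export and a file-activity trace taken before and after each acquisition run.

```python
"""Footprint comparison for RAM acquisition tools.

Added example, not code from the study. The metrics follow the study's
categories: wall-clock time, peak memory, shared vs. proprietary DLLs,
modified registry keys and files touched. All tool names, paths and
numbers below are CONSTRUCTED for illustration.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# DLLs under these directories count as shared OS libraries; anything else
# (typically the tool's own install directory) counts as proprietary.
SYSTEM_DIRS = (
    PureWindowsPath(r"C:\Windows\System32"),
    PureWindowsPath(r"C:\Windows\SysWOW64"),
)

RegSnapshot = dict[str, dict[str, str]]  # key path -> {value name: data}


@dataclass
class Run:
    tool: str
    seconds: float            # wall-clock time of the acquisition
    peak_rss_mb: float        # peak working set observed during the run
    image_path: str           # the dump the tool was asked to write
    dlls: list[str]           # modules loaded into the tool process
    files_touched: list[str]  # files created or written while it ran
    reg_before: RegSnapshot
    reg_after: RegSnapshot


def is_shared_dll(path: str) -> bool:
    """True if the module lives in a Windows system directory (case-insensitive)."""
    return any(d in PureWindowsPath(path).parents for d in SYSTEM_DIRS)


def classify_dlls(dlls):
    """Split a module list into (shared OS DLLs, proprietary DLLs), deduplicated."""
    shared = sorted({d for d in dlls if is_shared_dll(d)})
    proprietary = sorted({d for d in dlls if not is_shared_dll(d)})
    return shared, proprietary


def registry_changes(before: RegSnapshot, after: RegSnapshot):
    """Keys added, keys removed, and keys whose values changed between snapshots."""
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    changed = sorted(k for k in before.keys() & after.keys() if before[k] != after[k])
    return added, removed, changed


def unwanted_files(run: Run):
    """Files the tool touched other than the image it was asked to produce."""
    image = PureWindowsPath(run.image_path)
    return sorted({f for f in run.files_touched if PureWindowsPath(f) != image})


def footprint(run: Run) -> dict:
    """One row of the comparison table for a single tool run."""
    shared, proprietary = classify_dlls(run.dlls)
    added, removed, changed = registry_changes(run.reg_before, run.reg_after)
    return {
        "tool": run.tool,
        "seconds": run.seconds,
        "peak_rss_mb": run.peak_rss_mb,
        "shared_dlls": len(shared),
        "proprietary_dlls": len(proprietary),
        "registry_keys_modified": len(added) + len(removed) + len(changed),
        "unwanted_files": len(unwanted_files(run)),
    }


def rank(runs, metric: str):
    """Tool names ordered from smallest to largest value of one metric."""
    return [f["tool"] for f in sorted((footprint(r) for r in runs), key=lambda f: f[metric])]


# --- constructed sample runs (placeholders, not measurements from the paper) ---
_BASE_REG = {r"HKCU\Software\Classes\Local Settings": {"Seed": "1"}}

SAMPLE_RUNS = [
    Run("tool_alpha", 41.2, 9.6, r"E:\case01\alpha.raw",
        dlls=[r"C:\Windows\System32\ntdll.dll", r"C:\Windows\System32\kernel32.dll"],
        files_touched=[r"E:\case01\alpha.raw"],
        reg_before=_BASE_REG, reg_after=_BASE_REG),
    Run("tool_beta", 35.0, 14.3, r"E:\case01\beta.raw",
        dlls=[r"C:\Windows\System32\ntdll.dll", r"C:\Windows\System32\kernel32.dll",
              r"C:\Windows\System32\advapi32.dll", r"C:\Tools\beta\betacore.dll"],
        files_touched=[r"E:\case01\beta.raw", r"C:\Users\ir\AppData\Local\Temp\beta.log"],
        reg_before=_BASE_REG,
        reg_after={**_BASE_REG, r"HKCU\Software\BetaVendor\Beta": {"LastRun": "2016-01-01"}}),
    Run("tool_gamma", 212.0, 180.5, r"E:\case01\gamma.raw",
        dlls=[r"C:\Windows\System32\ntdll.dll", r"C:\Windows\System32\kernel32.dll",
              r"C:\Windows\System32\user32.dll", r"C:\Windows\SysWOW64\msvcrt.dll",
              r"C:\Tools\gamma\gui.dll", r"C:\Tools\gamma\crypto.dll"],
        files_touched=[r"E:\case01\gamma.raw", r"C:\Windows\Prefetch\GAMMA.EXE-1234.pf",
                       r"C:\Tools\gamma\gamma.log"],
        reg_before=_BASE_REG,
        reg_after={**_BASE_REG,
                   r"HKCU\Software\Classes\Local Settings": {"Seed": "2"},
                   r"HKLM\SOFTWARE\GammaVendor": {"Installed": "1"}}),
]

if __name__ == "__main__":
    for r in SAMPLE_RUNS:
        print(footprint(r))
    for m in ("seconds", "proprietary_dlls", "registry_keys_modified", "unwanted_files"):
        print(f"{m:>24}: {rank(SAMPLE_RUNS, m)}")
```

Ranking per metric rather than by a single score is deliberate: in the constructed data the fastest tool (tool_beta) is not the one with the fewest artifacts (tool_alpha), which is the same kind of trade-off the abstract reports between speed and footprint. The output image itself is excluded from the unwanted-file count, since every acquisition tool must write it; only files beyond that are artifacts the examiner did not ask for.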