This paper details an investigation aimed at identifying the application-level evidence that can be extracted from volatile memory. Application-level evidence indicates how the user was using an application at the moment a memory image is collected. Commonly used Windows applications were tested: Microsoft Word 2007, Microsoft Excel 2007, Adobe Reader 9.0, Microsoft PowerPoint 2007 and Internet Explorer 7.0. Details of what the user was doing at the time of the memory capture were found and analysed. Fragments of user information (for example, the documents they were working on and the web pages they viewed) were found in various areas of memory for all applications. Both Microsoft Word and Internet Explorer stored all of the user data in contiguous memory blocks, which made the evidence easy to find. However, very little evidence was found when the user was using Adobe Reader 9.0, and only fragmented evidence was found for Excel 2007 and PowerPoint 2007. The methodology and the results of this research will aid investigators in gathering and analysing forensic information from a computer system.
Journal: Journal of Computing in Systems and Engineering
Publication status: Published - 2009
- Digital Forensics, Evidence, Application Level, RAM analysis, Process, Volatile Memory
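The abstract's distinction between evidence held in contiguous memory blocks (Word, Internet Explorer) and evidence that survives only as scattered fragments (Excel, PowerPoint) can be checked mechanically once the investigator knows what text to look for. The following is an added example, not code from the paper: a greedy longest-match carver that locates a known reference text inside a memory image and reports whether it was recovered as one block or as fragments. The memory image, the two documents and the UTF-16LE assumption about how Windows applications store text are all constructed for the illustration.

```python
from dataclasses import dataclass

@dataclass
class Hit:
    ref_offset: int    # character offset within the reference text
    image_offset: int  # byte offset within the memory image
    length: int        # characters recovered at this location

def locate_fragments(image: bytes, reference: str, encoding: str = "utf-16-le",
                     min_chars: int = 8) -> list[Hit]:
    """Greedy longest-match carving: walk the reference text and, at each position,
    find the longest prefix of the remainder that occurs in the image. Matches
    shorter than min_chars are ignored (short byte runs recur by chance). Windows
    applications mostly keep text as UTF-16LE, hence the default encoding."""
    hits: list[Hit] = []
    i = 0
    while i < len(reference):
        for length in range(len(reference) - i, min_chars - 1, -1):
            pos = image.find(reference[i:i + length].encode(encoding))
            if pos != -1:
                hits.append(Hit(i, pos, length))
                i += length
                break
        else:
            i += 1  # character not recovered anywhere; keep scanning
    return hits

def classify(hits: list[Hit], reference: str) -> str:
    """One hit covering the whole text is contiguous evidence (the paper's Word/IE
    case); several hits mean the data survives only as scattered fragments."""
    recovered = sum(h.length for h in hits)
    if recovered == 0:
        return "not found"
    if len(hits) == 1 and recovered == len(reference):
        return "contiguous"
    return "fragmented"

# Constructed sample data (not from the paper): two documents the user had open.
DOC_A = "Quarterly report draft: revenue up 4% in Q3, pending sign-off."
DOC_B = "Slide 3 notes: budget figures still missing from finance."

def build_sample_image() -> bytes:
    """Toy memory image: DOC_A stored in one block (Word-like), DOC_B split into
    two separated chunks (Excel/PowerPoint-like), with 1 KiB filler between."""
    filler = bytes(range(256)) * 4
    return (filler + DOC_A.encode("utf-16-le") + filler
            + DOC_B[:20].encode("utf-16-le") + filler
            + DOC_B[20:].encode("utf-16-le") + filler)
```

Against a real image the same routine is run over the raw dump (or a single process's address space) with the document text or URL the investigator already has; the hit offsets then tell which region of memory, and hence which process, held the evidence.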