Application level evidence from volatile memory

Funminiyi Olajide; Nick Savage; Ed Paper

Application level evidence from volatile memory

Funminiyi Olajide, Nick Savage, Ed Paper (Editor)

School of Computing

Research output: Contribution to journal › Article › peer-review

Abstract

This paper details an investigation aimed at identifying the application level evidence that can be extracted from volatile memory. Application level evidence indicates how the user is using an application when a memory image is collected. Commonly used Windows applications have been tested; Microsoft Word 2007, Microsoft Excel 2007, Adobe Reader 9.0, Microsoft PowerPoint 2007 and Internet Explorer 7.0. Details of what the user was doing at the time of the memory capture were found and analysed. Fragments of user information (for example, documents they were working on and the web pages they viewed) were found in various areas of memory for all applications. Both Microsoft Word and Internet Explorer stored all of the user data on contiguous memory blocks which made the evidence easy to find. However, very little evidence was found when the user was using Adobe Reader 9.0 and only fragmented evidence was found in Excel 2007 and PowerPoint 2007. The methodology and the results of this research will aid investigators in gathering and analysing forensic information from a computer system.

Original language	English
Pages (from-to)	171-175
Journal	Journal of Computing in Systems and Engineering
Volume	10
Publication status	Published - 2009

Keywords

Digital Forensics, Evidence, Application Level, RAM analysis, Process, Volatile Memory

Cite this

@article{e8eed0b0b9884055bc157b375ad22a91,

title = "Application level evidence from volatile memory",

abstract = "This paper details an investigation aimed at identifying the application level evidence that can be extracted from volatile memory. Application level evidence indicates how the user is using an application when a memory image is collected. Commonly used Windows applications have been tested; Microsoft Word 2007, Microsoft Excel 2007, Adobe Reader 9.0, Microsoft PowerPoint 2007 and Internet Explorer 7.0. Details of what the user was doing at the time of the memory capture were found and analysed. Fragments of user information (for example, documents they were working on and the web pages they viewed) were found in various areas of memory for all applications. Both Microsoft Word and Internet Explorer stored all of the user data on contiguous memory blocks which made the evidence easy to find. However, very little evidence was found when the user was using Adobe Reader 9.0 and only fragmented evidence was found in Excel 2007 and PowerPoint 2007. The methodology and the results of this research will aid investigators in gathering and analysing forensic information from a computer system. ",

keywords = "Digital Forensics, Evidence, Application Level, RAM analysis, Process, Volatile Memory",

author = "Funminiyi Olajide and Nick Savage and Ed Paper",

year = "2009",

language = "English",

volume = "10",

pages = "171--175",

journal = "Journal of Computing in Systems and Engineering",

issn = "1472-9083",

}

TY - JOUR

T1 - Application level evidence from volatile memory

AU - Olajide, Funminiyi

AU - Savage, Nick

A2 - Paper, Ed

PY - 2009

Y1 - 2009

N2 - This paper details an investigation aimed at identifying the application level evidence that can be extracted from volatile memory. Application level evidence indicates how the user is using an application when a memory image is collected. Commonly used Windows applications have been tested; Microsoft Word 2007, Microsoft Excel 2007, Adobe Reader 9.0, Microsoft PowerPoint 2007 and Internet Explorer 7.0. Details of what the user was doing at the time of the memory capture were found and analysed. Fragments of user information (for example, documents they were working on and the web pages they viewed) were found in various areas of memory for all applications. Both Microsoft Word and Internet Explorer stored all of the user data on contiguous memory blocks which made the evidence easy to find. However, very little evidence was found when the user was using Adobe Reader 9.0 and only fragmented evidence was found in Excel 2007 and PowerPoint 2007. The methodology and the results of this research will aid investigators in gathering and analysing forensic information from a computer system.

AB - This paper details an investigation aimed at identifying the application level evidence that can be extracted from volatile memory. Application level evidence indicates how the user is using an application when a memory image is collected. Commonly used Windows applications have been tested; Microsoft Word 2007, Microsoft Excel 2007, Adobe Reader 9.0, Microsoft PowerPoint 2007 and Internet Explorer 7.0. Details of what the user was doing at the time of the memory capture were found and analysed. Fragments of user information (for example, documents they were working on and the web pages they viewed) were found in various areas of memory for all applications. Both Microsoft Word and Internet Explorer stored all of the user data on contiguous memory blocks which made the evidence easy to find. However, very little evidence was found when the user was using Adobe Reader 9.0 and only fragmented evidence was found in Excel 2007 and PowerPoint 2007. The methodology and the results of this research will aid investigators in gathering and analysing forensic information from a computer system.

KW - Digital Forensics, Evidence, Application Level, RAM analysis, Process, Volatile Memory

M3 - Article

SN - 1472-9083

VL - 10

SP - 171

EP - 175

JO - Journal of Computing in Systems and Engineering

JF - Journal of Computing in Systems and Engineering

ER -

Application level evidence from volatile memory

Abstract

Keywords

Fingerprint

Cite this