Enhancing Reliability During Physical Memory Forensics: Strategies and Practices

  • Original Research
SN Computer Science

Abstract

Over the past decade, forensic investigators have incorporated memory forensics as a critical part of their investigations. Memory forensics yields substantial results that would otherwise be lost if the traditional “pull the plug” procedure were followed. However, physical memory is characterized by its dynamic and volatile nature, which constantly changes the state of memory. This gives rise to challenges that reduce the reliability of physical memory forensics through a lack of correctness, completeness, accuracy, or consistency of results. While contemporary work focuses on the acquisition or analysis of memory artifacts, little work has been done to ensure reliability during the memory forensics process. This paper presents a critical analysis of reliability in current memory forensics and attempts to provide a thorough and systematic approach to ensuring reliability during physical memory forensics. To that end, the paper surveys the memory management aspects that are crucial for reconstructing reliable memory artifacts: identifying and exploring the physical memory address layout, memory address space, memory address translation, memory access methods, and the low-level internal memory data structures on which memory forensics relies. The paper then identifies the prominent challenges faced during the memory forensics process and proposes a set of practices and suggestions to be followed or considered at the different stages of physical memory forensics. These practices, if implemented, help to achieve maximum evidence reliability. Finally, a series of experiments is performed using three well-known memory acquisition tools, FTK Imager, Magnet RAM Capture, and Belkasoft RAM Capturer, on 32 GB and 16 GB Windows 10 machines to support the proposed claims. The paper also sketches important future directions in memory forensics reliability.


Data availability

The authors confirm that the data supporting the findings of this study is available within the article. Due to the nature of this research, no supplementary or supporting data is available for this paper. No data sets were used in this research. The experiments were performed on live machines.


Acknowledgements

This work has been supported by the Department of Science and Technology (DST), Ministry of Science and Technology, Government of India, under its project grant no. DST/INSPIRE Fellowship/2017/IF170301.

Corresponding author

Correspondence to Mariya Shafat Kirmani.

Ethics declarations

Conflict of interests

The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.

Additional information

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

Rights and permissions

Springer Nature or its licensor (e.g. a society or other partner) holds exclusive rights to this article under a publishing agreement with the author(s) or other rightsholder(s); author self-archiving of the accepted manuscript version of this article is solely governed by the terms of such publishing agreement and applicable law.


About this article


Cite this article

Kirmani, M.S., Banday, M.T. Enhancing Reliability During Physical Memory Forensics: Strategies and Practices. SN COMPUT. SCI. 5, 201 (2024). https://doi.org/10.1007/s42979-023-02553-y
