Physical memory: digital evidence for law enforcement
Authors
Currier, Christopher C.
Issue Date
2010
Type
Thesis
Language
en
Keywords
Forensic sciences
Alternative Title
Abstract
While seizing a computer at a scene, law enforcement officers normally pull the plug. By doing this, data in memory, such as an instant message, may be lost forever. So investigators are now collecting volatile data on scene. Live response tools collect data that include the system's active processes, network connections, and physical memory (RAM). RAM dump tools must be practical for processing computers during search warrants. Law enforcement balances collecting volatile data against minimizing its interaction with the computer. Information obtained from a RAM dump may alleviate the need to run additional tools. Many sources suggest examiners use text searches for finding evidence in physical memory. However, examiners often do not know what applications or user names were used. This writer will look at the RAM dump tools from a practical standpoint and examine the images for the information law enforcement often seeks.
