Evaluating the Memory Footprint of Random Access Memory Acquisition Software [A0B-574]
Christine Utz, Marcus Thompson
The core principle of digital forensics is to preserve the state of the target system to the greatest possible extent. This is especially important in live forensics, i.e., acquisitions taking place while the system under investigation is powered on. One important source of possible evidence that can only be extracted in a live setting is a computer's random access memory (RAM), which can contain data not available anywhere else on the system, such as encryption keys or information about the system state. Hardware-based methods to extract RAM are mostly experimental, and forensic examiners typically use software tools to acquire the target machine's volatile memory. Executing these tools comes at the cost of the program itself being loaded into RAM and potentially overwriting data that could constitute valuable evidence. The ideal acquisition tool's "footprint" in both volatile and non-volatile computer memory is as small as possible. This paper analyzes the RAM and hard disk usage of selected volatile memory acquisition tools to provide forensic examiners with information on how much potential evidence is at risk when a certain tool is used.