Providing a Foundation for Analysis of Volatile Data Stores

Abstract

Current threats against typical computer systems demonstrate a need for forensic analysis of memory-resident data in addition to the conventional static analysis common today. Certain attacks and types of malware exist solely in memory and leave little or no evidentiary information on nonvolatile stores such as a hard disk drive. The desire to preserve system state at the time of response may even warrant memory acquisition independent of perceived threats and the ability to analyze the acquired duplicate. Tools capable of duplicating various types of volatile data stores are becoming widely available. Once the data store has been duplicated, current forensic procedures have no method for extrapolating further useful information from the duplicate. This paper is focused on providing the groundwork for performing forensic investigations on the data that is typically stored in a volatile data store, such as system RAM. It is intended that, when combined with good acquisition techniques, it will be shown that it is possible to obtain more post incident response information along with less impact to potential evidence when compared to typical incident response procedures.