Abstract
Volatile memory forensics has become increasingly prominent in forensic analysis and incident response. Unfortunately there is currently no forensically sound method of acquiring an image of a system's memory without attaching specialized hardware. This paper proposes the addition of a memory acquisition mechanism to the operating system, thereby removing the need to load an external program. The method minimizes the acquisition's impact on the system's state, as well as making it more difficult for malicious programs to avoid detection or interfere with the memory dump. The risks of allowing a full memory capture and some considerations on how this method would interact with rootkits are also discussed.
Sign-in/Register to access full text options 
Free) 
Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have
Schedule a call
