A volatile memory analysis tool for retrieval of social media evidence in windows 10 OS based workstations

Abstract

Crimes are rapidly increasing, and criminals today use digital devices to facilitate criminal activities. The majority of individuals now own at least a Personal Computer (PC). This has in turn led to Social Media being used as a key medium for information gathering and exchange. Criminals tend to search through social media platforms and extract data which will facilitate them. Additionally, social media platforms such as Facebook, Viber, Skype are used to exchange information about criminal activities. Such information relating to social media can be highly critical evidence at a forensic investigation. A variety of different tools have been necessary for forensics investigators to extract evidence from computers. The main focus on capturing traces left behind after crimes has been the data stored in hard drives. Yet, a significant amount of data is stored in volatile memory as well, and these traces might be very important evidence in solving a case. But the volatile memory is mostly not looked at. All such information exchanged through such applications has to pass through the volatile memory of the system at some point. Even though many applications tend to provide end-to-end encryption, research on volatile memory forensics shows that applications yet write unencrypted data to the RAM (Random Access Memory). This has led to a new area of research towards patterns in how data are written in the volatile memory. This will be a next step in digital forensics, which would assist in recovering evidence that would otherwise get completely lost.