Abstract

Digital investigation is becoming an increasing concern, and many digital forensic tools are being developed to deal with the challenge of investigating digital crimes. Acquisition of volatile memory is one of the vital steps of the digital forensics process. Passwords, indications of anti-forensic methods, and memory-resident malware may be contained in volatile data that would otherwise be overlooked by the investigator. The success of memory acquisition mainly depends on the effectiveness of the memory acquisition tool. This paper compares memory forensics tools based on processing time and the artifacts they leave in volatile memory. Furthermore, we examined how the processing time of the tools varies with different volatile memory sizes. In order to conduct this work, we use the following tools: FTK Imager, Pro Discover, Nigilant32, Helix3 (dd), OSForensics and Belkasoft RAM Capturer. The results show that Belkasoft RAM Capturer leaves the least amount of artifacts and also has the lowest processing time. Moreover, this work concludes that the tested tools differ significantly in the artifacts they leave in volatile memory, at a 95% confidence level. Also, statistically, increasing the memory size x times does not increase the processing time of the tools x times.
