Abstract

Main memory (RAM) holds volatile but critical data about a system's state and its recent activity. RAM-based artifacts are often hard to find anywhere else. In this volatile data, digital investigators can find essential information about the recent usage of a system, including the documents that were used. Nowadays, documents are often fetched from a variety of storage media, most of which are internet-based. This can complicate a digital investigation because of the remote nature of these storage media: most of these remote files cannot be traced on the local hard disk drive (HDD) of the captured machine. However, whenever a document's contents are successfully recovered from RAM images, this can confirm that the document was actually used. This paper studies the effects of various storage media (local and remote) on the amount of volatile artifacts left by different types of documents. Experiments are designed to evaluate the effects of local hard drives, removable media, and a set of cloud-based platforms such as Dropbox, Google Drive, and OneDrive on the RAM-based artifacts of a used document. Results show that the recovered contents are significantly affected by the storage medium used. The document's type has an effect too. Frequently, a good ratio of the document's contents is recovered from RAM even when the document resides in the cloud, the document is closed, and the connection is terminated.
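One way to quantify the "ratio of the document's contents recovered from RAM" that the abstract refers to, as an added example that is not the paper's own code or method. It assumes the investigator holds a reference copy of the document text; the chunk size, the two encodings searched, and the names `recovery_ratio` and `scan_file` are choices made for this illustration.

```python
import mmap

def split_chunks(text, size=32):
    """Cut the reference text into fixed-size chunks (a short tail is ignored)."""
    return [text[i:i + size] for i in range(0, len(text) - size + 1, size)]

def recovery_ratio(image, text, size=32, encodings=("utf-8", "utf-16-le")):
    """Return (fraction of chunks present in the image, hits per encoding).

    `image` is any object with a bytes-style find(): bytes or an mmap.
    Both encodings are searched because applications may keep the same
    text in memory as UTF-8 or as UTF-16LE (common on Windows).
    """
    parts = split_chunks(text, size)
    hits = {enc: 0 for enc in encodings}
    recovered = 0
    for part in parts:
        seen = False
        for enc in encodings:
            if image.find(part.encode(enc)) != -1:
                hits[enc] += 1
                seen = True
        recovered += seen  # a chunk counts once even if both encodings hit
    ratio = recovered / len(parts) if parts else 0.0
    return ratio, hits

def scan_file(path, text, **kwargs):
    """Run recovery_ratio over a RAM image on disk without loading it whole."""
    with open(path, "rb") as fh, \
         mmap.mmap(fh.fileno(), 0, access=mmap.ACCESS_READ) as mem:
        return recovery_ratio(mem, text, **kwargs)

# Constructed sample data: a 128-character "document" (four 32-char chunks)
# and a fake memory image holding chunk 0 as UTF-16LE and chunk 2 as UTF-8.
SAMPLE_DOC = "".join(
    f"Paragraph {i}: quarterly figures.".ljust(32, ".") for i in range(4)
)
SAMPLE_IMAGE = (
    b"\x00" * 64
    + SAMPLE_DOC[0:32].encode("utf-16-le")
    + b"\xff" * 64
    + SAMPLE_DOC[64:96].encode("utf-8")
    + b"\x00" * 64
)

if __name__ == "__main__":
    ratio, per_encoding = recovery_ratio(SAMPLE_IMAGE, SAMPLE_DOC)
    print(f"recovered {ratio:.0%} of chunks, per encoding: {per_encoding}")
```

Exact chunk matching undercounts content that an application stores compressed, formatted, or split across non-contiguous pages, so the result is a lower bound on what remains in memory.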
