Vol Net: a framework for analysing network-based artefacts from volatile memory

摘要

Volatile memory contains an affluence of information regarding the current state of the running system. Memory forensics techniques inspect RAM to extract information such as credentials, encryption keys, network activity and logs, malware, MFT records and the set of processes, open file descriptors currently executed by the operating system, etc. To achieve retrievability of potential artefacts, a memory dump should be taken prior to shutting down the system. It is the most vital aspect for carving information residing into the volatile memory. Volatile memory dump is used for offline investigation of volatile data. The analysis provides information regarding the activities being performed over the running system. This research focuses on our developed framework called as VolNet through which investigator can extract and analyse the artefacts related to network communication, social chats, cloud-based artefacts, private browsing and anonymous surfing and other potential artefacts that can be obtained from RAM dumps of live systems.