Forensic memory evidence of windows application

摘要

In modern digital investigations, forensic sensitive information can be gathered from the physical memory of computer systems. Digital forensic community feels the urge towards accurate data collection, preservation, examination, validation, data analysis and presentation. This investigative process has become an essential part of digital investigation. The extraction of forensically relevant evidence from the physical memory can reveals users' actions. This research will report the amount of evidence that can be extracted and how the evidence changes with the length of time that the system is switched on and the application is still opened. In this experiment, the quantitative assessment of user input on the most commonly used applications will be presented.