Memory Forensics: Review of Acquisition and Analysis Techniques.

摘要

This document presents an overview of the most common memory forensics techniques used in the acquisition and analysis of a system's volatile memory. Memory forensics rose from obscurity in 2005 in response to a challenge issued by the Digital Forensics Research Workshop (DFRWS). Since then, investigators and researchers alike have begun to recognise the important role that memory forensics can play in a robust investigation. Volatile memory, or Random Access Memory (RAM), contains a wealth of information regarding the current state of a device. Memory forensics techniques examine RAM to extract information such as passwords, encryption keys, network activity, open files and the set of processes and threads currently running within an operating system. This information can help investigators reconstruct the events surrounding criminal use of technology or computer security incidents.