Acquisition and Forensic Analysis of Volatile Data Stores

Abstract

The advent of more witted threats against typical computer systems demonstrates a need for forensic analysis of memory-resident data in addition to the conventional static analysis common today. Some tools are starting to become available to duplicate various types of volatile data stores. Once the data store has been duplicated, current forensic procedures have no vector for extrapolating further information from the duplicate. This thesis is focused on providing the groundwork for performing forensic investigations on the data that is typically stored in a volatile data store, such as system RAM, while creating as small an impact as possible to the state of a system. It is intended that this thesis will give insight to obtaining more post incident response information along with a smaller impact to potential evidence when compared to typical incident response procedures