
Introduction

Memory analysis is a relatively new, but increasingly relevant field. A memory image can be acquired in the same way as a physical image, but by using different tools, some of which will be discussed in this section.

The image can be stored in one of many formats, depending on the tool used to acquire it. Once an investigator has the image, they can analyse the data within it.

One of the main challenges associated with memory forensics is data preservation. Although your only option in a given investigation may be to power down a system and then image the data therein, in reality this ends up having an impact on other potential data sources that might be important later on. It is vital, therefore, to have a thorough understanding of the scene you are investigating and the specific needs of the case before you decide which method to choose. Any time you interact with a system, you will alter something simply by virtue of having been there. However, memory acquisition can help to minimize the effects of the investigator on the data collected, since a memory image will sample the volatile memory at a specific time, thus creating a sort of snapshot that can then be analysed later.

In cases where an investigator arrives at a scene to find a machine powered on, the memory on the system will be volatile at that time. This means that, if you manage to acquire a memory image then and there, you will be able to see a snapshot of the computer's memory at the moment at which you acquired it. This can be very useful, especially if a suspect has recently fled a scene or has been arrested at the scene.

You will generally need administrative permissions on the computer if you want to acquire volatile memory, unless you are using a hardware-based acquisition device. One such solution is CaptureGUARD Physical Memory Acquisition Hardware. It requires a small CaptureGUARD driver to be installed on the system and creates a memory dump in the standard WinDD format. You can see one of these devices in figure 2.1.

Figure 2.1. ExpressCard

In short, memory forensics is a complex and temperamental field. You will need a thorough understanding of the tool sets you are using, and of any potential impact they could have on volatile memory, before you decide which to use at a scene. However, if you do manage to acquire a memory image, it can provide a wealth of useful information for your case.
