School of Information Systems

Acquiring Volatile Memory

28 Jul 2023

Volatile memory refers to a type of computer memory that requires a constant supply of power to retain its data. In other words, when the power supply is interrupted or terminated, the contents stored in volatile memory will be lost. This is in contrast to non-volatile memory, such as hard disk drives or solid-state drives, which retain their data even without power. Examples of volatile memory include random access memory (RAM) and cache memory. Volatile memory is essential for a computer’s performance as it enables the processor to access data quickly and efficiently.

Collecting evidence in digital forensics is a sensitive and volatile process that requires meticulous procedures for acquisition, storage, transmission, and preservation. It is crucial to ensure the accuracy, authenticity, integrity, and confidentiality of the data. The method used to collect digital forensic evidence depends on the type of data and digital device, and there are two methods: live acquisition and static acquisition. This article will focus on live acquisition, which involves obtaining volatile information that is dynamic in nature and changes over time. This data must be collected in real-time while the system is running, and it is typically found in the registries, cache, and RAM of digital devices through their normal interface. However, investigators must exercise great caution during live acquisition, as even a seemingly innocuous action such as browsing through files on a running computer can potentially alter or destroy existing evidence data. Volatile information is useful in establishing a logical timeline of the security incident, network connections, command history, running processes, connected peripherals and devices, and the users who logged onto the system.

 Here the type of volatile data :

  1. System information, the information pertaining to a system that serves as proof in a criminal or security incident involves the present setup and operational condition of the questionable computer, as well as important data stored in the unused areas of the hard disk drive.
  2. Network information, the data linked to a network that is saved in the doubtful system and linked to network devices.

The process of obtaining volatile memory, also known as live acquisition, often involves accessing the virtual memory or swap space. The virtual memory, which is commonly referred to as “pagefile.sys” and is created by Windows to compensate for the limited capacity of RAM memory, can usually be found in the default location of C:\pagefile.sys. Initially, the virtual memory paging file is set by Windows to be equivalent to the amount of installed RAM. As the RAM space is utilized, parts of the RAM files are transferred from the hard drive into the virtual memory through a process known as swapping. This operation occurs transparently to the user. Obtaining virtual memory is crucial in forensic acquisition since it contains essential information that was transferred from the RAM memory, such as encryption keys, user passwords, and so on.

Source:

https://www.lifars.com/2021/05/how-to-acquire-digital-evidence-for-forensic-investigation/

Joni Suhartono