TY - JOUR
T1 - In-Depth Analysis of Computer Memory Acquisition Software for Forensic Purposes
AU - Mcdown, Robert J.
AU - Varol, Cihan
AU - Carvajal, Leonardo
AU - Chen, Lei
N1 - Publisher Copyright:
© 2016 American Academy of Forensic Sciences.
PY - 2015/11/17
Y1 - 2015/11/17
N2 - Existing comparison studies of random access memory (RAM) acquisition tools are either limited in the metrics they consider or evaluate tools designed for older operating systems. This study therefore evaluates seven widely used shareware or freeware/open-source RAM acquisition forensic tools that are compatible with the latest 64-bit Windows operating systems. The tools were compared on user interface capabilities, platform limitations, reporting capabilities, total execution time, shared and proprietary DLLs loaded, registry keys modified, and files invoked during processing. We observed that Windows Memory Reader and Belkasoft's Live RAM Capturer leave the fewest fingerprints in memory when loaded. On the other hand, ProDiscover and FTK Imager perform poorly in memory usage, processing time, DLL usage, and unwanted artifacts introduced to the system. While Belkasoft's Live RAM Capturer is the fastest at obtaining an image of memory, ProDiscover takes the longest to do the same job.
AB - Existing comparison studies of random access memory (RAM) acquisition tools are either limited in the metrics they consider or evaluate tools designed for older operating systems. This study therefore evaluates seven widely used shareware or freeware/open-source RAM acquisition forensic tools that are compatible with the latest 64-bit Windows operating systems. The tools were compared on user interface capabilities, platform limitations, reporting capabilities, total execution time, shared and proprietary DLLs loaded, registry keys modified, and files invoked during processing. We observed that Windows Memory Reader and Belkasoft's Live RAM Capturer leave the fewest fingerprints in memory when loaded. On the other hand, ProDiscover and FTK Imager perform poorly in memory usage, processing time, DLL usage, and unwanted artifacts introduced to the system. While Belkasoft's Live RAM Capturer is the fastest at obtaining an image of memory, ProDiscover takes the longest to do the same job.
KW - Computer memory acquisition software
KW - Freeware
KW - RAM acquisition tools
KW - Shareware
UR - https://digitalcommons.georgiasouthern.edu/information-tech-facpubs/37
UR - https://doi.org/10.1111/1556-4029.12979
U2 - 10.1111/1556-4029.12979
DO - 10.1111/1556-4029.12979
M3 - Article
SN - 0022-1198
VL - 61
JO - Journal of Forensic Sciences
JF - Journal of Forensic Sciences
ER -