Tools for Collecting Volatile Data: A Survey Study

Leonardo Carvajal; Cihan Varol; Lei Chen

doi:10.1109/TAEECE.2013.6557293

Tools for Collecting Volatile Data: A Survey Study

Leonardo Carvajal, Cihan Varol, Lei Chen

Information Technology

Sam Houston State University

Research output: Contribution to book or proceeding › Chapter

4 Scopus citations

Abstract

Volatile information is a critical element when conducting a digital investigation. As a result, commercial and open source tools are becoming more varied in which options they offer to users. This paper compares six forensic tools including: FTK Imager, Pro Discover, Win32dd, Nigilant32, Memoryze, and Helix3 (dd). The evaluation of each forensic tool is based on the following capabilities: user interface, reporting, processing time, training, and leaving fingerprints or artifacts. We have observed that if time is the concern, command line forensic tools such as Win32dd and Memoryze are faster in acquiring physical memory contents than the graphical user interface tools such as FTK imager, ProDiscover, Nigilant32, and Helix3. In addition, Win32dd leaves the least fingerprints using 13.55 MB in memory when loaded. On the other hand, FKT Imager leaves the most fingerprints using 155 MB of RAM.

Original language	American English
Title of host publication	Proceedings of the International Conference on Technological Advances in Electrical, Electronics and Computer Engineering
DOIs	https://doi.org/10.1109/TAEECE.2013.6557293
State	Published - May 9 2013

Disciplines

Databases and Information Systems

Keywords

Forensic tools
Memory aquisition
Volatile data

Access to Document

10.1109/TAEECE.2013.6557293License: Unspecified

Cite this

@inbook{805d9570722a456a81ca1e98413fbbc2,

title = "Tools for Collecting Volatile Data: A Survey Study",

abstract = " Volatile information is a critical element when conducting a digital investigation. As a result, commercial and open source tools are becoming more varied in which options they offer to users. This paper compares six forensic tools including: FTK Imager, Pro Discover, Win32dd, Nigilant32, Memoryze, and Helix3 (dd). The evaluation of each forensic tool is based on the following capabilities: user interface, reporting, processing time, training, and leaving fingerprints or artifacts. We have observed that if time is the concern, command line forensic tools such as Win32dd and Memoryze are faster in acquiring physical memory contents than the graphical user interface tools such as FTK imager, ProDiscover, Nigilant32, and Helix3. In addition, Win32dd leaves the least fingerprints using 13.55 MB in memory when loaded. On the other hand, FKT Imager leaves the most fingerprints using 155 MB of RAM.",

keywords = "Forensic tools, Memory aquisition, Volatile data",

author = "Leonardo Carvajal and Cihan Varol and Lei Chen",

note = "Volatile information is a critical element when conducting a digital investigation. As a result, commercial and open source tools are becoming more varied",

year = "2013",

month = may,

day = "9",

doi = "10.1109/TAEECE.2013.6557293",

language = "American English",

booktitle = "Proceedings of the International Conference on Technological Advances in Electrical, Electronics and Computer Engineering",

}

TY - CHAP

T1 - Tools for Collecting Volatile Data: A Survey Study

AU - Carvajal, Leonardo

AU - Varol, Cihan

AU - Chen, Lei

N1 - Volatile information is a critical element when conducting a digital investigation. As a result, commercial and open source tools are becoming more varied

PY - 2013/5/9

Y1 - 2013/5/9

N2 - Volatile information is a critical element when conducting a digital investigation. As a result, commercial and open source tools are becoming more varied in which options they offer to users. This paper compares six forensic tools including: FTK Imager, Pro Discover, Win32dd, Nigilant32, Memoryze, and Helix3 (dd). The evaluation of each forensic tool is based on the following capabilities: user interface, reporting, processing time, training, and leaving fingerprints or artifacts. We have observed that if time is the concern, command line forensic tools such as Win32dd and Memoryze are faster in acquiring physical memory contents than the graphical user interface tools such as FTK imager, ProDiscover, Nigilant32, and Helix3. In addition, Win32dd leaves the least fingerprints using 13.55 MB in memory when loaded. On the other hand, FKT Imager leaves the most fingerprints using 155 MB of RAM.

AB - Volatile information is a critical element when conducting a digital investigation. As a result, commercial and open source tools are becoming more varied in which options they offer to users. This paper compares six forensic tools including: FTK Imager, Pro Discover, Win32dd, Nigilant32, Memoryze, and Helix3 (dd). The evaluation of each forensic tool is based on the following capabilities: user interface, reporting, processing time, training, and leaving fingerprints or artifacts. We have observed that if time is the concern, command line forensic tools such as Win32dd and Memoryze are faster in acquiring physical memory contents than the graphical user interface tools such as FTK imager, ProDiscover, Nigilant32, and Helix3. In addition, Win32dd leaves the least fingerprints using 13.55 MB in memory when loaded. On the other hand, FKT Imager leaves the most fingerprints using 155 MB of RAM.

KW - Forensic tools

KW - Memory aquisition

KW - Volatile data

UR - https://doi.org/10.1109/TAEECE.2013.6557293

U2 - 10.1109/TAEECE.2013.6557293

DO - 10.1109/TAEECE.2013.6557293

M3 - Chapter

BT - Proceedings of the International Conference on Technological Advances in Electrical, Electronics and Computer Engineering

ER -

Tools for Collecting Volatile Data: A Survey Study

Abstract

Disciplines

Keywords

Access to Document

Other files and links

Fingerprint

Cite this