Memory Forensics

Memory forensics is rapidly becoming a critical part of all digital forensic investigations. The value of information stored within a computer’s memory is immense; failing to capture it could result in a substantial loss of evidence. However, it is becoming increasingly more common to find situations where standard memory acquisition tools do not work. The paper addresses how an investigator can capture the memory of a locked computer when authentication is not present. The proposed solution is to use a bootable memory acquisition tool, in this case, Passware Bootable Memory Imager. To enhance the findings, three different reboot methods will be tested to help identify what would happen if the recommended warm reboot is not possible. Using a warm reboot and a secure reboot, Passware Bootable Memory Imager was able to successfully acquire the memory of the locked machine, with the resulting captures being highly representative of the populated data. However, the memory samples collected after a cold reboot did not retain any populated data. These findings highlight that to capture the memory of a locked machine, the reboot method is highly successful, providing the correct method is followed.Memory forensics is rapidly becoming a critical part of all digital forensic investigations. The value of information stored within a computer’s memory is immense; failing to capture it could result in a substantial loss of evidence. However, it is becoming increasingly more common to find situations where standard memory acquisition tools do not work. The paper addresses how an investigator can capture the memory of a locked computer when authentication is not present. The proposed solution is to use a bootable memory acquisition tool, in this case, Passware Bootable Memory Imager. To enhance the findings, three different reboot methods will be tested to help identify what would happen if the recommended warm reboot is not possible. Using a warm reboot and a secure reboot, Passware Bootable Memory Imager was able to successfully acquire the memory of the locked machine, with the resulting captures being highly representative of the populated data. However, the memory samples collected after a cold reboot did not retain any populated data. These findings highlight that to capture the memory of a locked machine, the reboot method is highly successful, providing the correct method is followed

The Comparison Performance of Digital Forensic Tools Using Additional Root Access Options

This research used MiChat and SayHi as materials for forensic investigations using three different tools, namely MOBILedit, Magnet Axiom, and Belkasoft. These three tools will show each performance in the forensic process. We also added a rooting process as an option if data cannot be extracted optimally even when using these three applications. The result of this study shows that the cases studied with processes without root access and with root access have the aim of complementing each other in obtaining evidence. So that these two processes complement each other's shortcomings. The main contribution of this research is a recommendation of a tool based on the best performance shown during the forensic process with rooting access and without rooting access. Based on the comparison, Magnet Axiom is superior with a total of 34 items of data found without root access, while MOBILedit is 30 items and 30 items for Belkasoft. While comparison using root access, Magnet Axiom and MOBILedit are superiors with a total of 36 items found in Magnet Axiom without root access, while MOBILedit is 36 items and 33 items for Belkasoft. Based on the test results, it can be concluded that the recommended tool according to the used scenario is Magnet Axiom

Memory forensics: comparing the correctness of memory captures from locked Windows 10 machines using different boot capture vectors

Memory forensics is rapidly becoming a critical part of all digital forensic investigations. The value of information stored within a computer memory is immense; failing to capture it could result in a substantial loss of evidence. However, it is becoming increasingly more common to find situations where standard memory acquisition tools do not work. The paper addresses how an investigator can capture the memory of a locked computer when authentication is not present. The proposed solution is to use a bootable memory acquisition tool, in this case, Passware Bootable Memory Imager. To enhance the findings, three different reboot methods will be tested to help identify what would happen if the recommended warm reboot is not possible. Using a warm reboot and a secure reboot, Passware Bootable Memory Imager was able to successfully acquire the memory of the locked machine, with the resulting captures being highly representative of the populated data. However, the memory samples collected after a cold reboot did not retain any populated data. These findings highlight that to capture the memory of a locked machine, the reboot method is highly successful, providing the correct method is followed