On the Analysis of Information Found on Windows Application Memory

Digital forensic community feels the urge for the development of tools and techniques in volatile memory analysis. The extraction of user input from physical memory of Windows applications may reveal useful information that could be used as evidence in crime cases; the information that may not be found on traditional hard disk forensic investigations. However, there have been few digital investigations into the amount of user input recovered from Windows application memory. This paper presents on the analysis of user input stored on an application, and the forensically relevant information recovered from the memory of some commonly used Windows applications. Quantitative results of the experiments carried out on these applications will be presented