Forensics Analysis of Windows 8.1 Physical Memory

Abstract

Memory forensic analysis is an important component of digital forensic and plays critical role in investigation of any digital crime. Volatile memory contains wealth of important information regarding current state of system. Memory forensics techniques examine RAM images to extract variety of artifacts including sensitive information such as password, email messages, encryption keys etc. This information can help investigators to reconstruct the critical events surrounding criminal use of digital devices and other information technology resources. This research work presents Windows memory forensics analysis using multiple scenarios, which delivers useful ideas to digital investigators, malware analyst and researchers. Each scenario provides examination of critical Windows artifacts that are available in physical memory. A state of the art analysis work on Windows physical memory acquisition tools assist investigators and first responders to select most appropriate acquisition tool to complete successful memory acquisition phase. Comparison of different Windows version for running processes in memory gives useful information and plays vital role in memory forensics research and development. Moreover, Windows page file analysis presents Windows behavior to manage page file and sensitive information.