Memory Acquisition and Analysis - RAM Information

Why is memory acquisition and analysis important? What types of information can be acquired from RAM that may not be available on a hard drive? 


Memory acquisition and analysis is important because it includes the memory that was stored before the system crash that provides experts with diagnostic information at the time of the crash and contains a code that caused the crash. 

Through the practice of memory forensics, experts are supplied with run-time system activity, such as open network connections or recently executed commands &processes. Before programs are executed on the computer, they are loaded into the memory making the use of memory forensics of high importance. Each program or data which is created, examined, or deleted is stored in the RAM. 

 The information that can be acquired from RAM includes images, all web-browsing activity, encryption keys, network connections, or injected code fragments. 

According to ("The Importance of Memory Forensics", 2017) Attackers can develop malware which only resides in the memory, rather than the disk, making it virtually invisible to standard computer forensic methods. This makes the need of memory forensics tools in high demand. The importance of memory forensics cannot be stressed enough, especially when collecting evidence in an attack and finding the attacker. The examination of volatile data found only in the RAM; offers insight to experts they would otherwise not have.
 
References: 

The Importance of Memory Forensics. (2017). Retrieved 20 May 2020, from https://lifars.com/2017/06/memory-forensics-tools/ 

Comments

Popular posts from this blog

Chain of Custody - OJ Simpson case

File Carving or Data Carving

Legal Issues with Social Networking