Indian Journal of Science and Technology
Year: 2016, Volume: 9, Issue: 48, Pages: 1-12
Shreshtha Gaur* and Rita Chhikara
Department of CSE/IT, The NorthCap University, Gurugram, Haryana - 122017, India
*Author for correspondence
Objectives: To evaluate the performance of different tools that acquire, analyze and recover evidence of crime from volatile memory. A comparison of the tools is presented with the aim of giving a better understanding of the tools employed. Methods: Volatile memory persists only for a short period, which is why it is hard to analyze. It contains much useful information, such as passwords, usernames and running processes. Acquiring, analyzing and recovering are the three major steps of memory forensics. Experiments are performed with different tools to understand the procedure of acquiring, analyzing and recovering important evidence. Findings: The strengths and drawbacks of all the tools are analyzed, which gives a better understanding of how the tools work in specific scenarios. Tools such as FTK Imager and Belkasoft present the data as a tree structure, which makes the data difficult to analyze. None of the tools investigated is entirely suited to a particular situation; hence the investigation needs to rely on several tools that can retrieve useful information from the evidence. It is important to know the usefulness of a tool before it is applied to solve a crime. Although most of the tools are successful in providing reasonable evidence, no single tool is sufficient to complete the investigation. Improvements: Most of the tools work as passive agents, that is, it is left to the discretion of the investigator to analyze the evidence collected through the different tools. The tools can be improved by combining them with machine learning techniques. This paper also discusses the improvements that can be made so that the tools are easier to work with and yield better results.
Keywords: Acquisition Memory Tools, Analyzing Memory Tools, Digital Forensics, Live Analysis, Memory Forensics, Recovering Memory Tools.
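As an added illustration of the three steps the abstract names (the code below is not from the paper or from any of the tools it compares): a constructed raw image stands in for the acquired evidence, printable strings in both ASCII and UTF-16LE are carved from it (the analysis step), and credential-like artefacts are matched and, for HTTP Basic authentication, decoded back to user and password (the recovery step). The dump contents, the credential patterns, the minimum string length and the function names are all assumptions made for the example.

```python
"""Acquire -> analyze -> recover on a raw memory image, in miniature.

Added example, not code from the paper or from the tools it evaluates. A
constructed dump plays the role of the acquired image; strings are carved from
it in ASCII and UTF-16LE; credential-shaped strings are flagged and, for HTTP
Basic authentication, decoded into (user, password).
"""
import base64
import re
from typing import Dict, List, Tuple

MIN_LEN = 6  # shortest run treated as a string (assumption; GNU strings uses 4)

# Runs of printable ASCII bytes, and of printable-byte/NUL pairs (UTF-16LE,
# the encoding Windows keeps most in-memory text in).
ASCII_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)

# Credential shapes worth flagging in a triage pass (assumed patterns).
CRED_PATTERNS = [
    ("basic_auth", re.compile(r"Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)")),
    ("user_kv", re.compile(r"(?i)(?:user(?:name)?|login)\s*[=:]\s*(\S+)")),
    ("password_kv", re.compile(r"(?i)(?:pass(?:word|wd)?|pwd)\s*[=:]\s*(\S+)")),
]


def carve_strings(image: bytes) -> List[Tuple[int, str, str]]:
    """Return (offset, encoding, text) for every string run in the image, by offset."""
    hits = [(m.start(), "ascii", m.group().decode("ascii"))
            for m in ASCII_RE.finditer(image)]
    hits += [(m.start(), "utf16le", m.group().decode("utf-16-le"))
             for m in UTF16_RE.finditer(image)]
    return sorted(hits)


def find_credentials(image: bytes) -> List[Dict]:
    """Analysis: match credential patterns in each carved string.
    Recovery: decode Basic-auth blobs into (user, password)."""
    findings = []
    for offset, enc, text in carve_strings(image):
        for label, pat in CRED_PATTERNS:
            for m in pat.finditer(text):
                rec = {"offset": offset, "encoding": enc, "type": label, "value": m.group(1)}
                if label == "basic_auth":
                    try:
                        raw = base64.b64decode(m.group(1), validate=True)
                        user, _, pw = raw.decode("latin-1").partition(":")
                        rec["recovered"] = (user, pw)
                    except ValueError:
                        pass  # truncated or corrupt blob: keep the raw match only
                findings.append(rec)
    return findings


def build_sample_image() -> bytes:
    """Constructed stand-in for an acquired dump: non-printable filler (bytes
    0x00-0x1f, so it never forms a string) with three planted artefacts: an
    HTTP request with Basic auth, a UTF-16LE 'username=' fragment as a Windows
    process would hold it, and an ASCII config fragment with a password."""
    filler = bytes(range(32)) * 8
    http = (b"GET /admin HTTP/1.1\r\nHost: intranet\r\n"
            b"Authorization: Basic YWxpY2U6UzNjcmV0IQ==\r\n\r\n")
    win = "username=alice".encode("utf-16-le")
    cfg = b"db_pass=Winter2016"
    return filler + http + filler + win + filler + cfg + filler


if __name__ == "__main__":
    for rec in find_credentials(build_sample_image()):
        print(f"0x{rec['offset']:06x} {rec['encoding']:8} {rec['type']:12} {rec['value']}"
              + (f"  -> {rec['recovered']}" if "recovered" in rec else ""))
```

The offsets this yields say nothing about which process owned a string or whether the page was still mapped; recovering that context means walking the kernel's process and memory-map structures, which is what structured memory-forensics tools do. String carving of this kind is therefore a triage pass, not a substitute for the tools the paper compares.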