Volatile Memory Acquisition Tools – A Comparison Across Taint And Correctness

Document Type

Conference Proceeding

Publisher

Edith Cowan University

Faculty

Faculty of Health, Engineering and Science

School

School of Computer and Security Science

RAS ID

19275

Comments

Campbell W. (2014). Volatile memory acquisition tools - A comparison across taint and correctness. Proceedings of the 11th Australian Digital Forensics Conference, ADF 2013. (pp. 10-19). Edith Cowan University.

Abstract

The growth in volatile memory forensics has steadily increased in recent times. With this growth comes a need to test the tools associated with this practice. Although there appears to be a large amount of effort in testing static memory capture tools, there is perhaps less so for volatile memory capture. This paper describes the attempts at categorizing criteria for testing, and then introduces and extends a methodology proposed by Lempereur and colleagues in 2012. Four tools (Windows Memory Reader, WinPmem, FTK Imager and DumpIt) are tested against two criteria (impact and completeness). WMR and DumpIt were found to have the least impact, and also showed the greatest accuracy across the tests.

DOI

10.4225/75/57b3bfa7fb867

Access Rights

free_to_read
