Forensic extraction of user information in continuous block of evidence

Abstract

Extraction of user information in the physical memory of Windows application is vital in today's digital investigation. Digital forensic community feels the urge for the development of tools and techniques in volatile memory analysis. However, there have been few investigations into the amount of relevant information that can be recovered from the application memory. In this research, we present the quantitative and qualitative results of experiments carried out on Windows applications. In conducting this research; we have identified the most commonly used applications on Windows systems, designed a methodology to capture data and processed that data. This research report the amount of evidence that was stored over time and recovered in continuous block of evidence in the physical memory.