{"title":"Live Memory Forensics Investigations: A Comparative Analysis","authors":"Irfan Syamsuddin, Dedy Syamsuar","doi":"10.12720/jait.14.5.950-959","DOIUrl":null,"url":null,"abstract":"—The escalating dependence on information technology for daily activities ensures that cybercrime cases continue unabated. Consequently, the role of cyber forensics investigators is becoming increasingly crucial in addressing the surge of cybercrime incidents. Live forensics investigation, a challenging facet of digital evidence investigation, confronts several limitations. This study focuses on the complexities associated with retrieving digital evidence from volatile memory during live forensics investigations, explicitly comparing the efficacy of extracting digital evidence from DDR2 and DDR3 Random Access Memory (RAM). This study aims to analyze and compare potential variations in evidence acquisition outcomes between the two RAM types by applying three distinct scenarios: identifying registry and network activities, catching malicious codes, and obtaining login passwords on Social Media. The results demonstrate that DDR2 RAM exhibits a lower propensity for concealing digital evidence during live forensics investigations compared to DDR3 RAM. The implications of these findings are discussed, along with suggestions for potential ramifications and avenues for future research.","PeriodicalId":0,"journal":{"name":"","volume":null,"pages":null},"PeriodicalIF":0.0,"publicationDate":"2023-01-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.12720/jait.14.5.950-959","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Citation count: 0
Abstract
The escalating dependence on information technology for daily activities ensures that cybercrime cases continue unabated. Consequently, the role of cyber forensics investigators is becoming increasingly crucial in addressing the surge of cybercrime incidents. Live forensics investigation, a challenging facet of digital evidence investigation, confronts several limitations. This study focuses on the complexities associated with retrieving digital evidence from volatile memory during live forensics investigations, explicitly comparing the efficacy of extracting digital evidence from DDR2 and DDR3 Random Access Memory (RAM). This study aims to analyze and compare potential variations in evidence acquisition outcomes between the two RAM types by applying three distinct scenarios: identifying registry and network activities, catching malicious codes, and obtaining login passwords on Social Media. The results demonstrate that DDR2 RAM exhibits a lower propensity for concealing digital evidence during live forensics investigations compared to DDR3 RAM. The implications of these findings are discussed, along with suggestions for potential ramifications and avenues for future research.