Advanced Volatile Memory Forensics through Autopsy Integration

  • Asif Ibrahim, Department of Mathematics, The University of Lahore, Lahore.
  • Syed Khurram Hassan, Institute of Quality and Technology Management, University of the Punjab, Lahore, Pakistan.
  • Saima Sheikh, Admin, Pakistan Association of Advancement of Sciences.
Keywords: Memory analysis, Digital forensics, Autopsy, RAM capture, Forensics imaging

Abstract

The main goal of this study is to design a novel plugin for the Autopsy forensic framework that enables forensic analysts to identify and extract volatile memory from small-scale digital devices, including network peripherals, Internet of Things devices, smartphones, and industrial-control systems. Given the importance of volatile memory to digital crime and cybersecurity investigations, an accurate and reliable tool is needed to acquire forensic copies of the evidence non-destructively. For small-scale devices this study is of acute importance, as it bridges a gap between current forensic research and forensic practice: using separate tools is challenging because of compatibility issues and the complexity of managing multiple systems. The developed Autopsy plugin, termed MemoryIntegrator, integrates seamlessly with the Autopsy forensic framework and is designed to work together with the Volatility tool, which specializes in detailed memory analysis. The main outcomes of experimenting with and applying the plugin are as follows. It extends Autopsy's default forensic workflow by giving analysts a way to swiftly and directly harvest and evaluate volatile data from diverse small-scale digital devices. It maintains the integrity of the memory data throughout the extraction and analysis process by means of cryptographic hash validations, which verify that the data has not been altered between extraction and analysis.
In the in-house forensic tests conducted for this study, MemoryIntegrator outperformed the compared forensic tools in the speed of memory data extraction and in the authenticity and method of its analysis. In the modern world, this is critical to the investigation of digital crimes and incidents that affect cybersecurity.
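The abstract describes hash validation as the mechanism that ties the acquired memory image to the copy later analysed. The following is an added illustration of that acquisition-to-analysis check, written here for this page; it is not code from the paper's MemoryIntegrator plugin, and the manifest layout, file names, and choice of SHA-256 plus SHA-512 are assumptions. The image is hashed in chunks at acquisition time, the digests are recorded in a sidecar manifest, and the same digests are recomputed and compared (with a constant-time comparison) before analysis, so a single flipped byte in the image is detected.

```python
"""Acquisition-time hashing and pre-analysis verification of a memory image.
Added example for this page; not the paper's MemoryIntegrator code.
Manifest layout, file names and algorithm choice are assumptions."""
import hashlib
import hmac
import json
import os
import tempfile

CHUNK = 1024 * 1024  # hash large images in 1 MiB chunks


def hash_file(path, algorithms=("sha256", "sha512")):
    """Return {algorithm: hexdigest} for the file at `path`, streaming so a
    multi-gigabyte RAM image never has to be held in memory at once."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def write_manifest(image_path, manifest_path, device_label):
    """Acquisition step: record size and digests of the freshly acquired image
    in a sidecar JSON manifest (assumed layout)."""
    manifest = {
        "device": device_label,
        "image": os.path.basename(image_path),
        "size": os.path.getsize(image_path),
        "hashes": hash_file(image_path),
    }
    with open(manifest_path, "w") as fh:
        json.dump(manifest, fh, indent=2)
    return manifest


def verify_image(image_path, manifest_path):
    """Analysis step: recompute the recorded algorithms and compare.
    Returns (ok, mismatches); mismatches lists algorithms whose digest differs."""
    with open(manifest_path) as fh:
        manifest = json.load(fh)
    current = hash_file(image_path, tuple(manifest["hashes"]))
    mismatches = [
        name for name, expected in manifest["hashes"].items()
        if not hmac.compare_digest(expected, current[name])
    ]
    size_ok = os.path.getsize(image_path) == manifest["size"]
    return (size_ok and not mismatches), mismatches


def demo():
    """Constructed scenario: acquire, verify, corrupt one byte, verify again.
    Returns (ok_before, ok_after, sorted list of mismatching algorithms)."""
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "device.raw")
        manifest = os.path.join(tmp, "device.raw.manifest.json")
        # constructed stand-in for a captured RAM dump (random bytes)
        with open(image, "wb") as fh:
            fh.write(os.urandom(3 * CHUNK + 17))
        write_manifest(image, manifest, "constructed-iot-device")
        ok_before, _ = verify_image(image, manifest)
        # simulate post-acquisition corruption: flip one byte inside the image
        with open(image, "r+b") as fh:
            fh.seek(CHUNK + 5)
            original = fh.read(1)
            fh.seek(CHUNK + 5)
            fh.write(bytes([original[0] ^ 0xFF]))
        ok_after, bad = verify_image(image, manifest)
        return ok_before, ok_after, sorted(bad)


if __name__ == "__main__":
    print(demo())  # (True, False, ['sha256', 'sha512'])
```

Recording more than one digest and the image size in the manifest means a later verification failure can be attributed to a specific corruption rather than to a single-algorithm quirk, and streaming the hash keeps the check usable on images far larger than the analyst's workstation RAM.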

Published
2024-06-14