Forensic Analysis of Physical Memory and Page File
Abstract
With the passage of time, the field of computer forensics is maturing, and the traditional methodology of disk forensics has become a standard. In the same manner, volatile data forensics is also getting serious attention from forensic investigators and researchers. Physical memory is an integral part of volatile data forensics. It can provide a forensic examiner with a wealth of information, such as passwords, encryption keys, typed commands, web addresses, shared and executable files, currently running and terminated processes, open ports and active connections. This thesis explores the forensic analysis of physical memory and the page file in search of sensitive data using the currently available tools. Experiments are carried out in a virtual environment on the Windows XP operating system. The immediate purpose of this thesis is to study the impact of increased memory size, the operating system and applications on the retention of sensitive data in today’s computers. We will also explore the capabilities and limitations of the currently available tools for the acquisition and analysis of memory and the page file.