Forensic Analysis of Physical Memory and Page File

Abstract

With the passage of time, the field of computer forensics is maturing and the traditional methodology of disk forensics has now become a standard. In the same manner volatile data forensics is also getting serious attention from forensic investigators and researchers. Physical memory is an integral part of volatile data forensics. It can provide a forensic examiner with wealth of information like passwords, encrypted keys, typed commands, web addresses, shared and executable files, currently running processes and terminated processes, open ports and active connections. This thesis explores the forensic analysis of physical memory and page file in search of sensitive data using the currently available tools. Experiments are carried out in virtual environment on Windows XP operating system. The immediate purpose of this thesis is to study the impact of increased memory size, operating system and applications on the retention of sensitive data in today’s computers. We will also explore the capabilities and limitations of the currently available tools for the acquisition and analysis of memory and page file.