Windows 10 Memory Compression in Digital Forensics - Uncovering Digital Evidence in Compressed Swap
Digital investigators and incident responders often rely on evidence residing in computer memory and in page files on hard drives. Artifacts such as browsing history, image thumbnails and shell commands can answer important questions in digital investigations. Windows 10 introduces memory compression, which compresses inactive parts of computer memory and thereby obfuscates potentially important artifacts. In this thesis, the student proposes principles and investigates methods for decompressing the parts of memory compressed by the Windows 10 operating system. The goal of the thesis is to create a method for decompressing and de-obfuscating potentially important information from compressed data in memory samples and page files, and to make it available to the forensics community. Memory compression in digital forensics of Windows 10 is a previously unsolved problem. Through research and experiments, the student has created a proof-of-concept tool with these capabilities, called "MemoryDecompression". The tool is tested on data from two scenarios that involve recovering strings that have been compressed and obfuscated by the memory manager. The results show that strings are in fact obfuscated through memory compression. The tool was submitted to the Volatility Plugin Contest as a contender and finished in 2nd place. This is presented as an indicator of quality and potential value; it also brings attention to the issues of memory compression and makes the tool available to the forensics community. The results, the impact and the weaknesses of the applied experiments are discussed. Finally, the thesis suggests future work on this subject, including further research on the Windows memory manager and further development of the MemoryDecompression tool.
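The obfuscation effect the abstract describes can be shown with a small constructed experiment. The following is an added example, not code from the thesis or from the MemoryDecompression tool: it builds a pretend memory sample in which one inactive page has been compressed, runs a classic `strings`-style carve over the raw buffer, and then carves again after decompressing the compressed region. zlib is used purely as a stand-in for the Windows 10 compression format, which this page does not describe, and the offsets of the compressed regions are assumed to be known (the bookkeeping a memory manager keeps); the artifact text and page contents are constructed.

```python
"""Constructed demonstration of how memory compression hides string artifacts
from a naive carve, and how decompression makes them visible again.

Assumptions (not taken from the thesis): zlib stands in for the real Windows
compression format, and the (offset, length) of each compressed region is
known in advance. All data below is constructed for the example.
"""
import re
import zlib

MIN_LEN = 8  # shortest printable run reported, as in the classic `strings` tool

# Constructed artifact of the kind the abstract mentions (browsing history).
ARTIFACT = "https://intranet.example.test/wiki/Incident-2021-report"


def carve_ascii_strings(buf, min_len=MIN_LEN):
    """Return every run of printable ASCII at least min_len bytes long."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, buf)]


def build_sample():
    """Constructed memory sample: one active (plain) page, then one inactive
    page that the (simulated) memory manager has compressed.

    Returns the raw buffer and a list of (offset, length) pairs describing
    where compressed regions live inside it.
    """
    active_page = b"active process data ".ljust(256, b"\x00")
    # A zero-padded 4 KiB page holding the artifact, then compressed.
    inactive_page = (ARTIFACT.encode("ascii") + b"\x00").ljust(4096, b"\x00")
    compressed = zlib.compress(inactive_page, 9)
    buf = active_page + compressed + b"\x00" * 64
    return buf, [(len(active_page), len(compressed))]


def recover_strings(buf, regions):
    """Strings from the raw buffer plus strings from every region that can be
    decompressed. Regions that fail to decompress (corrupted, overwritten or
    mis-located) are skipped rather than aborting the whole carve."""
    found = carve_ascii_strings(buf)
    for offset, length in regions:
        try:
            plain = zlib.decompress(buf[offset:offset + length])
        except zlib.error:
            continue
        found.extend(carve_ascii_strings(plain))
    return found


def demo():
    """Return (artifact visible before decompression, visible after)."""
    buf, regions = build_sample()
    before = carve_ascii_strings(buf)
    after = recover_strings(buf, regions)
    return ARTIFACT in before, ARTIFACT in after


if __name__ == "__main__":
    visible_before, visible_after = demo()
    print("artifact found in raw sample:         ", visible_before)
    print("artifact found after decompression:   ", visible_after)
```

Running the script shows the artifact absent from the raw carve and present once the compressed region is expanded, which is exactly the gap a tool like MemoryDecompression is meant to close. A region given with a wrong offset is skipped instead of crashing the carve, so a partially corrupted sample still yields whatever can be recovered.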