Limitations of Volatile Memory Analysis
Fri, 07/25/2014 - 8:51am
Realistically, live RAM analysis has its limitations, and lots of them. Many types of artifacts stored in the computer’s volatile memory are ephemeral. While information about running processes will not disappear until those processes finish, remnants of recent chats, communications, and other user activities may be overwritten with other content at any moment, whenever the operating system demands yet another memory block.
Investigators should expect to extract remnants of recent user activities, bits and pieces of chats and conversations, and so on. Essentially, only recent information will still be available in the contents of volatile memory.
From: Catching the Ghost: How to Discover Ephemeral Evidence through Live RAM Analysis by Oleg Afonin and Yuri Gubanov