Limitations of Volatile Memory Analysis

Fri, 07/25/2014 - 8:51am
Realistically, live RAM analysis has its limitations, and lots of them. Many types of artifacts stored in the computer's volatile memory are ephemeral. While information about running processes will not disappear until those processes finish, remnants of recent chats, communications, and other user activities may be overwritten with other content at any moment, whenever the operating system needs another memory block.
Investigators should expect to extract remnants of recent user activities, bits and pieces of chats and conversations, etc. Essentially, only recent information will still be available in the contents of volatile memory.
