Digital Forensics and Incident Response - Third Edition by Gerard Johansen

Author:Gerard Johansen
Language: eng
Format: epub
Publisher: Packt
Published: 2022-11-15T00:00:00+00:00

At the end of this chapter, you will have both an understanding of the methodology and the tools necessary for finding data points, analyzing them, and extracting other evidence for follow-up analysis.

Memory analysis overview

When discussing how to analyze the memory of a system, two terms are used interchangeably. The terms RAM and memory are used to describe the portion of the computer’s internal systems where the operating system places data utilized by applications and the system hardware while that application or hardware is in use. What makes RAM or memory different from storage is the volatile nature of the data. Often, if the system is shut down, the data will be lost.

One change in operating systems that has had a direct impact on memory analysis is the advent of the 64-bit OS. The use of a 64-bit register allows the OS to reference a total of 17,179,869,184 GB of memory. When compared to the 32-bit OS, this is several million times the amount of data previously available. As a result, there is a good deal of data contained within RAM at the time a system is running that is valuable in incident investigation. This includes the following:

Running processes

Loaded Dynamic Link Libraries (DLL)

Loaded device drivers

Open registry keys

Network connections

Command history

Download

Copyright Disclaimer:
This site does not store any files on its server. We only index and link to content provided by other sites. Please contact the content providers to delete copyright contents if any and email us, we'll remove relevant links or contents immediately.