Title: A framework for password harvesting from volatile memory

Authors: Stavroula Karayianni; Vasilios Katos; Christos K. Georgiadis

Addresses: Information Security and Incident Response Unit, University Campus, Democritus University of Thrace, Xanthi 67100, Greece (first and second authors); Department of Applied Informatics, University of Macedonia, 156 Egnatia Str., GR 54006, Thessaloniki, Greece (third author)

Abstract: In this paper, we challenge the widely accepted approach whereby a first responder does not capture the RAM of a computer system that is found powered off at a crime scene. We investigate the presence of confidential data in RAM, such as user passwords. Our findings show that even if the computer is switched off but not disconnected from the mains, the data are preserved. In fact, when a process is terminated while the computer keeps running, the respective data are more likely to be lost, since the freed pages are soon reused by other processes. Therefore, capturing the memory can be as critical on a switched-off system as on a running one.
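The kind of search a responder would run over a raw RAM capture once it has been acquired, as an added example that is not the paper's framework or code: it scans a byte image for credential-like key/value pairs in both ASCII and UTF-16LE (the encoding Windows applications commonly hold strings in), reporting the byte offset of each hit. The key names, the regular expressions and the sample image are assumptions constructed for this illustration.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample "memory image" (not a real capture): mimics what a raw
# RAM dump may contain, i.e. an HTTP login form body in ASCII, a UTF-16LE
# string as Windows programs keep them, a config-style line, and filler.
SAMPLE_IMAGE = (
    b"\x00" * 64
    + b"GET /login HTTP/1.1\r\n"
    + b"username=alice&password=Tr0ub4dor3&submit=Login\r\n"
    + b"\x90" * 32
    + "pwd=hunter2".encode("utf-16-le")
    + b"\x00" * 48
    + b"PASSWD: s3cret!\x00"
    + b"\xff" * 16
)

# Runs of printable text in each encoding; a run is at least four characters.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")

# Key names (assumed list) followed by ':' or '=' and a value of 4..64 printable
# characters, excluding '&' and whitespace so form-encoded bodies split cleanly.
CRED_RE = re.compile(
    r"(?i)\b(password|passwd|pwd|pass)\s*[:=]\s*([\x21-\x25\x27-\x7e]{4,64})"
)


@dataclass(frozen=True)
class Hit:
    offset: int    # byte offset of the key name inside the image
    encoding: str  # "ascii" or "utf-16-le"
    key: str       # key name as found, lower-cased
    value: str     # candidate password value


def harvest(image: bytes) -> List[Hit]:
    """Return credential-like hits found in a raw memory image, sorted by offset."""
    hits = []
    for enc, run_re, width in (("ascii", ASCII_RUN, 1), ("utf-16-le", UTF16_RUN, 2)):
        for run in run_re.finditer(image):
            text = run.group().decode(enc)
            for m in CRED_RE.finditer(text):
                # Map the match position in the decoded text back to a byte offset.
                offset = run.start() + width * m.start(1)
                hits.append(Hit(offset, enc, m.group(1).lower(), m.group(2)))
    return sorted(hits, key=lambda h: h.offset)


if __name__ == "__main__":
    for h in harvest(SAMPLE_IMAGE):
        print(f"0x{h.offset:08x}  {h.encoding:9s}  {h.key}={h.value}")
```

A scan like this works on any raw image, whether it was taken from a running system or from a system that was switched off but still powered; it does not need the operating system's bookkeeping structures to be intact. Its limitation is that it only finds credentials stored as readable key/value text: passwords held in binary structures (authentication caches, browser credential stores) need a parser for that structure rather than a string search.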

Keywords: memory forensics; order of volatility; data recovery; password harvesting; volatile memory; confidential data; RAM; user passwords; random access memory; memory capture; security.

DOI: 10.1504/IJESDF.2012.048411

International Journal of Electronic Security and Digital Forensics, 2012 Vol.4 No.2/3, pp.154 - 163

Received: 30 Nov 2011
Accepted: 15 Mar 2012

Published online: 19 Nov 2014
