Gadgets, Games, Software, News -Techno Nerd

A media blog about gadgets, media, software, and technology.


Accessing Volatile Data

When accessing volatile memory, one of the first things a computer forensics investigator may recall is the basic scientific principle that the very act of observing something changes it. Accessing volatile memory is no exception to this principle.

The evidence dynamics effects of loading program code in memory, or even moving the mouse in a Windows-based operating system, need to be understood. As described earlier in this chapter, starting an application will load some or all of the program’s code pages into physical, and possibly virtual, page memory on disk.

The loading of code pages alters the memory data structures if the code is loaded into physical memory only, and also alters the system’s disk if any code is loaded into logical page memory. In each case, not only is a change being made, but valuable evidence could quite possibly be displaced by the investigator's actions.
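The page-loading effect described above can be measured on a test bench before a tool is ever run on a live system. The following is an added example, not part of the original article: it counts the page faults a child process causes when it starts. It assumes a Unix-like analysis workstation with Python's `resource` module, and the two "tools" are constructed stand-ins.

```python
import resource
import subprocess
import sys


def _children():
    # Cumulative usage of all child processes that have been waited for.
    return resource.getrusage(resource.RUSAGE_CHILDREN)


def measure_footprint(argv):
    """Run argv and report the page faults it caused while loading and running.

    minor faults: pages mapped without disk I/O (already cached or zero-filled)
    major faults: pages that had to be read in from disk
    """
    before = _children()
    subprocess.run(argv, stdout=subprocess.DEVNULL,
                   stderr=subprocess.DEVNULL, check=False)
    after = _children()
    minor = after.ru_minflt - before.ru_minflt
    major = after.ru_majflt - before.ru_majflt
    page_kib = resource.getpagesize() // 1024
    return {
        "minor_faults": minor,
        "major_faults": major,
        "pages_touched": minor + major,
        # Rough estimate: one page per fault.
        "approx_kib_touched": (minor + major) * page_kib,
    }


# Constructed stand-ins for response tools (hypothetical, for illustration):
# a process that does nothing, and one that loads extra library code.
SAMPLE_TOOLS = {
    "minimal": [sys.executable, "-c", "pass"],
    "with_libraries": [sys.executable, "-c", "import json, ssl"],
}

if __name__ == "__main__":
    for name, argv in SAMPLE_TOOLS.items():
        fp = measure_footprint(argv)
        print(f"{name:15s} minor={fp['minor_faults']:6d} "
              f"major={fp['major_faults']:4d} "
              f"~{fp['approx_kib_touched']} KiB touched")
```

Even the process that does nothing reports a non-zero count, which is the memory the investigator's own action claimed on the system.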

In Windows-based operating systems, the simple act of moving a mouse accesses dynamic registry hives. Brian D. Carrier and Joe Grand presented their paper, “A Hardware-based Memory Acquisition Procedure for Digital Investigations,” in the February 2004 Digital Forensics Investigation Journal [Carrier01].
