International Research Journal of Engineering and Technology (IRJET)
e-ISSN: 2395-0056
Volume: 11 Issue: 12 | Dec 2024
p-ISSN: 2395-0072
www.irjet.net
RAM Forensics of Various Versions of Windows OS Systems
Dija S, Avila Rose Fernandez
Center for Development of Advanced Computing, Thiruvananthapuram, India
Abstract - In today's digital landscape, cybercrime continues to evolve, making RAM Forensics a critical tool for investigators. This paper focuses on RAM forensics across various versions of the Windows operating system, specifically Windows 10 and Windows 11. It highlights the significance of memory analysis in uncovering vital information such as running processes, dynamic link libraries (DLLs), and command usage. A key component of the research is examining the EPROCESS signature, with notable findings about its behavior in newer versions of Windows. The study presents insights into memory-related artifacts crucial for modern cybercrime investigations, emphasizing how these findings contribute to current forensic practice.

Key Words: Memory Forensics, RAM Forensics, EPROCESS Signature, Memory Artifacts

1. INTRODUCTION

In a time of rising cybercrime, digital forensics is essential for uncovering vital evidence in investigations. Among the various branches of digital forensics, RAM Forensics has emerged as one of the most important techniques, particularly for recovering volatile data that traditional storage media never hold. Random Access Memory (RAM) holds transient information such as running processes, dynamic link libraries (DLLs), and executed commands, making it a key source for investigating malicious activities and system behavior.

As operating systems evolve, so do the methods for analyzing their memory structures. This paper focuses on RAM forensics across multiple versions of the Windows operating system, with an emphasis on Windows 10 and Windows 11. A core aspect of this research is the analysis of the EPROCESS signature, the byte pattern used to locate the kernel's per-process EPROCESS structures in memory and thereby enumerate the processes that were active at acquisition time. By investigating the memory-related artifacts of these newer versions of Windows, this study aims to highlight critical differences in forensic approaches and techniques. This paper examines the evolution of RAM Forensics across different Windows versions to provide insights into how memory structures have adapted to changing OS architectures. Understanding these changes is essential for forensic investigators, enabling them to adapt their techniques to analyze memory structures accurately and recover critical evidence. This research highlights the significance of keeping pace with operating system advancements to ensure effective RAM Forensics across different Windows versions.

2. LIVE AND OFFLINE FORENSICS

In the realm of digital investigations, both Live and Offline Forensics [1] are integral techniques used to uncover and analyze evidence. Live Forensics is employed to capture volatile data from a running system, which is crucial when the system is found powered on at the scene of a crime. This approach allows investigators to gather information that would otherwise be lost when the system is shut down. By acquiring the contents of Random Access Memory (RAM), Live Forensics provides insights into active processes, open files, network connections, dynamic link libraries (DLLs), and command-line inputs. This volatile data offers a real-time snapshot of the system's activities, revealing evidence of ongoing operations such as malware execution, data that is encrypted on disk but present in memory in plaintext, and potentially the encryption keys themselves. As modern-day cybercrimes often leave little trace on storage media, Live Forensics becomes indispensable for capturing transient data that can link to criminal activities. Acquisition itself alters the system it captures: the acquisition tool runs as a process and occupies memory of its own, so the tool, its version, and the time of capture should be recorded so that its footprint can be distinguished from the evidence.

In contrast, Offline Forensics involves the traditional approach of creating a bit-stream copy of storage media for later analysis. This method focuses on recovering files, including deleted files and fragments that survive in unallocated space, and on analyzing that unallocated space. Through file system reconstruction and techniques such as keyword searches and timeline analysis, Offline Forensics helps in retrieving long-term stored data, which may provide crucial evidence. However, it is limited in accessing volatile information that only exists in active memory. By combining the strengths of both Live and Offline Forensics, investigators are equipped to capture a more complete picture of a suspect's digital footprint. While Live Forensics excels in preserving volatile data from active systems, Offline Forensics ensures thorough analysis of persistent storage. Together, they form a complementary approach, offering a holistic view of digital evidence in cybercrime investigations.
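The EPROCESS signature that the introduction refers to is, in practice, found by scanning a memory image for the allocation tag that precedes each process structure, the approach taken by Volatility's psscan plugin; that scan is also how an acquired dump yields the process list that section 2 says Live Forensics provides. The following Python example is added here and is not code from the paper. It scans a constructed image for a tag, decodes the fields behind each hit, and rejects hits that fail the sanity checks a real scanner applies. The tag bytes, the 16-byte header with the tag at offset 4 (mirroring the x64 _POOL_HEADER), the record body layout, and the planted process entries are all assumptions made for the example; real EPROCESS offsets and tag bytes differ between Windows builds and must be taken from the kernel symbols matching the dumped system.

```python
"""Signature-based carving of process records from a raw memory image.

Added example (not code from the paper). Models the pool-tag scanning that
tools such as Volatility's psscan use to locate EPROCESS objects: find the tag
that marks a process allocation, decode the fields behind it, and keep only
hits that pass sanity checks. The tag, header and body layout are ASSUMED for
this example; real EPROCESS offsets and tag bytes are Windows-build specific.
"""
import struct
from dataclasses import dataclass
from typing import List, Tuple

POOL_TAG = b"Proc"      # tag bytes searched for (assumed convention of the sample image)
TAG_OFFSET = 4          # tag at +4 of a 16-byte header, mirroring the x64 _POOL_HEADER
HEADER_SIZE = 16
# Body following the header: pid, ppid, creation time, 16-byte image name.
# Assumed, simplified layout for the example; not the real EPROCESS layout.
BODY_FMT = "<IIQ16s"
BODY_SIZE = struct.calcsize(BODY_FMT)   # 32
RECORD_SIZE = HEADER_SIZE + BODY_SIZE   # 48


@dataclass(frozen=True)
class ProcessRecord:
    offset: int         # image offset of the header preceding the record
    pid: int
    ppid: int
    create_time: int    # opaque 64-bit timestamp in this model
    image_name: str


def encode_record(pid: int, ppid: int, create_time: int, name: str) -> bytes:
    """Serialise one record in the assumed layout (used only to build the sample)."""
    header = bytearray(HEADER_SIZE)
    header[TAG_OFFSET:TAG_OFFSET + len(POOL_TAG)] = POOL_TAG
    body = struct.pack(BODY_FMT, pid, ppid, create_time, name.encode("ascii"))
    return bytes(header) + body


def plausible(pid: int, ppid: int, create_time: int, raw_name: bytes) -> bool:
    """Sanity checks that separate process records from stray tag matches.

    Windows process IDs are multiples of 4 (0 belongs only to the Idle process,
    which a scan should not report), a live record has a non-zero creation time,
    and the image name must be printable ASCII with NUL padding only at the end.
    """
    if pid == 0 or pid % 4 or ppid % 4 or create_time == 0:
        return False
    name = raw_name.rstrip(b"\x00")
    if not name or b"\x00" in name:
        return False
    return all(0x20 <= b < 0x7F for b in name)


def scan_image(image: bytes) -> Tuple[List[ProcessRecord], List[int]]:
    """Scan for the tag; return (validated records, header offsets of rejected hits)."""
    found: List[ProcessRecord] = []
    rejected: List[int] = []
    pos = image.find(POOL_TAG)
    while pos != -1:
        start = pos - TAG_OFFSET
        if 0 <= start and start + RECORD_SIZE <= len(image):
            pid, ppid, ctime, raw = struct.unpack_from(BODY_FMT, image, start + HEADER_SIZE)
            if plausible(pid, ppid, ctime, raw):
                name = raw.rstrip(b"\x00").decode("ascii")
                found.append(ProcessRecord(start, pid, ppid, ctime, name))
            else:
                rejected.append(start)
        else:
            rejected.append(start)      # hit too close to an image edge to hold a record
        pos = image.find(POOL_TAG, pos + 1)
    return found, rejected


def build_sample_image(size: int = 4096) -> bytes:
    """Constructed image: deterministic filler (never contains the tag), two planted
    records at 0x100 and 0x800, and a decoy string at 0x400 that starts with the
    tag bytes but is ordinary text, as a string in a loaded binary might be."""
    buf = bytearray((i * 37 + 11) & 0xFF for i in range(size))
    buf[0x100:0x100 + RECORD_SIZE] = encode_record(4, 0, 0x01DA_3F00_0000_0001, "System")
    buf[0x800:0x800 + RECORD_SIZE] = encode_record(764, 596, 0x01DA_3F00_0000_0ABC, "lsass.exe")
    decoy = b"Processing complete"
    buf[0x400:0x400 + len(decoy)] = decoy
    return bytes(buf)


if __name__ == "__main__":
    procs, bad = scan_image(build_sample_image())
    for p in procs:
        print(f"0x{p.offset:04x}  pid={p.pid:<5} ppid={p.ppid:<5} {p.image_name}")
    print("rejected tag hits at:", [hex(o) for o in bad])
```

Running it lists the two planted records and reports the decoy hit at 0x3fc, which fails the PID check because the bytes behind it are text rather than a process record. That false positive is the point: a bare pattern match is not evidence, and the sanity checks (and, on a real image, cross-checking against the kernel's linked process list) are what turn a tag hit into a process artifact.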
3. RAM FORENSICS

RAM Forensics is a critical component of Live Forensics, focusing on the acquisition and analysis of Random Access Memory (RAM) to gather essential forensic evidence. RAM contains volatile data such as running processes, network connections, encryption keys, open files,

© 2024, IRJET | Impact Factor value: 8.315 | ISO 9001:2008 Certified Journal | Page 32