Voletile Memory Investigator

While static examination of computer systems is an important part of many digital forensics investigations, there are often important system properties present only in volatile memory that cannot be effectively recovered using static analysis techniques, such as offline hard disk acquisition and analysis. An alternative approach, involving the live analysis of target systems to uncover this volatile data, presents significant risks and challenges to forensic investigators. Memory is the most important part in doing an investigation in a forensic manner sound. The volatile information is the most important part of the computer to conduct a digital investigation as it contains a lot of information from any active current user. The acquisition of volatile memory from a compromised computer is difficult to perform reliably because the acquisition procedure should not rely on untrusted code, such as the operating system or applications executing on top of it. This paper will compare different tools of memory investigator and present a procedure for acquiring volatile memory. Finally, it analyses which is suitable to be used to retrieved different kind of information from the memory.