Measuring the Effects of Document Size on RAM Artifacts: A Memory Forensics Approach
Category of Work
Conference
Title of Conference/Lecture Series
3rd Intelligent Cybersecurity Conference (ICSC)
Abstract
Cybercrimes have significantly increased due to the rapid adoption of software and technology in almost every aspect of our lives. The main memory, or RAM, of a computing machine is often used to provide critical information about recent system activities, including running processes, network connections, used passwords, and encryption keys. Moreover, RAM may contain information about the contents of recently used documents and digital files. Therefore, this paper focuses on studying the RAM-based digital artifacts of computer documents of different sizes. It evaluates the amount of document-based digital artifacts that are recovered from the RAM of a confiscated machine. Our methodology analyzes various memory dumps and learns about the digital artifacts in relation to the contents of a document that might be related to a criminal investigation. Two different usage scenarios are assumed: the first assumes that the RAM dump is created while the document is open and being viewed, whereas the second assumes that the RAM dump is created shortly after the document is closed. Experiments show that the recovered contents are significantly affected by the used document size; the amount of recovered volatile artifacts of a used document is impacted by the original document size. Results show that the ratio of the recovered contents is very close for various document sizes during the same usage scenario. Additionally, closing the document reduces the amount of recovered content, but still allows for a significant ratio to be considered as evidence of the actual use of the document on the confiscated machine.
First Page
103
Last Page
109
DOI
https://doi.org/10.1109/ICSC60084.2023.10349979
Presentation Date
10-23-2023
Recommended Citation
Al-Sharif, Ziad A.; Al-Senjalawi, Reema; and Alzoubi, Omar A., "Measuring the Effects of Document Size on RAM Artifacts: A Memory Forensics Approach" (2023). Engineering, Computing and Mathematical Sciences Faculty Conferences. 3.
https://digitalcommons.lewisu.edu/ecms_faccons/3