ISSN (Print) : 0974-6846

Indian Journal of Science and Technology, Vol 9(48), DOI: 10.17485/ijst/2016/v9i48/105851, December 2016 ISSN (Online) : 0974-5645

Memory Forensics: Tools and Techniques

Shreshtha Gaur* and Rita Chhikara
Department of CSE/IT, TheNorthCap University, Gurugram, Haryana - 122017, India;
[email protected], [email protected]

Abstract
Objectives: To evaluate the performance of different tools that acquire, analyze and recover the evidences of crime from
volatile memory. A comparison between different tools is presented with the aim of generating better understanding of
the tools employed. Methods: Volatile memory stays for a very short period and that is why it is always hard to analyze
such memory. It contains much useful information such as passwords, usernames, running processes, etc. Acquiring,
analyzing and recovering are the three major steps for memory forensics. Experiments are performed with different tools
to understand the procedure of acquiring, analyzing and recovering important evidences. Findings: The strengths and
drawbacks of all the tools are analyzed that providesa better understanding of the working of the tools in specific scenarios.
The tools like FtkImager and Belkasoft represent the data as a tree structure which makes it difficult to analyze the data. All
the tools investigated are not entirely fitted for a particular situation hence; the investigation needs to rely on many tools
that can retrieve useful information from the evidences. It is important to know the usefulness of a tool before it is applied
to solve a crime. Although most of the tools are successful in providing reasonable evidence, no single tool is sufficient to
complete the investigation. Improvements: Most of the tools work as passive agents that is it is left to the discretion of
the investigator to analyze the evidences collected through different tools. The tools can be improved by combining it with
machine learning techniques. This paper also discusses the improvements that can be done in order to make the working
of the tools easier and yielding better results.

Keywords: Acquisition Memory Tools, Analyzing Memory Tools, Digital Forensics, Live Analysis, Memory Forensics,
Recovering Memory Tools.

1. Introduction The shutting down of the systems could lead to loss to

Digital Forensics is a science of investigating and
recovering evidence from digital devices using different
tools. With the advancement of technology, the cybercrime
rate has increased drastically. To curb the effects of such
crimes digital forensics has gained popularity in recent
years1. Digital analysis can be broadly studied under
two headings a) static or dead analysis where, the target
devices that are to be analyzed are shut down and b) live
analysis where, the system stays in the boot mode and
is kept alive. The traditional static analysis approaches
work by generating bit-by-bit image of the hard disks
after switching off the system and performing detailed
investigation on the collected information2. However
these methods have certain drawbacks.
companies. Another problem faced with static methods
is that modern operating systems3,4 support encryption
which makes traditional approaches unsuccessful. It
is easier to extract cryptographic key directly from
the RAM when the system is live. The live analysis has
become a need with the increase of cyber crime because
individuals have started deleting the contents as soon as
possible without saving the contents on the hard drive.
Hence in order to retrieve more valuable information the
forensic analyst needs to examine the volatile memory.
This science of examining the volatile or live memory is
referred to as Memory Forensics5.
The backbone of any type of digital forensic is the
step by step analysis and documentation. The first step
is to identify the suspicious elements that can be the

* Author for correspondence

 Memory Forensics: Tools and Techniques
cause of harmful effects. Thereafter tools, techniques and
search warrants need to be identified. A very important
step for forensic analyst is to develop a strategy in order
to catch the criminal without damaging the evidences.
The collected evidences then need to be preserved either
physically or digitally. The next step involves recording
of the evidences collected during investigation. Finally,
examining the collected evidences in order to gain in-
depth knowledge of the crime6.
Memory forensics is an emerging science of forensics
and there are many tools that can be helpful in order to
retrieve the suspicious activity. Memory forensics or
Live memory acquisition has not got much attention in
the previous years because of the typical nature of this
memory that is its volatile nature. It not only provides
sufficient information of running processes, applications,
passwords, login credentials, hidden data etc. but also
about terminated and cache processes7. Live Memory
Analysis can bevery useful in analyzing the traces left by
Malware. In order to perform live memory acquisition,
the first step is to capture the live memory (ie memory
dump). Memory dump stores the contents the user has
used and can be useful in order to examine the cause of
system crash. However in memory forensic the acquisition
and analysis takes place at the same time raising questions
on the authenticity of the data8.
The data in volatile memory is always in flux and
it is very hard to guess that for how long the data will
persist in the memory. Intuitively, it is assumed that the
metadata about processes and other objects can survive
in physical memory for more than 14 days while the
system is in use. But no confirmation can be given in this
regard9. Researchers have applied different techniques for
memory forensics such as acquiring memory image10 and
extracting memory page file11. In another work, researcher
has explored counter measure tools and classified root
kits in three levels which are application, library and
kernels12. In another method author has given ways of
collecting files associated with virtual machine13. Authors
have successfully worked with crime data using machine
learning algorithms14. Another area in digital forensics
has been explored by researchers with machine learning
techniques to search for patterns which indicate hidden
secret messages in multimedia carriers15. The machine
learning techniques like classification and clustering have
also been successfully applied in other upcoming areas
2 Vol 9 (48) | December 2016 | www.indjst.org
like medical16 and big data mining17. Some of the authors
have also worked with meta-heuristic techniques18 for
cloud computing which is another upcoming area. Major
challenges faced with cloud forensics19 is that it is not
possible to capture the evidence as a single snapshot,
hence information such as time and volume related to
snapshots need to be maintained in a table. Another
technique employed by authors is time analysis20 on
Windows operating system to investigate forensic crime.
However memory forensics is still in its infancy and
machine learning or optimization techniques have yet to
be explored for this dynamic area.
In this paper we provide different tools for acquiring,
analyzing and recovering the evidence from volatile
memory. This paper also discusses the strengths and
weaknesses of each tool and provides suggestion for
improving the tools.
2. Tools and Techniques
Memory Forensics can be studied broadly under three cat-
egories:
• Acquisition of memory
• Analyzing the acquired data
• Recovering the evidence.
2.1 Acquisition of Memory
Collecting the “memory image” from the live memory
is not an easy task. As the name suggests the data we
are acquiring is from the live memory so we need to
be very careful as little de-allocation can trigger heap
defragmentation. There are various tools & techniques for
Windows used to acquire the volatile memory in order to
extract malicious programs in it. The tools are easy to use
and can yield interesting results.
2.1.1 Belkasoft Live RAM Capturer
Belkasoft Live RAM Capturer21 is a free volatile memory
forensic tool to capture the live RAM as depicted in Figure
1. It is equipped with 32-bit and 64-bit kernel drivers
allowing the tool to operate in the most privileged kernel
mode. The memory dump will be stored with .mem
extension and later it the memory dump can be analyzed
using Belkasoft evidence centre tool.
Indian Journal of Science and Technology
 Shreshtha Gaur and Rita Chhikara

Figure 1. Acquiring memory image using Belkasoft Live RAM Capturer.

Figure 2. “Capture memory” option is selected to acquire memory image.

2.1.2 Ftk Imager captured memory dump. It stores the memory dump with
memextentionas depicted in Figure 3 which later can be
The Ftk Imager22 creates a bit-by-bit image, including
analyzed using wxHexEditor tool or some another tool.
unallocated space and slack space. It helps to capture the
live RAM as shown in Figure 2 but cannot analyze the

Figure 3. Acquiring memory image process with FtkImager.

Vol 9 (48) | December 2016 | www.indjst.org Indian Journal of Science and Technology 3
 Memory Forensics: Tools and Techniques

a) 2.1.3 Madiant Memoryze
MadiantMemoryz23 is free memory forensic software that
helps incident responders find evil in live memory. It can
acquire as well as analyse the captured memory. This tool
can acquire all running processes, all drivers, and full range
of system memory image as demonstrated in Figure 4.
b) 2.1.4 DumpIt
It is a very interesting tool for those who want to capture
the RAM of some suspicious or under observation person.
This tool can be stored on a pen drive and takes less than
a minute to acquire the live RAM. When the pen drive
is attached and DumpIt24 is executed on that person’s
computer, only a confirmation question (ie. Asking yes or
no) is prompted as shown in Figure 5 and .mem file of
that person’s live RAM gets stored in the pen drive.
2.2 Advantages and Disadvantages of
Acquisition Tools
The various advantages of tools applied for acquiring the
important information are given in Table 1. This provides
a better insight in all the tools discussed.
2.3 Analysis of Acquired Memory Dump
After the acquisition of the memory image, now the
memory image will be analyzed. In this phase the
evidences need to be analyzed very carefully.

Figure 4. Acquiring memory image using MadiantMemoryze.

Figure 5. Acquiring memory image using DumpIt.

4 Vol 9 (48) | December 2016 | www.indjst.org Indian Journal of Science and Technology
 Shreshtha Gaur and Rita Chhikara

Table 1. Advantages and disadvantages of the tools

Sr. No Tools Advantages • Disadvantages
1 Belkasoft Live RAM • Easy to use • After capturing memory
Capturer image, another belkasoft
• Acquire all the hidden data program need to be down-
loaded
• Does not de-allocate data from
memory
2 FtkImager • Easy to use • No progress bar

• Creates a case log file • No multi-tasking

• Fast searching & EFS decryption • De-allocates data from

memory
3 Madiant Memoryze • Can acquire running processes, • Does not work even after
drivers etc installation

• Can crack passwords if used with • Difficult to use

dumpIt
4 DumpIt • Can be used even by non-technical • De-allocates data sometimes
people

• Easy to use & acquire the memory

image quickly

2.3.1 Belkasoft Evidence Centre 2.3.2 wxHexEditor

Belkasoft21 is one of the most interesting tools till date.
The .mem file created by the Belkasoft LIVE Ram capturer
is opened in this tool and then it can easily analyze the
memory dump. It is easy to understand and use and do
not require any specific knowledge to run it. In Figure
6 clearly depicts the method of loading the captured
memory image file from Belkasoft live RAM capturer.
Loading the data sources needed to carve is shown in
Figure 7. Finally the carved data of the captured memory
image is analyzed as depicted in Figure 8.
The memory dump captured in the FtkImager can be
analysed using wxHexEditor25. It is a free tool that can
analyse the memory dump. It has two parts that is on the
right side the string values of information is displayed
and on the left side the hex values of strings are displayed
which can be analyzed. In Figure 9 displays the loading
of the captured memory image from FtkImager to be
analysed by wxHexEditor.

Figure 6. Loading of the captured memory image file from Belkasoft live
RAM capturer.

Vol 9 (48) | December 2016 | www.indjst.org Indian Journal of Science and Technology 5
 Memory Forensics: Tools and Techniques

Figure 7. Loading the data sources needed to carve.

Figure 8. Analysing the carved data of the captured memory image.

Figure 9. Loading the captured memory image from FtkImager.

6 Vol 9 (48) | December 2016 | www.indjst.org Indian Journal of Science and Technology
 Shreshtha Gaur and Rita Chhikara

The pattern can be searched by entering some words
in search option using this tool. In Figure 10 shows the
results of searching the word “gmail”.
The result of finding the word gmail is as shown in
Figure 11. The words matching “gmail”shall be displayed
as depicted in Fig. 11 and thereafter it can be analyzed.
The wxHexEditor can be utilized to retrieve usernames
and passwords as shown in Figure 12.
RAM. It is used to analyze the disk images and perform
in-depth analysis of file systems. Figure 13 shows the
working of Autopsy tool.
2.4 Advantages and Disadvantages of
Analysis Tools
The advantages and disadvantages of analysis tools
mentioned in section 2.3 are discussed in Table 2.

2.3.3 Autopsy
2.5 Recovering Data using FtkImager
Autopsy26 is also a free tool used to analyze the captured Sometimes, the attacker deletes some sensitive information

Figure 10. Searching and Analyzing the captured memory image for
evidences.

Figure 11. Analyzing the captured memory image-gmail account.

Vol 9 (48) | December 2016 | www.indjst.org Indian Journal of Science and Technology 7
 Memory Forensics: Tools and Techniques

Figure 12. Usernames and passwords can be retrieved.

Figure 13. Analyzing the memory image and finding evidences using
Autopsy.

Table 2. Advantages and disadvantages of the tools

Sr. Analyzing Tools Advantages Disadvantages
No
1 Belkasoft Evidence Centre Can include all the data sources Do not read the dump
Easy to use & navigate
2 wxHexEditor Easy to use and understand Can be a little slow while
Can load the acquired image searching
faster Can also take some amount
of time while searching this
big data
3 Autopsy Can analyze disk images Can be a little slow
In-depth analysis of file systems

8 Vol 9 (48) | December 2016 | www.indjst.org Indian Journal of Science and Technology
 Shreshtha Gaur and Rita Chhikara

or images from the system in order to protect it. But such
deleted information can be recovered. Although, it is a
very tiring task and one needs full concentration into it
but the results are sometimes very interesting.
Suppose the attacker, used the image of a puppy and
later deleted it from the system. Now, using FtkImager22
the image can be recovered as shown in the snapshots in
Figures 14,15,16 and 17.
The attacker saved the picture and later removed it
from the file as well as from the recycle bin.
The FtkImager is executed and the files in the
unallocated space are explored to recover the deleted. The
file get saved with different name, hence all the files have
to be opened as FtkImager does not provide any searching
mechanism.

Figure 14. Saving the image from net in the desired destination.

Figure 15. Checking the image visibility in FtkImager.

Vol 9 (48) | December 2016 | www.indjst.org Indian Journal of Science and Technology 9
 Memory Forensics: Tools and Techniques
Figure 16. Deleting the image from the destination path and also from the recycle
bin.
Figure 17. Deleted image recovered.
3. Discussion
Memory forensics is a vast field and the work done till
date is appreciable. In earlier times researcher’s focus was
on hardware acquisition but over last decade software
acquisition has marked its presence, however volatile
memory forensics is still in its infancy. There are many
10 Vol 9 (48) | December 2016 | www.indjst.org
tools freely available that assist in analyzing the volatile
memory but still there exists some gaps which need to be
bridged.
In FtkImager and Belkasofttools the data to be
analyzed is viewed as a tree having many branches
thus, analyzing the data extracted becomes a hard task
and time consuming too. Also, it does not ensure 100%
Indian Journal of Science and Technology

results sometimes causing unsuccessful searches. The
tools studied in this paper are only designed for finding
some particular part of evidence and not in assisting the
investigation thus, the investigation takes a good amount
of time to solve. This basically means that investigator
needs to apply intellect to find evidences and the tool does
not provide intelligent information.
Another major challenge faced in area of forensics is
that many tools need to be employed to get results and
one tool is not sufficient during the whole process of
investigation. The tools consume lot of time in retrieving
and recovering sensitive information which could cause
undue harm and since information does not reside for
long in memory important evidence could be lost.
4. Conclusion
Memory forensics is an emerging field and has lot of
scope. There are many tools existing to tackle cybercrime,
however the efficiency and effectiveness of tools is not
sufficient to handle the tremendous increase in cyber
crime. This field has a very bright future despite fast
growth in digital forensics in last decade. The focus
towards memory forensics is a major step towards curbing
cybercrime at fast pace. This paper has discussed some of
the available tools for volatile memory. The disadvantages
and advantages of tools for performing three major
operations of memory forensics; acquiring, analyzing and
recovering have been discussed.
There is tremendous future scope in the area of
memory forensics. The tree like structure generated by
some tools can be modified to reduce time and produce
better results. Also focus should be on developing a single
tool should that can successfully acquire and analyse the
memory.
5. References
1. Reith M, Carr C, Gunsch G. An examination of Digital Fo-
rensics Models. International Journal of Digital Evidence.
2002; 1(3):1–12.
2. Dave R, Mistry NR, Dahiya MS. Volatile Memory Based
Forensic Artifacts and Analysis. International Journal for
Research in Applied Science and Engineering Technology.
2014: 2(1):120–4.
3. Microsoft Corporation. Bitlocker drive encryption. 2016
August 30. Available from: http://technet.microsoft.com/
en-us/library/cc73154928WS.1029.aspx.
Vol 9 (48) | December 2016 | www.indjst.org
Shreshtha Gaur and Rita Chhikara
4. Saout C. dm-crypt: A device-mapper crypto targe. 2016
September 05. Available from http://www.saout.de/misc/
dm-crypt/.
5. Hay B, Nance K, Bishop M. Live analysis: Progress and
Challenges. IEEE Security and Privacy. 2009:7(2):30–7.
6. Wang L, Zhang R, Zhang S. A model of computer live fo-
rensics based on physical memory analysis. Proceedings of
1st IEEE International Conference on Information Science
and Engineering (ICISE). 2009. p. 4647–9.
7. Aljaedi A, Lindskog D, Zavarsky P, Ruhl R, Almari F.
Comparative Analysis of Volatile Memory Forensics: Live
Response vs. Memory Imaging. Proceedings of 3rd IEEE
International Conference on Privacy, Security, Risk and
Trust. 2011.p. 1253–8.
8. Petroni NL,Walters A, Fraser T, Arbaugh WA. FATKit: A
Framework for the Extraction and Analysis of Digital Fo-
rensic Data from Volatile System Memory. Digital Investi-
gation. 2006;3(4): 197–210.
9. Gianni F, Solinas F. Live Digital Forensics: Windows XP vs
Windows 7. Proceedings of 2nd IEEE International Confer-
ence on Informatics and Applications (ICIA). 2013. p. 1–6.
10. Balogh S, Pondelik M. Capturing encryption keys for dig-
ital analysis. Proceedings of 6th International Conference
on Intelligent Data Acquisition and Advanced Computing
Systems (IDAACS). 2011. 2, p. 759–63.
11. Savold A, Gubian P. Towards the virtual memory space
reconstruction for windows live forensic purposes, Pro-
ceedings of 3rd IEEE International Workshop on System-
atic Approaches to Digital Forensic Engineering. 2008. p.
15–22.
12. Carrier BD. Risks of live digital forensic analysis. Commu-
nications of the ACM. 2006; 49(2): 56–61.
13. Meera V, Isaac MM, Balan C. Forensic acquisition and anal-
ysis of VMware virtual machine artifacts. Proceedings of
IEEE Automation, Computing, Communication, Control
and Compressed Sensing (iMac4s). 2013. p. 255–9.
14. Agarwal N, Gaur D. Classification of crime data using Rap-
id Miner. International Journal of Applied Engineering Re-
search. 2015; 10(5): 27517–21.
15. Chhikara RR, Sharma P, Singh L. A hybrid feature selection
approach based on improved PSO and filter approaches
for image steganalysis. International Journal of Machine
Learning and Cybernetics. 2015; 7(6):1195–206.
16. Shenbagarajan A, Ramalingam V, Balasubramanian C, Pal-
anivel S. Tumor diagnosis in MRI brain image using ACM
Segmentation and ANN-LM classification techniques, In-
dian Journal of Science and Technology. 2016 Jan; 9(1):
1–12.
17. Sajana T, Sheela Rani CM, Narayana KV. A Survey on clus-
tering techniques for Big Data mining. Indian Journal of
Science and Technology. 2016 Jan; 9(3):
18. Hamid HM S, Shafie AL M, Yahaya C, Muhammad A S. An
appraisal of meta-heuristic resource allocation techniques
for IaaS Cloud. Indian Journal of Science and Technology.
2016 Jan; 9(4):1–12.
Indian Journal of Science and Technology 11
 Memory Forensics: Tools and Techniques
19. Deevi R. R, Sk. Nazma S, Pasala L. S. Challenges of Digital
Forensics in Cloud Computing Environment, Indian Jour-
nal of Science and Technology. 2016 May; 9(17):1–7.
20. Sungjin L, Sunghyuck H. Analysis of Time Records on Dig-
ital forensics. Indian Journal of Science and Technology.
2015 Apr; 8(S7):365–72.
21. Belkasoft tool. 2016 August 03. Available from: https://
belkasoft.com/ec.
22. Ftkimager tool. 2016 August 24. Available from: https://ac-
cessdata.com/product-download/digital-forensics/ftk-im-
ager-version-3.2.0.
12 Vol 9 (48) | December 2016 | www.indjst.org
23. Memoryze tool. 2016 September 17. Available from: https://
www.fireeye.com/services/freeware/memoryze.html.
24. Dumpit tool.2016 October 27. Available from: http://qp-
download.com/dumpit.
25. Wxhexeditor tool.2016 August 25. Available from: https://
sourceforge.net/projects/wxhexeditor/.
26. Autopsy tool. 2016 Sep 25. Available from: http://www.
sleuthkit.org/autopsy/download.php.
Indian Journal of Science and Technology