Acquire the RAM and Swap Space

What valuable electronic evidence can be found in a computer's random access memory (RAM), and what happens to that evidence if the computer is powered off? Procedures that specify powering off the target device before acquisition may destroy valuable electronic evidence that is sometimes found in RAM, such as cryptographic keys, passwords, active network connections, and running processes. Some or all of these items may be vital to the investigation and should therefore be considered for acquisition.

Swap space, the area of a hard disk that is used as virtual memory, could also contain evidence: when RAM fills up, the operating system pages memory contents out to swap, so information that originated in RAM can also end up stored on disk, depending on how the media storage device's file system stores data.

What are some special considerations when acquiring electronic evidence from RAM? RAM is volatile, meaning it requires power to retain data. When power is removed from the RAM chip, the memory contents are lost. Software used to acquire RAM from the target must therefore make every effort not to modify what currently exists in the target's RAM; a tool that runs on the live system occupies memory itself, so some change is unavoidable and must be kept to a minimum. The goal is to create a "forensically sound memory snapshot" from RAM (Gruhn & Freiling, 2016).
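As an added example (not part of the original course page), the following Python script carves printable strings from a constructed memory/swap image, flags credential-like artifacts of the kind described above, and records a SHA-256 digest so the analyst can show the acquired snapshot was not altered during analysis. The image bytes, the credential hints and the function names are all constructed for this illustration.

```python
"""Carve readable artifacts from a memory or swap image and record its hash.

Added example, not from the original course page. The image bytes below are
constructed: binary filler around a few text fragments of the kind that can
sit in RAM and be paged out to swap.
"""
import hashlib
import re

# Constructed sample image (offsets: header at 32, password at 77, key at 116).
SAMPLE_IMAGE = (
    b"\x00\x00\xff\x10" * 8
    + b"Authorization: Basic YWxpY2U6czNjcjN0\r\n"
    + b"\x7f\x45\x4c\x46\x02\x01"
    + b"password=correct horse\x00"
    + b"\x90" * 16
    + b"ssh-rsa AAAAB3Nza" + b"\x00" * 12
)


def image_digest(image: bytes) -> str:
    """SHA-256 of the image; record it at acquisition time so later analysis
    can prove the snapshot itself was not changed."""
    return hashlib.sha256(image).hexdigest()


def carve_strings(image: bytes, min_len: int = 8) -> list[tuple[int, str]]:
    """Return (offset, text) for every run of printable ASCII of at least
    min_len bytes, like the `strings` utility but keeping the offset."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in pattern.finditer(image)]


def find_credentials(image: bytes) -> list[tuple[int, str]]:
    """Flag carved strings that look like credential material (hints are
    constructed for this demo, not an exhaustive list)."""
    hints = ("password=", "Authorization:", "ssh-rsa", "BEGIN PRIVATE KEY")
    return [(off, s) for off, s in carve_strings(image) if any(h in s for h in hints)]


if __name__ == "__main__":
    before = image_digest(SAMPLE_IMAGE)
    for off, text in find_credentials(SAMPLE_IMAGE):
        print(f"0x{off:06x}: {text}")
    # Analysis only reads the image; the digest must match the recorded one.
    assert image_digest(SAMPLE_IMAGE) == before
```

On a real case the same functions would be run over the acquired image file (read in binary mode) rather than the constructed bytes.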

How does this type of electronic evidence and its acquisition differ from electronic evidence found on media disk storage devices?

References

Gruhn, M., & Freiling, F. C. (2016). Evaluating atomicity, and integrity of correct memory acquisition methods. Digital Investigation, 16(Supplement), S1–S10. http://ac.els-cdn.com/S1742287616000049/1-s2.0-S1742287616000049-main.pdf

Non-volatile storage. (n.d.). https://www.techopedia.com/definition/15261/non-volatile-storage-nvs

Volatile storage. (2014). https://www.techopedia.com/definition/9966/volatile-storage

Check Your Knowledge

Choose the best answer to each question:

Question 1
Swap file space may contain information from RAM that could be valuable to an investigation.
True
False

Question 2
If you power off the device, you may lose all evidence currently in RAM.
True
False

Question 3
Executing a live acquisition may alter RAM.
True
False

Question 4
RAM is similar to other computer files in that it is easily readable by the correct application.
True
False