Title :
Volatile Internet evidence extraction from Windows systems
Author :
Joseph, Neethu ; Sunny, Sherina ; Dija, S ; Thomas, K L
Author_Institution :
ER&DC Institute of Technology, Centre for Development of Advanced Computing, Thiruvananthapuram, India
Abstract :
The number of Internet users is increasing day by day, and hence browser-related evidence provides crucial information regarding a cyber crime. The rate of possible cyber crimes has increased unimaginably with the high usage of popular social networking websites and online internet services for banking, shopping, etc. Thus, collecting internet browsing related information through a browser forensics analysis is unavoidable in a cyber crime investigation. Browser forensics can be done as part of offline forensics by analyzing browser-related files containing cookies, cache and other history information available on the hard disk. But these files usually store limited information, and their content varies based on user settings. On the other hand, when a live forensics approach is adopted, the prime source of forensically relevant information is physical memory. So, in an internet-related cyber crime, the chance of getting crucial information by analyzing physical memory content collected from the suspect's machine is very high. This paper presents a methodology for extracting user credentials of popular web applications by analyzing a Windows system's physical memory content. It helps cyber crime investigators retrieve usernames and associated passwords used in various web-based mail accounts, online banking and shopping sites, etc. Another important methodology the paper presents is for the retrieval of high profile browser forensics information related to the suspect's internet activity by memory dump analysis.
Keywords :
Browsers; Electronic mail; Facebook; Forensics; Hard disks; Internet; Postal services; Digital Evidence; Digital Forensics; Live Acquisition; Live Forensics; User Credentials;
Conference_Title :
Computational Intelligence and Computing Research (ICCIC), 2014 IEEE International Conference on
Print_ISBN :
978-1-4799-3974-9
DOI :
10.1109/ICCIC.2014.7238452