A comparison of Windows physical memory acquisition tools

Memory forensics analysis is an important area of digital forensics, especially in incident response, malware analysis and the behavior analysis of application and system software in physical memory. Traditional digital forensics, such as the investigation of non-volatile storage, cannot be used to establish the current state of a system (including its network connections) or to analyze malware that uses evasion techniques such as encryption. The actual activity of a program can only be analyzed while it is loaded in memory for execution, which is why volatile memory forensics analysis is used. The success of memory forensics depends on the accuracy and completeness of the memory image, meaning that all regions of memory (both kernel and user space) must be captured accurately. Several tools with varying capabilities and accuracy are available for capturing memory. In order to determine the capabilities and accuracy of Windows volatile memory capturing tools, we analyzed several different Windows volatile memory acquisition tools and compared their results. For the analysis of the captured memory, we used three different memory analysis tools. The resulting comparisons can be used by investigators to select tools according to their needs.