Comparative Analysis of Volatile Memory Forensics: Live Response vs. Memory Imaging

Traditionally, incident responders and digital forensic examiners have predominantly relied on live response for volatile data acquisition. While this approach is popular, memory capacity has rapidly changed, making memory a valuable resource for digital investigation, by revealing not only running tasks, but also terminated and cached processes. This research presents the impact and the limitations of the conventional volatile forensic method, live response, in comparison to the alternative method, memory image analysis. The experiment´s results demonstrate and we discuss the forensic effects of executing a live response toolkit, which alters the volatile data environment significantly in some cases and can overwrite potential evidence. Memory image analysis is also leveraged as an alternative approach that helps mitigate the risk of losing volatile evidence such as terminated and cashed processes, which are ignored during live response. This comparative analysis calls attention the capabilities of both methods in retrieving and recovering volatile data.