Memory Forensic Data Recovery Report: RAM Cooling Methods
Added on 2022/09/27
AI Summary
This report delves into the critical field of memory forensics, specifically exploring data recovery techniques utilizing RAM cooling methods. The research, building upon previous work by Gupta & Nisbet (2016), investigates how forensic investigators can overcome challenges like locked accounts and encrypted files to extract valuable data from volatile memory. The study examines the effectiveness of various RAM cooling methods, including freezing spray, ice, and liquid nitrogen, and their impact on data retention and recovery. Experiments conducted in 2016 demonstrated the successful recovery of data, including web browsing history and even a TrueCrypt encryption key, using RAM freezing techniques. The report highlights the significance of RAM forensics in digital investigations, emphasizing the importance of preserving and analyzing RAM data, especially in cybercrime cases, and the potential for these methods to aid in decryption and evidence gathering. While acknowledging limitations, the research underscores the potential of RAM freezing as a crucial tool for forensic investigators.

Running head: RESEARCH ANALYSIS AND CRITICAL REFLECTION
Research analysis and Critical Reflection
Name of the Student:
Name of the University:
Author note:

Introduction to the research:
Memory forensics, also termed memory analysis, refers to the analysis of the data stored in a computer's memory. These data are volatile in nature and can be misused if not taken care of. This report aims to explain the topic of memory forensic data recovery utilising RAM cooling methods, on which research was previously conducted by Gupta & Nisbet in 2016. Memory forensics is one of the most recognised parts of digital forensics and uses the data available on devices to investigate matters related to cybercrime. RAM, or Random Access Memory, is one of the essential parts of the system, where important data such as web browsing history and currently running programs are stored. The researchers aim to analyse the RAM in order to obtain valuable information for forensic investigations.
RAM is often overlooked when the forensic team looks for evidence on hard drives and other storage in the computer. However, the research found that turning the computer off abruptly may cause the loss of the RAM data, which is very important to the investigation (Zhang et al. 2018). The purpose of the research is to analyse the ways in which the memory forensic team can use RAM data by recovering it with the method of freezing.
Discussion:
RAM, or Random Access Memory, is one of the basic components of a computer or any digital information system. One of its most important features is the presence of multiplexing and de-multiplexing circuits, which connect the data lines so that the storage can be addressed and read and write operations can be carried out. In contemporary information technology systems, integrated circuits play the part of the RAM, which is used for storage access and read/write operations. Forensic investigators take hold of the random access memory when a cybercrime is reported in a case or an organization (Joseph & Norman, 2020).
With this research, the researcher wanted to establish that RAM data is one of the most important sources of information in digital forensics; hence RAM forensics can be considered significantly important. The researchers study numerous methods by which the data present in the RAM can be gathered, so that the data retention of the various methods can be analysed and compared.
With the advancement of technology, data security has become one of the major concerns of information systems. The researcher lays emphasis on the methods that can be used to investigate the data present in the system. According to the researcher, one of the major problems in this field is retrieving or recovering data from the hard drive of a computer that its user has locked with a password. Once such a computer is shut down, important data that are sensitive and volatile in nature can be lost from the system.
The researcher encountered one more problem in the research on this topic, namely the use of cryptography (Mukhopadhyay, 2017). This technology is widely used to secure sensitive data all around the world and is regarded as one of the most common parts of information systems nowadays. However, a technology developed to prevent cybercrime has also become one of the greatest ways of protecting cybercriminals. Criminals can use it to protect their personal data, which may include the primary evidence of a crime. Often the entire drive is found to be encrypted, which makes the investigator's work much more difficult. The digital forensic team can always seize the data but can never decipher it without the assistance of the user of the data (Cheng et al., 2017).
The research discusses RAM forensics, one of the most useful and significant parts of digital forensics. It states that RAM freezing techniques can be used in digital and memory forensics to gather data involved in cybercrime. The researcher discusses an experiment conducted in 2016 in which the RAM was frozen with freezing spray inside a computer while it was still running (Osbourne, 2013). The purpose of the experiment was to check whether the RAM can retain its data and yield an original, unscrambled file or image after being brought back from the cold to normal temperature. The experiment also demonstrated the data recovery process and checked whether forensic investigators could remove the RAM and still maintain the integrity of the data long enough for forensic analysis to scan the contents.
The researcher discusses the experiment in brief and determines that the RAM freezing experiment, conducted for 10 minutes, was a success. When the RAM was removed for 10 minutes and re-inserted without any cooling, almost the entire content was lost. The same experiment was then performed with the RAM cooled in liquid nitrogen, which showed almost complete recovery of the data present in the RAM. This, however, was not possible for an investigator in the field. Freezing spray and ice, by contrast, are cheap and easily available.

According to the researcher, the experiment revealed that ice recovered almost the same amount of data as liquid nitrogen, while freezing spray recovered slightly less, at approximately 96.45 %.
The next part of the experiment tested the amount of data recovered when the RAM was kept frozen in liquid nitrogen for different lengths of time. As seen earlier, freezing in liquid nitrogen for 10 minutes allows up to 99.81 % of the data to be recovered. If the RAM is kept frozen for one hour, approximately 98.84 % of the data is recovered; if it is frozen for 2.5 hours, around 93.95 % is recovered (Hosseini, Jahangir & Kazemi, 2019).
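The retention figures above compare what was in RAM before the module was removed with what could be read back afterwards. The following is an added example, not code from Gupta & Nisbet or from this report, and the page does not say how the published percentages were computed: it shows one way to measure retention from two memory images, using a constructed sample and an assumed per-page granularity.

```python
from dataclasses import dataclass

PAGE_SIZE = 4096  # assumption: intact regions are counted per 4 KiB page


@dataclass
class RetentionReport:
    bits_total: int
    ones_lost: int     # bit was 1 in the reference image, 0 after recovery
    zeros_lost: int    # bit was 0 in the reference image, 1 after recovery
    pages_total: int
    pages_intact: int

    @property
    def bit_retention_pct(self):
        flipped = self.ones_lost + self.zeros_lost
        return 100.0 * (self.bits_total - flipped) / self.bits_total

    @property
    def page_retention_pct(self):
        return 100.0 * self.pages_intact / self.pages_total


def compare_images(reference, recovered, page_size=PAGE_SIZE):
    """Compare a reference image with the image read back after cooling.

    Both images must cover the same address range. Flips are counted per
    direction so that one-sided loss stands out in the report.
    """
    if len(reference) != len(recovered):
        raise ValueError("images must cover the same address range")
    if not reference:
        raise ValueError("empty image")

    ones_lost = zeros_lost = pages_total = pages_intact = 0
    for off in range(0, len(reference), page_size):
        ref_page = reference[off:off + page_size]
        rec_page = recovered[off:off + page_size]
        pages_total += 1
        if ref_page == rec_page:
            pages_intact += 1
            continue
        # Treat the page as one big integer and count differing bits.
        r = int.from_bytes(ref_page, "big")
        c = int.from_bytes(rec_page, "big")
        ones_lost += bin(r & ~c).count("1")
        zeros_lost += bin(~r & c).count("1")

    return RetentionReport(
        bits_total=8 * len(reference),
        ones_lost=ones_lost,
        zeros_lost=zeros_lost,
        pages_total=pages_total,
        pages_intact=pages_intact,
    )


def constructed_sample():
    """Constructed data: four 64-byte pages, two of them damaged."""
    reference = bytes(range(256))
    damaged = bytearray(reference)
    for i in range(64, 72):      # page 1: low nibble of 8 bytes cleared
        damaged[i] &= 0xF0
    damaged[200] = 0xFF          # page 3: one byte forced to all ones
    return reference, bytes(damaged)


if __name__ == "__main__":
    ref, rec = constructed_sample()
    report = compare_images(ref, rec, page_size=64)
    print(f"bit retention:  {report.bit_retention_pct:.2f} %")
    print(f"page retention: {report.page_retention_pct:.2f} %")
    print(f"1->0 flips: {report.ones_lost}, 0->1 flips: {report.zeros_lost}")
```

Bit-level and page-level retention can differ widely for the same image pair, so a reported percentage is only comparable across cooling methods when the unit of comparison is stated.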
The researcher discusses the data that could be recovered in the RAM freezing experiment. This includes all the web activity performed by the user of the system, including all the web pages that were opened, visited and closed, and all the processes that were started and stopped. The primary idea was to check whether the TrueCrypt password can be accessed from the Random Access Memory of the system. In all the experiments it was found possible to recover an AES encryption key of 52 bits in memory, which TrueCrypt used to encrypt files. This can be extremely beneficial, since the forensic researcher can use it to decrypt the files and read them. These encrypted files usually contain the information most important to a forensic investigation. The entire data, however, could not be recovered, due to certain minor issues. Although forensic investigators will get access to the majority of the data, they must keep in mind which method should be used to extract the data and how long the RAM should be kept frozen, considering the amount of data that will be lost in the freezing process (Taylor, Turnbull & Creech, 2018).

The research can be considered a success, as one of the major loopholes in the literature, the decryption of encrypted data from the hard disk of a computer that the forensic team has taken down for information extraction, has been solved. With the RAM freezing technique for data extraction, the encryption key can be obtained as well, which will help in recovering the data and make it easier for investigators to continue their investigation (Meyers, Ikuesan & Venter, 2017).
For the analysis of the data, the researcher conducted a qualitative data analysis with the help of existing experiments and previously conducted literary works. The experiment can be considered a success due to the approach of the research. However, I think that the research could have been done more thoroughly. The impact of keeping the data in the freezing solutions and the impact of the experiment on the stored data are not explained in detail (Hashim et al., 2017). The researcher barely discusses the methodologies that he or she undertook while conducting the research, making it difficult for readers to understand how the research was conducted and how the data was analysed. The main goal of the research was to find ways in which the RAM freezing technology can be used to extract data for the purpose of investigation, and that has been successfully done.
The researcher concludes by saying that the aim of a forensic investigation is to acquire and analyse the information collected from a computer so that it can be used in a particular investigation (Daryabar et al., 2016). The more detailed the information gathered from a particular device, the better the chance of the investigation being a success. Previously, before these experiments were known, the only way in which information could be preserved from an operational computer was to check the running programs, applications and processes on the display of the computer and analyse them on that computer itself, and then cut off the power supply to the device in order to keep them safe on the hard disk. With this method, the detailed forensic information present in the RAM usually gets overlooked, although it might be of great importance to the investigation. Such data were mostly considered unobtainable, as they had been locked by the user account or encrypted in order to control access by unauthorised users (Stelly & Roussev, 2019). With the help of this method, however, forensic investigators can get access to the system, and the encryption keys allow them to read those files present in the RAM, unless malicious evidence is present in them or a virus is there to prevent them from doing so. The researcher did not cover this part either, where the investigation can be hindered by the presence of viruses and malware in the system under investigation (Lillis et al., 2016).
Conclusion:
This research shows the importance of the RAM images that can be obtained in these circumstances. The memory files, which contain valuable information, can be accessed by forensic investigators, making this one of the best possible methods by which a cybercrime can be solved or an investigation can proceed. The importance of memory forensics is thus something that must not be ignored by forensic investigators or researchers when it comes to critical investigations, especially when it is capable of providing so many additional advantages.

References:
Cheng, Y., Fu, X., Du, X., Luo, B., & Guizani, M. (2017). A lightweight live memory forensic
approach based on hardware virtualization. Information Sciences, 379, 23-41.
Daryabar, F., Tadayon, M. H., Parsi, A., & Sadjadi, H. (2016, September). Automated analysis
method for forensic investigation of cloud applications on Android. In 2016 8th
International Symposium on Telecommunications (IST) (pp. 145-150). IEEE.
Gupta, K., & Nisbet, A. (2016). Memory forensic data recovery utilising RAM cooling methods.
Hashim, M. A., Halim, I. H. A., Ismail, M. H., Noor, N. M., Fuzi, M. F. M., Mohammed, A. H.,
& Gining, R. A. J. (2017). Digital Forensic Investigation of Trojan Attacks in Network
using Wireshark, FTK Imager and Volatility. Computing Research & Innovation
(CRINN) Vol 2, October 2017, 205.
Hosseini, S. M., Jahangir, A. H., & Kazemi, M. (2019). Digesting Network Traffic for Forensic
Investigation Using Digital Signal Processing Techniques. IEEE Transactions on
Information Forensics and Security, 14(12), 3312-3321.
Joseph, P., & Norman, J. (2020). Systematic Memory Forensic Analysis of Ransomware using
Digital Forensic Tools. International Journal of Natural Computing Research
(IJNCR), 9(2), 61-81.
Lillis, D., Becker, B., O'Sullivan, T., & Scanlon, M. (2016). Current challenges and future
research areas for digital forensic investigation. arXiv preprint arXiv:1604.03850.

Meyers, C., Ikuesan, A. R., & Venter, H. S. (2017, November). Automated RAM analysis
mechanism for windows operating system for digital investigation. In 2017 IEEE
Conference on Application, Information and Network Security (AINS) (pp. 85-90). IEEE.
Mukhopadhyay, D. (2017). Cryptography: Advanced Encryption Standard (AES). Encyclopedia
of Computer Science and Technology, 279.
Osbourne, G. (2013). Memory forensics: review of acquisition and analysis techniques (No.
DSTO GD 0770). DEFENCE SCIENCE AND TECHNOLOGY ORGANISATION
EDINBURGH (AUSTRALIA) CYBER AND ELECTRONIC WARFARE DIV.
Stelly, C., & Roussev, V. (2019, August). Language-based Integration of Digital Forensics &
Incident Response. In Proceedings of the 14th International Conference on Availability,
Reliability and Security (pp. 1-6).
Taylor, J., Turnbull, B., & Creech, G. (2018, August). Volatile Memory Forensics Acquisition
Efficacy: A Comparative Study Towards Analysing Firmware-Based Rootkits.
In Proceedings of the 13th International Conference on Availability, Reliability and
Security (pp. 1-11).
Zhang, N., Zhang, R., Sun, K., Lou, W., Hou, Y. T., & Jajodia, S. (2018). Memory forensic
challenges under misused architectural features. IEEE Transactions on Information
Forensics and Security, 13(9), 2345-2358.