Acquiring volatile operating system data tools and techniques

Andrew Blyth, Iain Sutherland, J. Evans, T. Tryfonas

Research output: Contribution to journalArticlepeer-review


The current approach to forensic examination during search and seizure has predominantly been to pull the plug on the suspect machine and subsequently perform a post mortem examination on the storage medium. However, with the advent of larger capacities of memory, drive encryption and anti-forensics, this procedure may result in the loss of valuable evidence. Volatile data may be vital in determining criminal activity; it may contain passwords used for encryption, indications of anti-forensic techniques, memory resident malware which would otherwise go unnoticed by the investigator. This paper emphasizes the importance of understanding the potential value of volatile data and how best to collate forensic artifacts to the benefit of the investigation, ensuring the preservation and integrity of the evidence. The paper will review current methods for volatile data collection, assessing the capabilities, limitations and liabilities of current tools and techniques available to the forensic investigator.
Original languageEnglish
Pages (from-to)65 - 73
Number of pages8
JournalACM SIGOPS Operating Systems Review
Issue number3
Publication statusPublished - 1 Apr 2008


  • operating system


Dive into the research topics of 'Acquiring volatile operating system data tools and techniques'. Together they form a unique fingerprint.

Cite this