Andreas Schuster (BFK edv-consulting GmbH)


An image of a computer’s physical memory can provide a forensic examiner with a wealth of information. A small area of system memory, the nonpaged pool, contains lots of information about currently and formerly active processes. As this paper shows, more than 90% of such information can be retrieved even 24 h after process termination under optimum conditions. Great care must be taken as the acquisition process usually affects the memory contents to be acquired. In order minimize the impact on volatile data, this paper for the first time analyzes the pool allocation mechanism of the Microsoft Windows operating system. It describes a test arrangement, which allows to obtain a time series of physical memory images, while it also reduces the effect on the observed operating system. Using this environment it was found that allocations from the nonpaged pool are reused based on their size and a last in-first out schedule. In addition, a passive memory compaction strategy may apply. So, the creation of a new object is likely to eradicate the evidence of an object of the same class that was destructed just before. The paper concludes with a discussion of the implications for incident response procedures, forensic examinations, and the creation of forensic tools.