Authors: Jan-Niclas Hilgert, Roman Schell, Carlo Jakobs, Martin Lambertz



With the increasing use of the Internet for criminal activities, web servers have become more and more important during forensic investigations. In many cases, web servers are used to host leaked data, as a management interface for Command and Control servers, or as a platform for illicit content. As a result, extracting information from web servers has become a critical aspect of digital forensics. By default, a lot of information can already be extracted by performing traditional storage forensics, including the analysis of logs. However, this approach quickly reaches its limits as soon as anti-forensic techniques such as the deletion of configuration files or the deactivation of logging capabilities are implemented. This paper evaluates the feasibility of memory forensics as a complement to traditional storage forensics for cases involving web servers. For this purpose, we present a methodology for extracting forensically relevant artefacts from the memory of Apache web servers, which are among the most commonly used on the Internet. Through various experiments, we evaluate the applicability of our approach in different scenarios. In the process, we also take a closer look at the overall existence of digital traces, which cannot easily be found by following a structured approach. Our findings demonstrate that certain Apache web server structures contain important information that can be retrieved from memory even after the originating event has passed. Additionally, traces such as IP addresses were still found in memory even after complete structures had already been overwritten by further interaction. These results highlight the benefits and the potential of memory analysis for web servers in digital investigations.