Over the last 10 years, memory acquisition has proven to be one of the most important and precarious aspects of digital investigations. Unfortunately, many investigators blindly trust free and commercial tools without understanding the associated risks and limitations. Consequently, they often end up with corrupt memory samples, or they crash systems containing volatile data that is critical to their investigations. While these tools may be readily accessible, many are unsupported or have been effectively abandoned by their original developers. In addition, a recent empirical study showed that most open source or commercial Windows memory acquisition tools either failed to collect or crashed systems with modern security features enabled. Based on user feedback, we determined there was a growing need within the industry to provide reliable and actively supported memory acquisition capabilities across Windows, Linux, and macOS. Acquisition Challenges When we set out to develop Volatility, we decided to focus our […]
