The Importance of Memory Forensics in Fraud Investigations

There are a few sources of this valuable electronic information, including dynamic data. Dynamic data is information that is periodically updated, like computer memory or Random Access Memory (RAM). RAM temporarily holds data being used by a computer's internal processes, which can include browsing history or cryptographic keys. However, RAM can be volatile - all data stored in RAM is lost when a computer is powered off. Knowing this, digital forensics professionals are keen to take this into account during forensic collection.

Members of FRA's eDiscovery team located a password-protected file that they could not crack. Unable to open the file using traditional forensic tools, but armed with the knowledge that the computer's RAM had been preserved, the team was able to create a word list from the memory and decrypt the protected file.

In the March issue of The Lawyer, FRA Senior Director Russell Miller, and FRA Director William Odom, discuss the importance of memory forensics.