As technology becomes more prevalent in our day-to-day lives, so does the likelihood that fraudulent behavior will be disguised within the folds of seemingly endless electronic data. As a result, fraud investigations have become heavily reliant on electronically stored evidence, thus making digital forensics professionals an essential part of modern-day investigations.
There are a few sources of this valuable electronic information, including dynamic data. Dynamic data is information that is periodically updated, such as the contents of computer memory, or Random Access Memory (RAM). RAM temporarily holds data being used by a computer's internal processes, which can include browsing history or cryptographic keys. However, RAM is volatile: all data stored in RAM is lost when a computer is powered off. Digital forensics professionals therefore take this volatility into account during forensic collection.
Members of FRA’s eDiscovery team located a password-protected file that they could not crack. Unable to open the file using traditional forensic tools, but armed with the knowledge that the computer’s RAM had been preserved, the team was able to create a word list from the memory and decrypt the protected file.
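The word-list step described above, as an added sketch (not FRA's tooling and not code from the article): it pulls printable ASCII and UTF-16LE strings out of a preserved memory image and deduplicates them into candidate passphrases. The function names, the length bounds and the sample bytes are assumptions constructed for illustration.

```python
import mmap
import re

def extract_candidates(buf, min_len=6, max_len=32):
    """Unique printable strings in buf (bytes or mmap), first occurrence kept."""
    # Runs of printable, non-space ASCII, and the same characters stored as
    # UTF-16LE (each followed by a NUL byte), as Windows processes often do.
    ascii_run = re.compile(rb"[\x21-\x7e]{%d,}" % min_len)
    utf16_run = re.compile(rb"(?:[\x21-\x7e]\x00){%d,}" % min_len)
    words = {}  # dict keeps insertion order and deduplicates
    for pattern, codec in ((ascii_run, "ascii"), (utf16_run, "utf-16-le")):
        for match in pattern.finditer(buf):
            text = match.group().decode(codec)
            # Very long runs are usually code or data, not something typed.
            if len(text) <= max_len:
                words.setdefault(text, None)
    return list(words)

def write_wordlist(image_path, out_path, **bounds):
    """Scan a raw memory image without loading it whole; return word count."""
    with open(image_path, "rb") as img, \
         mmap.mmap(img.fileno(), 0, access=mmap.ACCESS_READ) as view:
        words = extract_candidates(view, **bounds)
    with open(out_path, "w", encoding="utf-8") as out:
        out.write("\n".join(words) + "\n")
    return len(words)

# Constructed sample standing in for a memory image: binary noise, one ASCII
# string (present twice), one UTF-16LE string, a too-short run, a too-long run.
SAMPLE = (
    b"\x00\x01\xff" + b"Summer2019!" + b"\x00\x90\x90"
    + "Tr0ub4dor&3".encode("utf-16-le") + b"\x00\x00\x07"
    + b"abc" + b"\x00" + b"Summer2019!" + b"\xfe" + b"A" * 40
)

if __name__ == "__main__":
    for word in extract_candidates(SAMPLE):
        print(word)
```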
In the March issue of The Lawyer, FRA Senior Director Russell Miller and FRA Director William Odom discuss the importance of memory forensics.