Framework for live forensics of a system by extraction of clipboard data and other forensic artefacts from RAM image

Abstract

In Memory Forensics, a variant of Live forensics, the acquired image of physical memory is analysed to find crucial artefacts from the suspect’s system. These artefacts include details of running processes, network connections, Clipboard data, Security Identifiers of users, the Master File Table, etc., which help in providing unprecedented visibility into the runtime state of the system. While extensive work has been done on capturing processes, event logs, registry information and network activities, the focus on the Clipboard as another memory store of evidential information has been limited. In this paper, a framework is proposed to carry out Live forensics of a system by extraction of Clipboard data and other forensic artefacts from a RAM image.

Cite

Sharma, R., & Singh, U. (2015). Framework for live forensics of a system by extraction of clipboard data and other forensic artefacts from RAM image. In Communications in Computer and Information Science (Vol. 536, pp. 473–482). Springer Verlag. https://doi.org/10.1007/978-3-319-22915-7_43
