Kickstarted by the Digital Forensic Research Workshop (DFRWS) conference in 2005, modern memory analysis is now one of most active areas of computer forensics and it mostly focuses on techniques to locate key operating system data structures and extract high-level information. These techniques work on the assumption that the information inside a memory dump is consistent and the copy of the physical memory was obtained in an atomic operation. Unfortunately, this is seldom the case in real investigations, where software acquisition tools record information while the rest of the system is running. Thus, since the content of the memory is changing very rapidly, the resulting memory dump may contain inconsistent data. While this problem is known, its consequences are unclear and often overlooked. Unfortunately, errors can be very subtle and can affect the results of an analysis in ways that are difficult to detect. In this article, we argue that memory forensics should also consider the time in which each piece of data was acquired. This new temporal dimension provides a preliminary way to assess the reliability of a given result and opens the door to new research directions that can minimize the effect of the acquisition time or detect inconsistencies. To support our hypothesis, we conducted several experiments to show that inconsistencies are very frequent and can negatively impact an analysis. We then discuss modifications we made to popular memory forensic tools to make the temporal dimension explicit during the analysis and to minimize its effect by resorting to a locality-based acquisition.

中文翻译：

---

将时间维度引入内存取证

现代内存分析由 2005 年的数字取证研究研讨会 (DFRWS) 会议发起，现在是计算机取证最活跃的领域之一，它主要关注定位关键操作系统数据结构和提取高级信息的技术。这些技术的工作假设是内存转储中的信息是一致的，并且物理内存的副本是在原子操作中获得的。不幸的是，在实际调查中很少出现这种情况，因为软件采集工具会在系统的其余部分运行时记录信息。因此，由于内存的内容变化非常迅速，因此生成的内存转储可能包含不一致的数据。虽然这个问题是众所周知的，但其后果尚不清楚并且经常被忽视。很遗憾，错误可能非常微妙，并且可能以难以检测的方式影响分析结果。在本文中，我们认为内存取证还应该考虑获取每条数据的时间。这个新时间维度提供了一种评估给定结果的可靠性的初步方法，并为新的研究方向打开了大门，可以最大限度地减少采集时间的影响或检测不一致。为了支持我们的假设，我们进行了几项实验以表明不一致非常频繁，并且会对分析产生负面影响。然后，我们讨论我们对流行的记忆取证工具所做的修改，以在分析过程中明确时间维度，并通过诉诸基于地方的获得。