Automate memory forensics investigation

University essay from Högskolan i Halmstad/Akademin för informationsteknologi

Author: Azeem Mohamed; Tirmizi Saad; [2022]

Abstract: The growth of digital technology has both positive and negative effects. Cybercrime rises with the advancement of computer technology, so digital forensic investigation of the evolving digital world is needed to help solve crimes and trace criminals' digital activity. We also know that every process executed on a digital system must reside in memory at some point. Volatile memory forensics is therefore at the forefront of forensic investigation and incident response. Memory analysis retrieves artifacts that are then examined for inappropriate behavior. A bit-for-bit memory image contains significant artifacts that give the analyst relevant clues, such as system processes, recent activity, open network ports, and connections. However, all of this information is lost as soon as the system is shut down, which flushes the volatile memory. Gathering, analyzing, and presenting data from the various devices involved in each crime also takes a long time, because the number of devices and the amount of data are constantly growing, adding to the backlog of devices waiting to be examined and analyzed. To reduce human error and backlogs, we therefore develop multiple machine learning classification models and identify the best-performing model to automate the memory forensic process.