JUCS - Journal of Universal Computer Science 25(9): 1174-1198, doi: 10.3217/jucs-025-09-1174
The Effects of Platforms and Languages on the Memory Footprint of the Executable Program: A Memory Forensic Approach
expand article infoZiad A. Al-Sharif, Mohammed I. Al-Saleh, Yaser Jararweh, Ahmed S. Shatnawi
‡ Jordan University of Science and Technology, Irbid, Jordan
Open Access
Identifying the software used in a cybercrime can play a key role in establishing the evidence against the perpetrator in the court of law. This can be achieved by various means, one of which is to utilize the RAM contents. RAM comprises vital information about the current state of a system, including its running processes. Accordingly, the memory footprint of a process can be used as evidence about its United States of Americage. However, this evidence can be influenced by several factors. This paper evaluates three of these factors. First, it evaluates how the used programming language affects the evidence. Second, it evaluates how the used platform affects the evidence. Finally, it evaluates how the search for this evidence is influenced by the implicitly used encoding scheme. Our results should assist the investigator in its quest to identify the best amount of evidences about the used software based on its execution logic, host platform, language used, and the encoding of its string values. Results show that the amount of digital evidence is highly affected by these factors. For instance, the memory footprint of a Java based software is often more traceable than the footprints of languages such as C++ and C#. Moreover, the memory footprint of a C# program is more visible on Linux than it is on Windows or Mac OS. Hence, often software related values are successfully identified in RAM memory dumps even after the program is stopped.
digital forensics, memory forensics, runtime behavior, RAM dumps