Abstract: Social media applications are increasingly being used in our everyday communications. These applications utilise end-to-end encryption mechanisms, which make them suitable tools for criminals to exchange messages. These messages are preserved in volatile memory until the device is restarted. Therefore, volatile forensics has become an important branch of digital forensics. In this study, the WormHex tool was developed to inspect memory dump files for Windows- and Mac-based workstations. The tool supports digital investigators by enabling them to extract valuable data written in Arabic and English through web-based WhatsApp and Twitter applications. The results confirm that social media applications write their data into memory regardless of the operating system running the application, with no major differences between Windows and Mac.
Abstract: Random Access Memory (RAM) is an important device in a computer system. It can represent a snapshot of how the computer has been used by the user. As its importance has grown, computer memory has become a topic of discussion in digital forensics. A number of tools have been developed to retrieve information from memory. However, most of these tools are limited in their ability to retrieve important information from computer memory. Hence, this paper aims to discuss the limitations and setbacks of two main techniques, namely process signature search and process enumeration. A new hybrid approach is then presented to minimize the setbacks of both individual techniques. This new approach combines both techniques in order to retrieve information from the process block and other objects in computer memory. The basic theory of address translation for x86 platforms is also demonstrated in this paper.