Computer Evidence: Collection and Preservation, Second Edition by Christopher L. T. Brown

Accessing Volatile Data

When accessing volatile memory, one of the first things a computer forensics investigator may recall is the basic scientific principle that the very act of observing something changes it. Accessing volatile memory is no exception to this principle. The evidence dynamics effects of loading program code in memory, or even moving the mouse in a Windows-based operating system, need to be understood. As described earlier in this chapter, starting an application loads some or all of the program’s code pages into physical memory and, possibly, virtual (paged) memory on disk. The loading of code pages in memory alters the memory data structures, if in physical memory only, and alters the system’s disk if ...
