ACPO Guide and volatile memory capture

ACPO’s Good Practice Guide for Computer-Based Electronic Evidence has always been an excellent resource for supporting the digital forensics process. The recently revised version gives particular emphasis to the handling of live data, strengthening the paradigm of “not pulling the plug”. As stated on p.18 of the document:

“Memory also often contains useful information such as decrypted applications (useful if a machine has encryption software installed) or passwords and any code that has not been saved to disk etc.
If the power to the device is removed, such artefacts will be lost. If captured before removing the power, an investigator may have a wealth of information from the machine’s volatile state,…”

We thought that it would be worthwhile reminding ourselves that a powered device is not necessarily a turned-on device. In our recent research we established that even if a desktop computer is switched off but connected to mains, the contents of RAM are present and can be retrieved.

Therefore, it is recommended that volatile memory be captured even if the computer is switched off at the time of seizure.

Copyright © 2017 Information Security and Incident Response Research Unit. All Rights Reserved.