Volatile Memory Collection and Analysis for Windows Mission-Critical Computer Systems

Most enterprises rely on the continuity of service guaranteed by means of a computer system infrastructure, which can often be based on the Windows operating system family. For such a category of systems, which might be referred to as mission-critical for the relevance of the service supplied, it is indeed fundamental to be able to define which approach could be better to apply when a digital investigation needs to be performed. This is the very goal of this paper: the definition of a forensically sound methodology which can be used to collect the full state of the machine being investigated by avoiding service interruptions. It will be pointed out why the entire volatile memory dump, with the necessary extension which is nowadays missing, is required with the purpose of being able to gather much more evidential data, by illustrating also, at the same time, the limitation and disadvantages of current state of-the-art approaches in performing the collection phase.