Detecting Live Forensic Memory Acquisition using Distinct Native Attribute Fingerprinting






De Montfort University


Thesis or dissertation

Peer reviewed


This research investigates the anti-forensic aspects of live memory acquisition. In 2009, the anti-forensic tool Detect and Eliminate Computer Assisted Forensics (DECAF) was developed to defeat Computer Online Forensic Evidence Extractor (COFEE), a forensic tool that is well known in the law enforcement community. DECAF uses a signature-based detection method to detect forensic tools, and then performs anti-forensic routines such as modifying evidence, disabling forensic software tools, and shutting down the machine to avoid evidence collection, to name a few. The findings in the literature show that the signature-based method and various anti-forensic methods have shortcomings. This led to a review of the application of artificial intelligence (AI) techniques, specifically machine learning algorithms, to the domain of anti-forensics, which also showed that AI is not being applied to detect the live forensic acquisition process. This is the knowledge gap this study has identified and addressed, to the extent that AI techniques can be applied to detect forensic memory acquisition on a Windows 10, 64-bit machine. The method adopted to address the knowledge gap was to formulate a hypothesis: that the memory (M), input and output (I/O), and central processing unit (C) parameters exhibit a distinct variation in MIOC pattern, known as a distinctive native attribute (DNA) pattern or fingerprint, whilst memory is being acquired from the machine by a forensic tool. If these unique DNA patterns can be identified, then memory acquisition can be detected.

To support the hypothesis of this study, an experiment was conducted to gather MIOC parameters, and machine learning (ML) algorithms were used to identify the DNA patterns. The results show that the adaptive (ADA) boost classifier has the least performance, with a high detection error rate (Δr) of 73.4 percent and 89 percent on the memory and CPU datasets respectively, whereas the linear discriminant analysis (LDA) classifier has the highest Δr of 78 percent on the I/O dataset. The random forest (RF) classifier has the least detection rate of less than 5 percent on the three datasets. To improve the performance of the ML algorithms, the individual memory, I/O, and CPU datasets were integrated into a single MIOC dataset. This resulted in decreasing the Δr of SVM, LDA, and ADA boost by 32 percent, 17.3 percent, and 13 percent respectively. To further support the hypothesis, the MIOC dataset was transformed into images using the concept of the Gramian angular field (GAF). Then, the DNA patterns were detected using a 3-layered convolutional neural network (3L-CNN) model. The results show that the model detects DNA patterns from the I/O dataset with accuracy, precision, and recall over 99 percent, whereas the model underperforms on the CPU dataset, with an accuracy of 64.94 percent and precision and recall of 69.50 and 44.20 percent respectively.

The significance of the DNA fingerprinting detection method is that it not only shows that AI techniques can be applied to the anti-forensic domain but also highlights that forensic memory acquisition can be vulnerable to the DNA fingerprinting method. This implies that if memory acquisition could be detected using DNA fingerprinting, the process of live memory acquisition is defeated. Therefore, the investigator will not have crucial evidence to work with that could be found only in the memory. Another novel contribution of this study is a proposed mathematical formalism by which a digital forensic model (DFM) can be validated by counteracting the influence of anti-forensic effects on various phases of the digital forensic process. Future work should focus on addressing live forensic acquisition vulnerabilities.




