This research paper presents an overview of well-known live memory acquisition approaches, with respect to the tools and techniques used to produce digital evidence. The paper addresses the methods used for analyzing the associated forensic challenges.
Aim: The paper is forensics oriented, and its sections summarize the procedures used for live memory investigation. Its main objective is to improve the tools and techniques used for capturing live memory data for legal proceedings.
Method: Forensic analysis is not only about searching for or discovering information about a specific incident; it is also about the responsibility of handling unique data. This paper focuses on an investigation method that illustrates the examination needed to reveal the activity held in live volatile memory, and on the various memory acquisition devices used to perform the acquisition tasks.
Results: The technique relates to hardware-based acquisition, which exposes the memory segments found in the kernel, the most critical part of a secure and reliable system. A FireWire bus device, used as a communication medium for debugging, is attached to the target system to capture kernel memory as evidence, which is essential in criminal as well as business contexts.
Conclusion: Forensic investigation of operating systems enhances the scientific reliability of digital evidence; hence, this paper focuses on acquisition practices for live volatile memory.
This paper describes a process for searching for and capturing threads of execution from a captured image file for the digital forensic investigation of live systems in the laboratory. It is no longer sufficient to simply disconnect a computer and dump an image file later; the investigator's task is to capture a memory image file using forensic tools on the live system and then perform volatile memory analysis. This paper depicts a procedure for acquiring information from the volatile memory of arbitrary operating systems, using a process that captures a point-in-time “snapshot” of the host operating system's volatile memory. The standard process was to shut down the system under investigation, unplug all of its cables and transport it to the forensic laboratory, where the hard drive was isolated and copied to an image file using dedicated forensic tools and applications [1]. This procedure is still normally used by many investigators in several countries. By following such a procedure, the volatile data in the operating system is lost when the computer is turned off. Live memory analysis is used to circumvent encryption systems such as BitLocker and TrueCrypt [1].