An anonymous reader writes "At the recent 2014 Digital Forensics Research Workshop (DFRWS), Dr. Golden G. Richard III and Andrew Case presented research that enabled forensic analysis of memory-resident compressed swap stores. These stores, added in recent versions of Mac and Linux, use reserved pools of RAM in order to store compressed forms of pages that have been swapped out. Compressing and decompressing pages in memory is considerably faster than traditional algorithms that require reading and writing from disk.
Analysis of the stores in-memory allows for a forensics investigator to recover all pages that have been swapped without resorting to disk. This makes the forensics acquisition process much simpler than current methods that call for attempting to sample physical memory (RAM) and acquire the page file from disk simultaneously. In the paper, Dr. Richard and Case discuss the internals of these stores and demonstrate the types of data that can be recovered from them through memory forensics."