
Submission: Forensic Analysis of Memory Resident Compressed Swap Stores

An anonymous reader writes: At the recent 2014 Digital Forensics Research Workshop (DFRWS), Dr. Golden G. Richard III and Andrew Case presented research that enabled forensic analysis of memory resident compressed swap stores. These stores, added in recent versions of Mac and Linux, use reserved pools of RAM in order to store compressed forms of pages that have been swapped out. Compressing and decompressing pages in memory is considerably faster than traditional algorithms that require reading and writing from disk.

Analysis of the stores in-memory allows for a forensics investigator to recover all pages that have been swapped without resorting to disk. This makes the forensics acquisition process much simpler than current methods that call for attempting to sample physical memory (RAM) and acquire the page file from disk simultaneously. In the paper, Dr. Richard and Case discuss the internals of these stores and demonstrate the types of data that can be recovered from them through memory forensics.
