Digital data collected in current live forensics is always open to suspicion regarding its integrity and fidelity when treated as evidence. This work studies the trustworthiness of evidence obtained from a physical memory image, which can be framed as how accurately or truthfully the memory image represents the real memory of the target machine. First, based on a physical memory analysis model, the effect of the memory acquisition tool on live forensic evidence is analyzed. Then, two aspects are analyzed to evaluate the extent of memory change, and a formula based on probability theory and mathematical statistics is given to quantitatively calculate the degree of memory change. Finally, through experimental analyses, the influences of key traces are analyzed, and the trusted probability of the live forensics tool is assessed and calculated.