Skip to Main Content
This paper presents digital forensics analysis of user input on volatile memory of Windows applications. Identification of user input activities on Windows applications has become vital in forensic digital investigation. The extraction of user input information from physical memory may reveal useful information that could be used as evidence in crime cases; the information that may not be found on traditional hard disk forensic investigations. Digital forensic community feels the urge for the development of tools and techniques in volatile memory analysis. However, there have been few investigations into the amount of information that can be recovered from the application memory. This research reports the amount of evidence stored over time in Windows physical memory including, the quantitative and qualitative results of the experiments carried out on some commonly used Windows applications.