Development of Kernel Mode RAM Driver for RAM Image on Windows

Abstract: In the field of computer forensics live analysis through immediate intervention is an important way of gathering electronic evidence. The way to obtain evidence from volatile data using live analysis is to take an image of the RAM (Random Access Memory). The entire RAM has to be copied in order to import data from this image. However, since the user mode is the default mode in Windows operating systems only the running processes can be accessed. Therefore, RAM imaging software needs to work at Kernel Mode leve… Show more