A Temporal Study on Memory Forensics Artifacts Extraction: the Volatility Reliability

Aurora Arrus; Silvia Lucia Sanna; Giorgio Giacinto
2026-01-01

Abstract

Memory forensics is a crucial branch of digital investigation focusing on the acquisition and analysis of a system’s volatile memory to extract valuable artifacts such as encryption keys, process traces, and in-memory payloads. It is particularly relevant in malware analysis, where volatile data often reveals behaviors and capabilities invisible to traditional disk-based methods. Over the years, numerous acquisition and analysis tools have been developed, ranging from full memory imaging to targeted process extraction. Among analysis frameworks, Volatility serves as the standard for artifact retrieval and interpretation. However, despite its widespread adoption, little attention has been devoted to understanding how acquisition timing and system dynamics influence the consistency and reliability of extracted artifacts. This paper presents a systematic evaluation of Volatility’s performance across multiple temporal memory acquisitions on both Windows and Linux systems. By repeatedly capturing system memory under controlled conditions and comparing the artifacts recovered over time, we quantify inconsistencies in file and process recovery. When known artifacts fail to appear in Volatility’s structured output, additional analysis is performed through manual inspection and carving techniques to assess their persistence in raw memory. The results reveal that volatile memory extraction is inherently non-atomic, leading to temporal inconsistencies and partial artifact loss due to ongoing system activity and page overwrites. These findings highlight fundamental challenges in volatile memory forensics and underscore the need for improved acquisition atomicity, enhanced Linux support, and standardized evaluation methods to ensure reliability in forensic investigations and malware analysis.
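As an added illustration of the cross-acquisition comparison the abstract describes (example code written for this page, not from the paper or the Volatility project), the script below parses constructed stand-ins for Volatility 3 windows.pslist tables from successive dumps of one host and labels each process as stable, lost, or flapping across the acquisition sequence; the dump contents, PIDs and image names are all constructed.

```python
# Added example (not from the paper or the Volatility project): quantify how
# consistently each process is recovered across a sequence of memory dumps,
# using the PID / PPID / ImageFileName columns of a windows.pslist-style table.

# Constructed stand-ins for three pslist outputs of the same host, in acquisition
# order; columns are tab-separated like Volatility 3's default text renderer.
DUMPS = [
    "PID\tPPID\tImageFileName\n4\t0\tSystem\n612\t4\tsvchost.exe\n"
    "1700\t612\tconhost.exe\n2044\t1320\tsample.exe\n",
    "PID\tPPID\tImageFileName\n4\t0\tSystem\n612\t4\tsvchost.exe\n",
    "PID\tPPID\tImageFileName\n4\t0\tSystem\n612\t4\tsvchost.exe\n"
    "2044\t1320\tsample.exe\n2790\t1320\tnotepad.exe\n",
]

def parse_pslist(text):
    """Return the set of (pid, image_name) pairs from a pslist-style table,
    skipping the header and any non-numeric rows (banners, progress lines)."""
    procs = set()
    for line in text.splitlines():
        cols = line.split("\t")
        if len(cols) >= 3 and cols[0].isdigit():
            procs.add((int(cols[0]), cols[2]))
    return procs

def presence(dumps):
    """Map each process to a presence vector: one boolean per acquisition."""
    snaps = [parse_pslist(d) for d in dumps]
    return {k: [k in s for s in snaps] for k in sorted(set().union(*snaps))}

def classify(seen):
    """Label a presence vector, counting from the first dump where it appears:
    stable   - recovered in every later dump,
    lost     - absent from every dump after some point,
    flapping - missing from at least one dump but recovered again later."""
    tail = seen[seen.index(True):]
    if all(tail):
        return "stable"
    if not any(tail[tail.index(False):]):
        return "lost"
    return "flapping"

def consistency_report(dumps):
    """Per process: recovery ratio over all dumps and its temporal label."""
    return {k: (round(sum(v) / len(v), 2), classify(v))
            for k, v in presence(dumps).items()}

if __name__ == "__main__":
    for (pid, name), (ratio, label) in consistency_report(DUMPS).items():
        print(f"{pid:>6} {name:<14} recovered in {ratio:.0%} of dumps: {label}")
```

A process labelled "flapping" is exactly the case the paper sends to manual inspection and carving: Volatility's structured output missed it in one dump even though it was still running.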
2026
Keywords

Memory Forensics, Memory Analysis, Volatility Reliability, Artifacts Retrieval, Memory Artifacts
Files for this item:
There are no files associated with this item.

Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this document: https://hdl.handle.net/11584/480005
Warning: the data displayed has not been validated by the university.
