{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,25]],"date-time":"2026-03-25T10:52:26Z","timestamp":1774435946761,"version":"3.50.1"},"reference-count":62,"publisher":"Association for Computing Machinery (ACM)","issue":"2","license":[{"start":{"date-parts":[[2019,3,18]],"date-time":"2019-03-18T00:00:00Z","timestamp":1552867200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"DOI":"10.13039\/100010663","name":"H2020 European Research Council","doi-asserted-by":"publisher","award":["771844"],"award-info":[{"award-number":["771844"]}],"id":[{"id":"10.13039\/100010663","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["ACM Trans. Priv. Secur."],"published-print":{"date-parts":[[2019,5,31]]},"abstract":"<jats:p>Kickstarted by the Digital Forensic Research Workshop (DFRWS) conference in 2005, modern memory analysis is now one of the most active areas of computer forensics and it mostly focuses on techniques to locate key operating system data structures and extract high-level information. These techniques work on the assumption that the information inside a memory dump is consistent and the copy of the physical memory was obtained in an atomic operation.<\/jats:p>\n          <jats:p>Unfortunately, this is seldom the case in real investigations, where software acquisition tools record information while the rest of the system is running. Thus, since the content of the memory is changing very rapidly, the resulting memory dump may contain inconsistent data. While this problem is known, its consequences are unclear and often overlooked. 
Unfortunately, errors can be very subtle and can affect the results of an analysis in ways that are difficult to detect.<\/jats:p>\n          <jats:p>\n            In this article, we argue that memory forensics should also consider the time in which each piece of data was acquired. This new\n            <jats:italic>temporal dimension<\/jats:italic>\n            provides a preliminary way to assess the reliability of a given result and opens the door to new research directions that can minimize the effect of the acquisition time or detect inconsistencies. To support our hypothesis, we conducted several experiments to show that inconsistencies are very frequent and can negatively impact an analysis. We then discuss modifications we made to popular memory forensic tools to make the temporal dimension explicit during the analysis and to minimize its effect by resorting to a\n            <jats:italic>locality-based<\/jats:italic>\n            acquisition.\n          <\/jats:p>","DOI":"10.1145\/3310355","type":"journal-article","created":{"date-parts":[[2019,3,19]],"date-time":"2019-03-19T12:11:29Z","timestamp":1552997489000},"page":"1-21","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":31,"title":["Introducing the Temporal Dimension to Memory Forensics"],"prefix":"10.1145","volume":"22","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-4357-9804","authenticated-orcid":false,"given":"Fabio","family":"Pagani","sequence":"first","affiliation":[{"name":"Eurecom, France"}]},{"given":"Oleksii","family":"Fedorov","sequence":"additional","affiliation":[{"name":"Igor Sikorsky Kyiv Polytechnic Institute, Ukraine"}]},{"given":"Davide","family":"Balzarotti","sequence":"additional","affiliation":[{"name":"Eurecom, 
France"}]}],"member":"320","published-online":{"date-parts":[[2019,3,18]]},"reference":[{"key":"e_1_2_1_1_1","doi-asserted-by":"publisher","DOI":"10.1145\/1113034.1113070"},{"key":"e_1_2_1_2_1","volume-title":"2011 International Conference for Internet Technology and Secured Transactions (ICITST). IEEE, 771--776","author":"Mutawa Noora Al","year":"2011","unstructured":"Noora Al Mutawa , Ibtesam Al Awadhi , Ibrahim Baggili , and Andrew Marrington . 2011 . Forensic artifacts of Facebook\u2019s instant messaging service . In 2011 International Conference for Internet Technology and Secured Transactions (ICITST). IEEE, 771--776 . Noora Al Mutawa, Ibtesam Al Awadhi, Ibrahim Baggili, and Andrew Marrington. 2011. Forensic artifacts of Facebook\u2019s instant messaging service. In 2011 International Conference for Internet Technology and Secured Transactions (ICITST). IEEE, 771--776."},{"key":"e_1_2_1_3_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.diin.2007.06.010"},{"key":"e_1_2_1_4_1","volume-title":"Feuriges hacken-spa\u00df mit firewire. In 21C3: Proceedings of the 21st Chaos Communication Congress","author":"Becher Michael","unstructured":"Michael Becher and Maximillian Dornseif . 2004. Feuriges hacken-spa\u00df mit firewire. In 21C3: Proceedings of the 21st Chaos Communication Congress , Vol. 10 . Michael Becher and Maximillian Dornseif. 2004. Feuriges hacken-spa\u00df mit firewire. In 21C3: Proceedings of the 21st Chaos Communication Congress, Vol. 10."},{"key":"e_1_2_1_5_1","volume-title":"Klein","author":"Becher Michael","year":"2005","unstructured":"Michael Becher , Maximillian Dornseif , and Christian N . Klein . 2005 . FireWire: All your memory are belong to us. Proceedings of CanSecWest . Michael Becher, Maximillian Dornseif, and Christian N. Klein. 2005. FireWire: All your memory are belong to us. 
Proceedings of CanSecWest ."},{"key":"e_1_2_1_6_1","volume-title":"Proceedings of the Network and Distributed Systems Security Symposium (NDSS\u201918)","author":"Bhatia Rohit","unstructured":"Rohit Bhatia , Brendan Saltaformaggio , Seung Jei Yang , Aisha Ali-Gombe , Xiangyu Zhang , Dongyan Xu , and Golden G. Richard III. 2018. \u201cTipped off by your memory allocator\u201d: Device-wide user activity sequencing from android memory images . In Proceedings of the Network and Distributed Systems Security Symposium (NDSS\u201918) , San Diego. Rohit Bhatia, Brendan Saltaformaggio, Seung Jei Yang, Aisha Ali-Gombe, Xiangyu Zhang, Dongyan Xu, and Golden G. Richard III. 2018. \u201cTipped off by your memory allocator\u201d: Device-wide user activity sequencing from android memory images. In Proceedings of the Network and Distributed Systems Security Symposium (NDSS\u201918), San Diego."},{"key":"e_1_2_1_7_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.diin.2017.06.002"},{"key":"e_1_2_1_8_1","unstructured":"Richard Carbone C. Bean and M. Salois. 2011. An In-depth Analysis of the Cold Boot Attack: Can it be Used for Sound Forensic Memory Acquisition? Technical Report. Defence Research and Development Canada Valcartier Quebec.  Richard Carbone C. Bean and M. Salois. 2011. An In-depth Analysis of the Cold Boot Attack: Can it be Used for Sound Forensic Memory Acquisition? Technical Report. Defence Research and Development Canada Valcartier Quebec."},{"key":"e_1_2_1_9_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.diin.2003.12.001"},{"key":"e_1_2_1_10_1","unstructured":"Harlan Carvey. 2005. Digital forensics of the physical memory. Retrieved from http:\/\/seclists.org\/incidents\/2005\/Jun\/22.  Harlan Carvey. 2005. Digital forensics of the physical memory. 
Retrieved from http:\/\/seclists.org\/incidents\/2005\/Jun\/22."},{"key":"e_1_2_1_11_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.diin.2010.05.006"},{"key":"e_1_2_1_12_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.diin.2016.12.004"},{"key":"e_1_2_1_13_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.diin.2016.04.017"},{"key":"e_1_2_1_14_1","doi-asserted-by":"publisher","DOI":"10.1145\/1920261.1920307"},{"key":"e_1_2_1_15_1","unstructured":"M. Cohen. 2012. WinPMEM.  M. Cohen. 2012. WinPMEM."},{"key":"e_1_2_1_16_1","unstructured":"Michael Cohen. 2014. Rekall memory forensics framework. DFIR Prague.  Michael Cohen. 2014. Rekall memory forensics framework. DFIR Prague."},{"key":"e_1_2_1_17_1","doi-asserted-by":"publisher","DOI":"10.1145\/3176258.3176325"},{"key":"e_1_2_1_18_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.diin.2007.06.008"},{"key":"e_1_2_1_19_1","doi-asserted-by":"publisher","DOI":"10.1109\/SP.2011.11"},{"key":"e_1_2_1_20_1","doi-asserted-by":"publisher","DOI":"10.1145\/1653662.1653730"},{"key":"e_1_2_1_21_1","doi-asserted-by":"publisher","DOI":"10.1145\/2664243.2664248"},{"key":"e_1_2_1_22_1","unstructured":"Mel Gorman. {n. d.}. Understanding the Linux Virtual Memory Manager. Retrieved from http:\/\/www.makelinux.net\/books\/lvmm\/understand007#toc31.   Mel Gorman. {n. d.}. Understanding the Linux Virtual Memory Manager. Retrieved from http:\/\/www.makelinux.net\/books\/lvmm\/understand007#toc31."},{"key":"e_1_2_1_23_1","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-642-41284-4_2"},{"key":"e_1_2_1_24_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.diin.2016.01.003"},{"key":"e_1_2_1_25_1","doi-asserted-by":"publisher","DOI":"10.1145\/2857705.2857707"},{"key":"e_1_2_1_26_1","unstructured":"Adrien Guinet. 2017. wannakey. Retrieved from https:\/\/github.com\/aguinet\/wannakey.  Adrien Guinet. 2017. wannakey. 
Retrieved from https:\/\/github.com\/aguinet\/wannakey."},{"key":"e_1_2_1_27_1","doi-asserted-by":"publisher","DOI":"10.1145\/1506409.1506429"},{"key":"e_1_2_1_28_1","doi-asserted-by":"publisher","DOI":"10.1109\/MSP.2009.43"},{"key":"e_1_2_1_29_1","doi-asserted-by":"publisher","DOI":"10.1145\/1950365.1950398"},{"key":"e_1_2_1_30_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.diin.2008.02.001"},{"key":"e_1_2_1_31_1","volume-title":"Safer live forensic acquisition. Computer Science Laboratory","author":"Jones Ryan","unstructured":"Ryan Jones . 2007. Safer live forensic acquisition. Computer Science Laboratory , University of Kent. Ryan Jones. 2007. Safer live forensic acquisition. Computer Science Laboratory, University of Kent."},{"key":"e_1_2_1_32_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.diin.2006.12.002"},{"key":"e_1_2_1_33_1","unstructured":"Stefan Le Berre. 2018. From corrupted memory dump to rootkit detection. Retrieved from https:\/\/exatrack.com\/public\/Memdump_NDH_2018.pdf.  Stefan Le Berre. 2018. From corrupted memory dump to rootkit detection. Retrieved from https:\/\/exatrack.com\/public\/Memdump_NDH_2018.pdf."},{"key":"e_1_2_1_34_1","volume-title":"International Conference on IT Incident Management & IT Forensic.","author":"Lessing Marthie","year":"2008","unstructured":"Marthie Lessing and Basie Von Solms . 2008 . Live forensic acquisition as alternative to traditional forensic processes . In International Conference on IT Incident Management & IT Forensic. Marthie Lessing and Basie Von Solms. 2008. Live forensic acquisition as alternative to traditional forensic processes. 
In International Conference on IT Incident Management & IT Forensic."},{"key":"e_1_2_1_35_1","doi-asserted-by":"publisher","DOI":"10.1145\/1368506.1368510"},{"key":"e_1_2_1_36_1","volume-title":"The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory","author":"Ligh Michael Hale","unstructured":"Michael Hale Ligh , Andrew Case , Jamie Levy , and Aaron Walters . 2014. The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory . John Wiley & Sons. Michael Hale Ligh, Andrew Case, Jamie Levy, and Aaron Walters. 2014. The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory. John Wiley & Sons."},{"key":"e_1_2_1_37_1","unstructured":"Zhiqiang Lin Junghwan Rhee Xiangyu Zhang Dongyan Xu and Xuxian Jiang. 2011. SigGraph: Brute force scanning of kernel data structure instances using graph-based signatures. In NDSS.  Zhiqiang Lin Junghwan Rhee Xiangyu Zhang Dongyan Xu and Xuxian Jiang. 2011. SigGraph: Brute force scanning of kernel data structure instances using graph-based signatures. In NDSS."},{"key":"e_1_2_1_38_1","volume-title":"Live memory forensics on android with volatility","author":"Macht Holger","unstructured":"Holger Macht . 2013. Live memory forensics on android with volatility . Friedrich-Alexander University Erlangen-Nuremberg . Holger Macht. 2013. Live memory forensics on android with volatility. Friedrich-Alexander University Erlangen-Nuremberg."},{"key":"e_1_2_1_39_1","unstructured":"Mandiant. {n. d.}. Memoryze.  Mandiant. {n. d.}. Memoryze."},{"key":"e_1_2_1_40_1","unstructured":"Jean Marsault. 2017. Volatility-notpetyakeys. Retrieved from https:\/\/github.com\/Iansus\/Volatility-notpetyakeys.  Jean Marsault. 2017. Volatility-notpetyakeys. 
Retrieved from https:\/\/github.com\/Iansus\/Volatility-notpetyakeys."},{"key":"e_1_2_1_41_1","volume-title":"Live and trustworthy forensic analysis of commodity production systems","author":"Martignoni Lorenzo","unstructured":"Lorenzo Martignoni , Aristide Fattori , Roberto Paleari , and Lorenzo Cavallaro . 2010. Live and trustworthy forensic analysis of commodity production systems . In RAID. Springer , 297--316. Lorenzo Martignoni, Aristide Fattori, Roberto Paleari, and Lorenzo Cavallaro. 2010. Live and trustworthy forensic analysis of commodity production systems. In RAID. Springer, 297--316."},{"key":"e_1_2_1_42_1","doi-asserted-by":"publisher","DOI":"10.1111\/1556-4029.12979"},{"key":"e_1_2_1_43_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.diin.2013.03.003"},{"key":"e_1_2_1_44_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.diin.2018.01.013"},{"key":"e_1_2_1_45_1","doi-asserted-by":"publisher","DOI":"10.1145\/2420950.2420962"},{"key":"e_1_2_1_46_1","doi-asserted-by":"publisher","DOI":"10.1007\/s11416-007-0070-0"},{"key":"e_1_2_1_47_1","volume-title":"Convicted by Memory: Recovering spatial-temporal digital evidence from memory images","author":"Saltaformaggio Brendan","unstructured":"Brendan Saltaformaggio . 2018. Convicted by Memory: Recovering spatial-temporal digital evidence from memory images . USENIX Association , Atlanta, GA . Brendan Saltaformaggio. 2018. Convicted by Memory: Recovering spatial-temporal digital evidence from memory images. USENIX Association, Atlanta, GA."},{"key":"e_1_2_1_48_1","doi-asserted-by":"publisher","DOI":"10.1145\/2810103.2813650"},{"key":"e_1_2_1_49_1","doi-asserted-by":"publisher","DOI":"10.1145\/2810103.2813720"},{"key":"e_1_2_1_50_1","volume-title":"USENIX Security Symposium. 1137--1151","author":"Saltaformaggio Brendan","unstructured":"Brendan Saltaformaggio , Rohit Bhatia , Xiangyu Zhang , Dongyan Xu , and Golden G . Richard III. 2016. 
Screen after previous screens: Spatial-temporal recreation of android app displays from memory images . In USENIX Security Symposium. 1137--1151 . Brendan Saltaformaggio, Rohit Bhatia, Xiangyu Zhang, Dongyan Xu, and Golden G. Richard III. 2016. Screen after previous screens: Spatial-temporal recreation of android app displays from memory images. In USENIX Security Symposium. 1137--1151."},{"key":"e_1_2_1_51_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.diin.2007.06.009"},{"key":"e_1_2_1_52_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.diin.2006.06.010"},{"key":"e_1_2_1_53_1","doi-asserted-by":"publisher","DOI":"10.1109\/ARES.2010.73"},{"key":"e_1_2_1_54_1","doi-asserted-by":"publisher","DOI":"10.1109\/ARES.2011.33"},{"key":"e_1_2_1_55_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.diin.2016.01.004"},{"key":"e_1_2_1_56_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.diin.2013.06.012"},{"key":"e_1_2_1_57_1","doi-asserted-by":"publisher","DOI":"10.1109\/TIFS.2015.2467356"},{"key":"e_1_2_1_58_1","volume-title":"Proceedings of the 7th ShmooCon Conference.","author":"Sylve Joe","year":"2012","unstructured":"Joe Sylve . 2012 . Lime-linux memory extractor . In Proceedings of the 7th ShmooCon Conference. Joe Sylve. 2012. Lime-linux memory extractor. In Proceedings of the 7th ShmooCon Conference."},{"key":"e_1_2_1_59_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.diin.2011.06.002"},{"key":"e_1_2_1_60_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.diin.2012.04.005"},{"key":"e_1_2_1_61_1","doi-asserted-by":"publisher","DOI":"10.1016\/j.diin.2013.06.004"},{"key":"e_1_2_1_62_1","unstructured":"Aaron Walters. 2007. The volatility framework: Volatile memory artifact extraction utility framework.  Aaron Walters. 2007. 
The volatility framework: Volatile memory artifact extraction utility framework."}],"container-title":["ACM Transactions on Privacy and Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3310355","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3310355","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T23:53:37Z","timestamp":1750204417000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3310355"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2019,3,18]]},"references-count":62,"journal-issue":{"issue":"2","published-print":{"date-parts":[[2019,5,31]]}},"alternative-id":["10.1145\/3310355"],"URL":"https:\/\/doi.org\/10.1145\/3310355","relation":{},"ISSN":["2471-2566","2471-2574"],"issn-type":[{"value":"2471-2566","type":"print"},{"value":"2471-2574","type":"electronic"}],"subject":[],"published":{"date-parts":[[2019,3,18]]},"assertion":[{"value":"2018-08-01","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2018-12-01","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2019-03-18","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}