{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,25]],"date-time":"2026-03-25T10:52:25Z","timestamp":1774435945149,"version":"3.50.1"},"reference-count":33,"publisher":"Association for Computing Machinery (ACM)","issue":"3","license":[{"start":{"date-parts":[[2024,9,30]],"date-time":"2024-09-30T00:00:00Z","timestamp":1727654400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["Digital Threats"],"published-print":{"date-parts":[[2024,9,30]]},"abstract":"<jats:p>Main memory contains valuable information for criminal investigations, e.g., process information or keys for disk encryption. Taking snapshots of memory is therefore common practice during a digital forensic examination. Inconsistencies in such memory dumps can, however, hamper their analysis. In this article, we perform a systematic assessment of causal inconsistencies in memory dumps taken on a Windows 10 machine using the kernel-level acquisition tool WinPmem. We use two approaches to measure the quantity of inconsistencies in Windows 10: (1) causal inconsistencies within self-injected memory data structures using a known methodology transferred from the Linux operating system, and (2) inconsistencies in the memory management data structures of the Windows kernel using a novel measurement technique based on properties of the virtual address descriptor (VAD) tree. Our evaluation is based on a dataset of more than 180 memory dumps. As a central result, both types of inconsistency measurement reveal that a high number of inconsistencies is the norm rather than the exception. We also correlate workload and execution time of the memory acquisition tool to the number of inconsistencies in the respective memory snapshot. By controlling these factors it is possible to (somewhat) control the level of inconsistencies in Windows memory dumps.<\/jats:p>","DOI":"10.1145\/3680293","type":"journal-article","created":{"date-parts":[[2024,7,23]],"date-time":"2024-07-23T15:46:01Z","timestamp":1721749561000},"page":"1-20","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":6,"title":["Causal Inconsistencies Are Normal in Windows Memory Dumps (Too)"],"prefix":"10.1145","volume":"5","author":[{"ORCID":"https:\/\/orcid.org\/0009-0001-4918-7449","authenticated-orcid":false,"given":"Lisa","family":"Rzepka","sequence":"first","affiliation":[{"name":"Universit\u00e4t der Bundeswehr M\u00fcnchen, Munich, Germany"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-1090-0566","authenticated-orcid":false,"given":"Jenny","family":"Ottmann","sequence":"additional","affiliation":[{"name":"Friedrich-Alexander-Universit\u00e4t Erlangen-N\u00fcrnberg (FAU), Erlangen, Germany"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-8279-8401","authenticated-orcid":false,"given":"Felix","family":"Freiling","sequence":"additional","affiliation":[{"name":"Friedrich-Alexander-Universit\u00e4t Erlangen-N\u00fcrnberg (FAU), Erlangen, Germany"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-9254-6398","authenticated-orcid":false,"given":"Harald","family":"Baier","sequence":"additional","affiliation":[{"name":"Universit\u00e4t der Bundeswehr M\u00fcnchen, Munich, Germany"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"320","published-online":{"date-parts":[[2024,10,26]]},"reference":[{"key":"e_1_3_3_2_2","doi-asserted-by":"publisher","DOI":"10.1016\/S1361-3723(21)00044-0"},{"key":"e_1_3_3_3_2","first-page":"10","volume-title":"Proceedings of the 11th Australian Digital Forensics Conference (ADF \u201913)","author":"Campbell W.","year":"2014","unstructured":"W. Campbell. 2014. Volatile memory acquisition tools - A comparison across taint and correctness. In Proceedings of the 11th Australian Digital Forensics Conference (ADF \u201913), 10\u201319."},{"key":"e_1_3_3_4_2","doi-asserted-by":"publisher","DOI":"10.5555\/1051914"},{"key":"e_1_3_3_5_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.diin.2016.12.004"},{"key":"e_1_3_3_6_2","first-page":"553","volume-title":"Statistical Power Analysis for the Behavioral Sciences","author":"Cohen Jacob","year":"1988","unstructured":"Jacob Cohen and Jacob Willem Cohen. 1988. Statistical Power Analysis for the Behavioral Sciences (2nd ed.). Erlbaum, Hillsdale, NJ [u.a.]. XXI, 567 S. pages. Literaturverz. S. 553\u2013558.","edition":"2"},{"key":"e_1_3_3_7_2","unstructured":"Microsoft Corporation. 2023. Device Encryption in Windows. Retrieved March 20 2023 from https:\/\/support.microsoft.com\/en-us\/windows\/device-encryption-in-windows-ad5dcf4b-dbe0-2331-228f-7925c2a3012d"},{"key":"e_1_3_3_8_2","unstructured":"Microsoft Corporation. 2023. RTL_AVL_TABLE structure (ntddk.h). Retrieved July 02 2023 from https:\/\/learn.microsoft.com\/en-us\/windows-hardware\/drivers\/ddi\/ntddk\/ns-ntddk-_rtl_avl_table"},{"key":"e_1_3_3_9_2","doi-asserted-by":"publisher","DOI":"10.5555\/1535318"},{"key":"e_1_3_3_10_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.diin.2007.06.008"},{"key":"e_1_3_3_11_2","unstructured":"Exterro. 2023. FTK\u00ae Imager. Retrieved April 25 2023 from https:\/\/www.exterro.com\/ftk-imager"},{"key":"e_1_3_3_12_2","unstructured":"FireEye. 2023. Memoryze\u2122. Retrieved April 25 2023 from https:\/\/fireeye.market\/apps\/211368"},{"key":"e_1_3_3_13_2","unstructured":"Magnet Forensics. 2023. MAGNET DumpIt. Retrieved April 25 2023 from https:\/\/www.magnetforensics.com\/resources\/magnet-dumpit-for-windows\/"},{"key":"e_1_3_3_14_2","unstructured":"Volatility Foundation. [n. d.]. Changes between Volatility 2 and Volatility 3. Retrieved March 17 2023 from https:\/\/volatility3.readthedocs.io\/en\/latest\/vol2to3.html"},{"key":"e_1_3_3_15_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.diin.2016.01.003"},{"key":"e_1_3_3_16_2","unstructured":"Apple Inc. 2023. Use FileVault to Encrypt Your Mac Startup Disk. Retrieved April 25 2023 from https:\/\/support.apple.com\/en-us\/HT204837"},{"key":"e_1_3_3_17_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.diin.2011.05.006"},{"key":"e_1_3_3_18_2","unstructured":"Alboukadel Kassambara. 2024. Wilcoxon Test in R. Retrieved March 04 2024 from https:\/\/www.datanovia.com\/en\/lessons\/wilcoxon-test-in-r\/"},{"key":"e_1_3_3_19_2","doi-asserted-by":"publisher","DOI":"10.5220\/0007566101550162"},{"key":"e_1_3_3_20_2","unstructured":"Vidstrom Labs. 2023. PMDump. Retrieved April 25 2023 from https:\/\/vidstromlabs.com\/freetools\/pmdump\/"},{"key":"e_1_3_3_21_2","doi-asserted-by":"publisher","unstructured":"Tobias Latzo Ralph Palutke and Felix Freiling. 2019. A universal taxonomy and survey of forensic memory acquisition techniques. Digital Investigation 28 (2019) 56\u201369. DOI: 10.1016\/j.diin.2019.01.001","DOI":"10.1016\/j.diin.2019.01.001"},{"key":"e_1_3_3_22_2","unstructured":"Haiko L\u00fcpsen. 2023. Varianzanalysen \u2013 Pr\u00fcfen der Voraussetzungen und nichtparametrische Methoden sowie praktische Anwendungen mit R und SPSS. Retrieved October 15 2023 from https:\/\/kups.ub.uni-koeln.de\/6851\/1\/nonpar-anova.pdf"},{"key":"e_1_3_3_23_2","first-page":"215","volume-title":"Proceedings of the International Workshop on Parallel and Distributed Algorithms","author":"Mattern Friedemann","year":"1988","unstructured":"Friedemann Mattern. 1988. Virtual time and global states of distributed systems. In Proceedings of the International Workshop on Parallel and Distributed Algorithms, 215\u2013226."},{"key":"e_1_3_3_24_2","volume-title":"Proceedings of the Digital Forensics Research Conference Europe (DFRWS EU \u201922)","author":"Ottmann Jenny","year":"2022","unstructured":"Jenny Ottmann, Frank Breitinger, and Felix Freiling. 2022. Defining atomicity (and integrity) for snapshots of storage in forensic computing. In Proceedings of the Digital Forensics Research Conference Europe (DFRWS EU \u201922), 11 pages, (2022-03-29\/2022-04-01). Retrieved from https:\/\/dfrws.org\/presentation\/defining-atomicity-and-integrity-for-snapshots-of-storage-in-forensic-computing\/"},{"key":"e_1_3_3_25_2","doi-asserted-by":"publisher","DOI":"10.1145\/3628600"},{"key":"e_1_3_3_26_2","doi-asserted-by":"publisher","DOI":"10.1145\/3310355"},{"key":"e_1_3_3_27_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.diin.2007.06.009"},{"key":"e_1_3_3_28_2","unstructured":"Sereno. 2023. Comparison of Pearson vs Spearman Correlation Coefficients. Retrieved October 15 2023 from https:\/\/www.analyticsvidhya.com\/blog\/2021\/03\/comparison-of-pearson-and-spearman-correlation-coefficients\/"},{"key":"e_1_3_3_29_2","unstructured":"StatCounter. 2024. Desktop Operating System Market Share Worldwide. Retrieved March 11 2024 from https:\/\/gs.statcounter.com\/os-market-share\/desktop\/worldwide"},{"key":"e_1_3_3_30_2","unstructured":"Velocidex. 2023. WinPmem. Retrieved April 25 2023 from https:\/\/github.com\/Velocidex\/WinPmem\/"},{"key":"e_1_3_3_31_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.diin.2012.04.005"},{"key":"e_1_3_3_32_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.diin.2011.06.002"},{"key":"e_1_3_3_33_2","unstructured":"Bj\u00f6rn Walther. 2023. Kruskal-Wallis Test in R rechnen. Retrieved September 21 2023 from https:\/\/bjoernwalther.com\/kruskal-wallis-test-in-r-rechnen\/"},{"key":"e_1_3_3_34_2","volume-title":"Windows Internals, Part 1: System Architecture, Processes, Threads, Memory Management, and More","author":"Yosifovich Pavel","year":"2017","unstructured":"Pavel Yosifovich, David A Solomon, and Alex Ionescu. 2017. Windows Internals, Part 1: System Architecture, Processes, Threads, Memory Management, and More. Microsoft Press."}],"container-title":["Digital Threats: Research and Practice"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3680293","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3680293","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,19]],"date-time":"2025-06-19T00:58:26Z","timestamp":1750294706000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3680293"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2024,9,30]]},"references-count":33,"journal-issue":{"issue":"3","published-print":{"date-parts":[[2024,9,30]]}},"alternative-id":["10.1145\/3680293"],"URL":"https:\/\/doi.org\/10.1145\/3680293","relation":{},"ISSN":["2576-5337"],"issn-type":[{"value":"2576-5337","type":"electronic"}],"subject":[],"published":{"date-parts":[[2024,9,30]]},"assertion":[{"value":"2024-04-19","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2024-07-03","order":2,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2024-10-26","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}