Extraction of HTTP messages for retrieval of live evidence

There has been a surge towards physical memory forensics with recent development of valuable tools and techniques in acquisition and analysis. However, most of the research is skewed towards the Operating System architecture with primary focus on processes, threads, kernel modules etc. There has been little research towards retrieval of application level data. Moreover, the research is majorly application specific and keyword search oriented, involving text string search tools which use match and/or indexing algorithms to search digital evidence. Our paper aims to unearth application level data through a generic approach and provide some degree of automation to reduce the string search dependency. The paper revolves around the web browser and the HTTP protocol which are the basic elements of the interface between a user and the internet. Programs have been developed for the extraction of HTTP message headers from the acquired RAM image and a detailed analysis of how the information in these headers is crucial, follows.