Article ID | Journal | Published Year | Pages | File Type |
---|---|---|---|---|
457860 | Digital Investigation | 2012 | 13 Pages |
Abstract
While procedures for forensic memory analysis have been well described in the literature, the actual data acquisition process has been researched to a lesser degree. In particular, even though forensic analysts commonly agree that a memory snapshot should be “correct”, “sound”, and “reliable”, the meaning of these terms still remains informal and vague. In this paper, we formalize three fundamental criteria, correctness, atomicity, and integrity, that determine the quality of a forensic memory image. We illustrate the criteria with the help of a number of intuitive examples, discuss the meaning of forensic soundness as well as outline implications and challenges for memory acquisition solutions available on the market to date.
Related Topics
Physical Sciences and Engineering
Computer Science
Computer Networks and Communications
Authors
Stefan Vömel, Felix C. Freiling