Semester of Graduation

Spring 2023


Master of Science in Computer Science (MSCS)


Computer Science

Document Type



A branch of cyber security known as memory forensics focuses on extracting meaningful evidence from system memory. This analysis is often referred to as volatile memory analysis, and is generally performed on memory captures acquired from target systems. Inside of a memory capture is the complete state of a system under investigation, including the contents of currently running as well as previously executed applications. Analysis of this data can reveal a significant amount of activity that occurred on a system since the last reboot. For this research, the Windows operating system is targeted. In particular, the graphical user interface component that includes the taskbar, start menu and notification system will be examined for possible forensic artifacts. The techniques presented in this research are valuable to a forensic investigator trying to find evidence. They are also useful for penetration testers trying to determine if a tool has left any evidence behind for investigators to find.

The research described in this thesis led to development of a scanning technique that served as the basis for a Volatility plugin that automates finding GUI related artifacts. To support this research, a lab consisting of three virtual machines (VM) was created using VMware. Two Windows 10 virtual machines were created for generating artifacts and one Linux was created for scanning the Windows machines. These machines were connected to a live router briefly for gathering network information.

This these explores the strengths and limitations of this searching discovered during research. Lastly, future applications of this research are covered.



Committee Chair

Dr. Golden Richard III