Towards the Utilization of Parallel Programming to Speed Up RAM Forensics.

2023 Tenth International Conference on Software Defined Systems (SDS) (2023)

Abstract
Memory forensics uses volatile digital artifacts as evidence about criminal activities. Analyzing captured memory dumps for volatile data requires time and effort. This paper studies the utilization of parallel programming to speed up RAM forensics. It presents a performance-based evaluation of parallel programming in the domain of memory forensics and compares sequential and parallel approaches to speeding up the memory analysis process. First, it evaluates the sequential approach and uses it as a base case for the parallel approaches. Second, it evaluates two parallel approaches that can be performed on a typical user machine. Our experiments evaluate the use of two parallel programming paradigms: the in-process parallelization approach using OpenMP, and the inter-process parallelization approach using MPI. Our results compare the performance of the sequential approach, the OpenMP thread-based approach, and the MPI process-based approach. The experiments compare the performance of the three scenarios using six files of different sizes and various numbers of threads and/or processes. The results show that MPI is slightly better than OpenMP when using 2 and 4 processes/threads. However, when the number of processors/threads is increased to 8 and 16, OpenMP slightly outperforms the MPI approach. Additionally, the parallelization approach using OpenMP and MPI provides a 3x to 5x speedup over the traditional sequential approach. Moreover, it is worth mentioning that this speedup is achieved on traditional user machines without the use of HPC computers.
Keywords
Memory Forensics,MPI,OpenMP,RAM Dump,Naïve Search Algorithm