Plain text passwords:- a forensic RAM-raid

Graeme Horsman

Research output: Contribution to journalArticlepeer-review

486 Downloads (Pure)


Despite many academic studies in the last 15 years acknowledging the investigative value of physical memory due to the potential sensitive nature of data it may contain, it arguably remains rarely collected at-scene in most criminal investigations. Whilst this may be due to factors such as first responders lacking the technical skills to do this task, or simply that it is overlooked as an evidence source, this work seeks to emphasise the worth of this task by demonstrating the ability to recover plain-text login credentials from it. Through an examination of logins made to 15 popular online services carried out via the Chrome, Edge and Mozilla Firefox browsers, testing shows that plain-text credentials are present in RAM in every case. Here, a transparent test methodology is defined and the results of test cases are presented along with ‘string markers’ which allow a practitioner to search their RAM captures for the presence of unknown credential information for these services in future cases.
Original languageEnglish
Pages (from-to)555-566
Number of pages12
JournalScience and Justice - Journal of the Forensic Science Society
Issue number6
Publication statusPublished - 10 Jul 2020

Bibliographical note

Publisher Copyright:
© 2020 The Chartered Society of Forensic Sciences

Copyright 2020 Elsevier B.V., All rights reserved.


Dive into the research topics of 'Plain text passwords:- a forensic RAM-raid'. Together they form a unique fingerprint.

Cite this