

Objectives: This paper investigates the amount of user input that can be recovered from the volatile memory of Windows computer systems while an application is still running. It also discusses and reports on an investigation into temporal and functional analysis and event reconstruction of user input activities in business applications.

Methods/Analysis: Forensically relevant user information is suitable for evidentiary purposes. Therefore, a qualitative assessment of user input in commonly used Windows-based applications is presented.

Findings: This research places detailed emphasis on the quality of evidence recovered from the allocated line numbers of the application memory. The approach describes the process of securing digital evidence for investigators. The research uncovers the process of analysing the forensically relevant data recovered from Windows applications. The investigation comprises the following: dumping of memory, data extraction, conversion of evidence strings, finding results from the evidence, and reconstructing the extracted evidence of user information.

Applications/Improvement: This research focuses on digital forensic investigation of digital images captured and the memory analysis of user information when using some very popular Windows-based applications. The aim is for this to become part of forensic analysis in digital investigations.

Keywords

Application, Forensic, Fraud Information, Investigation, User-Input.