Forensic analysis of communication records of messaging applications from physical memory


Bibliographic details

Published in: Computers & Security 2019-09, Vol. 86, p. 484-497
Authors: Barradas, Diogo; Brito, Tiago; Duarte, David; Santos, Nuno; Rodrigues, Luís
Format: Article
Language: English

Description
Summary:

• RAMAS efficiently extracts communication records from volatile memory.
• Works for most popular messaging applications.
• Uses the same record signatures on different operating systems and browsers.
• Provides a forensic framework for evidence inspection and reporting.
• Highlights which sequences of actions impact record durability the most.

Inspection of physical memory allows digital investigators to retrieve evidence that is otherwise inaccessible when analyzing other storage media. In this paper, we analyze in-memory communication records produced by instant messaging and email applications, both in desktop web-based applications and in native applications running on mobile devices. Our results show that, in spite of the heterogeneity of the data formats specific to each application, communication records can be represented in a common, application-independent format. This format can then be used as a common representation that allows for general analysis of digital artifacts across various applications. We then introduce RAMAS, an extensible forensic tool that aims to ease the process of analysing communication records left behind in physical memory by instant-messaging and email clients.
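The abstract describes the two ideas behind the tool: per-application record signatures that locate message records in a raw memory image, and a common application-independent schema into which every carved record is normalised. The following Python sketch is an added illustration of that approach and is not RAMAS code or any of its real signatures; the two record formats ("webapp" JSON and a pipe-delimited "mobile" record), the anchor and full patterns, and the sample memory image are all constructed for this example. It also shows the caveat a practitioner cares about: a record that was partially overwritten matches the anchor but not the full pattern, so it is reported separately rather than silently dropped or mis-parsed.

```python
import json
import re
from dataclasses import dataclass, asdict

# --- Constructed sample memory image (not a real dump) -------------------
# Two hypothetical in-memory record formats are embedded among filler bytes,
# plus one record whose tail has been overwritten (a durability failure).
WEBAPP_RECORD = b'{"id":"m1","sender":"alice","recipient":"bob","ts":1535000000,"text":"meet at 9"}'
TRUNCATED_RECORD = b'{"id":"m2","sender":"alice","recipient":"bob","ts":15350'  # cut off
MOBILE_RECORD = b'MSG|from=bob|to=alice|time=1535000042|body=ok see you\x00'

SAMPLE_IMAGE = (
    b'\x00' * 16 + b'random junk \x13\x37' + WEBAPP_RECORD + b'\xff' * 8
    + TRUNCATED_RECORD + b'\x00' * 5 + MOBILE_RECORD + b'trailing\x00\x00'
)

# --- Common, application-independent record format -----------------------
@dataclass
class CommRecord:
    app: str        # which signature produced the record
    sender: str
    recipient: str
    timestamp: int  # seconds since epoch as stored by the app
    body: str
    offset: int     # byte offset in the image, kept for evidence reporting

# --- Signatures (hypothetical; real ones must be derived per application) --
# Each signature has a cheap anchor that marks a candidate record start and a
# full pattern that bounds and validates the complete record from that anchor.
WEBAPP_ANCHOR = re.compile(rb'\{"id":"')
WEBAPP_FULL = re.compile(
    rb'\{"id":"[^"]*","sender":"[^"]*","recipient":"[^"]*","ts":\d+,"text":"[^"]*"\}')
MOBILE_ANCHOR = re.compile(rb'MSG\|from=')
MOBILE_FULL = re.compile(
    rb'MSG\|from=([^|\x00]+)\|to=([^|\x00]+)\|time=(\d+)\|body=([^\x00]*)\x00')

def _parse_webapp(m, offset):
    d = json.loads(m.group(0))
    return CommRecord("webapp", d["sender"], d["recipient"], int(d["ts"]), d["text"], offset)

def _parse_mobile(m, offset):
    dec = lambda b: b.decode("utf-8", "replace")
    return CommRecord("mobile", dec(m.group(1)), dec(m.group(2)),
                      int(m.group(3)), dec(m.group(4)), offset)

SIGNATURES = [
    ("webapp", WEBAPP_ANCHOR, WEBAPP_FULL, _parse_webapp),
    ("mobile", MOBILE_ANCHOR, MOBILE_FULL, _parse_mobile),
]

def carve_records(image: bytes):
    """Scan a raw memory image with every signature.

    Returns (records, partial): records are normalised CommRecords sorted by
    timestamp; partial lists (app, offset) for anchors whose full record could
    not be recovered, i.e. candidates that were partially overwritten or freed.
    """
    records, partial = [], []
    for app, anchor, full, parse in SIGNATURES:
        for a in anchor.finditer(image):
            m = full.match(image, a.start())
            if m is None:
                partial.append((app, a.start()))
                continue
            records.append(parse(m, a.start()))
    records.sort(key=lambda r: r.timestamp)
    return records, partial

def export_records(records):
    """Common-format view suitable for a report or cross-application analysis."""
    return [asdict(r) for r in records]

if __name__ == "__main__":
    recs, partial = carve_records(SAMPLE_IMAGE)
    for row in export_records(recs):
        print(row)
    print("partial/overwritten candidates:", partial)
```

Because both record types end up as the same CommRecord, a conversation between the web client and the mobile client can be ordered and inspected as one timeline, which is the cross-application analysis the paper argues the common format enables. Real signatures are far less tidy than these regexes (the paper derives them per application, and the abstract notes they hold across operating systems and browsers), so treat the patterns above purely as placeholders.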
ISSN:0167-4048
1872-6208
DOI:10.1016/j.cose.2018.08.013