A Comprehensive Quantification of Inconsistencies in Memory Dumps

📅 2025-03-19
📈 Citations: 0
Influential: 0
🤖 AI Summary
This work addresses memory inconsistency in live memory forensics caused by ongoing system execution during memory acquisition. We present the first systematic quantification of physical memory inconsistency induced by kernel write operations. Using Linux kernel module hooks and physical memory access monitoring, we dynamically trace all kernel writes throughout the acquisition process to precisely count and categorize inconsistency events. By integrating multi-OS runtime analysis and Volatility compatibility validation, we uncover how memory management mechanisms and acquisition modalities profoundly influence inconsistency frequency. Our results demonstrate that memory inconsistency is pervasive; kernel write frequencies vary significantly across acquisition methods, filesystems, and hardware platforms; and such inconsistencies directly cause failures in page-table reconstruction and recovery of critical kernel data structures—severely compromising forensic reliability. This study establishes the first empirical benchmark and methodological framework for assessing the trustworthiness of memory forensics.

📝 Abstract
Memory forensics is a powerful technique commonly adopted to investigate compromised machines and to detect stealthy computer attacks that do not store data on non-volatile storage. To employ this technique effectively, the analyst has to first acquire a faithful copy of the system's volatile memory after the incident. However, almost all memory acquisition tools capture the content of physical memory without stopping the system's activity and by following the ascending order of the physical pages, which can lead to inconsistencies and errors in the dump. In this paper we develop a system to track all write operations performed by the OS kernel during a memory acquisition process. This allows us to quantify, for the first time, the exact number and type of inconsistencies observed in memory dumps. We examine the runtime activity of three different operating systems and the way they manage physical memory. Then, focusing on Linux, we quantify how different acquisition modes, file systems, and hardware targets influence the frequency of kernel writes during the dump. We also analyze the impact of inconsistencies on the reconstruction of page tables and major kernel data structures used by Volatility to extract forensic artifacts. Our results show that inconsistencies are very common and that their presence can undermine the reliability and validity of memory forensics analysis.
Problem

Research questions and friction points this paper is trying to address.

Quantify inconsistencies in memory dumps during acquisition.
Analyze impact of OS activity on memory dump reliability.
Evaluate effects of inconsistencies on forensic artifact extraction.
Innovation

Methods, ideas, or system contributions that make the work stand out.

Tracks OS kernel write operations during memory acquisition
Quantifies inconsistencies in memory dumps across systems
Analyzes impact on forensic artifact extraction reliability