Capturing Volatile Evidence
RAM (Random Access Memory) contains volatile data that is erased upon power loss, but it holds crucial evidence during an incident, especially for fileless malware that runs only in memory.
What is in RAM?
- Decryption keys and session keys.
- Plaintext passwords that were recently used.
- Running processes and network connections.
- Evidence of rootkits or injected code.
Memory Acquisition
Memory acquisition means running a specialized tool (such as DumpIt or FTK Imager Lite) on the live system to dump the entire contents of RAM to a file before the machine is shut down.
Memory Analysis (The Volatility Tool)
The Volatility Framework is an advanced open-source tool for analyzing memory images. It lets examiners extract running processes, network sockets, command history, and password hashes from the captured RAM dump.
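As an added example (not from the original page or the Volatility project), the script below shows one way the "evidence of rootkits" point is checked in practice: it cross-references the text output of two Volatility 3 process plugins and reports live processes that only the pool-tag scan found. The sample output is constructed, and the tab-separated column layout is assumed to match Volatility 3's default text renderer.

```python
"""Cross-check Volatility 3's windows.pslist (walks the kernel process list) against
windows.psscan (carves _EPROCESS structures by pool tag): a process a rootkit has
unlinked from the list disappears from pslist but is still found by psscan."""
from typing import Dict

# Constructed sample output in the tab-separated layout of Volatility 3's default
# text renderer (a real run also prints a banner line before the header).
HEADER = "PID\tPPID\tImageFileName\tOffset(V)\tThreads\tHandles\tSessionId\tWow64\tCreateTime\tExitTime"

def _row(*fields: object) -> str:
    return "\t".join(str(f) for f in fields)

COMMON = [
    _row(4, 0, "System", "0xfa8000c6e040", 88, "-", "N/A", False, "2024-01-10 08:00:01", "N/A"),
    _row(512, 4, "smss.exe", "0xfa8001a2b040", 2, "-", "N/A", False, "2024-01-10 08:00:03", "N/A"),
    _row(620, 512, "csrss.exe", "0xfa8001b9c060", 9, "-", 0, False, "2024-01-10 08:00:05", "N/A"),
    _row(1320, 1180, "explorer.exe", "0xfa8002371b30", 31, "-", 1, False, "2024-01-10 08:01:12", "N/A"),
]
PSLIST_OUTPUT = "\n".join(["Volatility 3 Framework 2.x", HEADER] + COMMON)
PSSCAN_OUTPUT = "\n".join(["Volatility 3 Framework 2.x", HEADER] + COMMON + [
    # Still running but unlinked from the list: the suspicious case.
    _row(2044, 1320, "svchost.exe", "0xfa80028e1b30", 3, "-", 1, False, "2024-01-10 09:02:44", "N/A"),
    # Exited earlier; its _EPROCESS simply has not been freed, so its absence from pslist is normal.
    _row(2300, 1320, "notepad.exe", "0xfa8002a11060", 0, "-", 1, False, "2024-01-10 09:10:00", "2024-01-10 09:15:00"),
])

def parse_plugin_table(text: str) -> Dict[int, Dict[str, str]]:
    """Return {pid: {column: value}} from a pslist/psscan text table."""
    rows: Dict[int, Dict[str, str]] = {}
    header = None
    for line in text.splitlines():
        cols = line.split("\t")
        if header is None:
            if "PID" in cols and "ImageFileName" in cols:
                header = cols
            continue  # banner or progress lines precede the header
        if len(cols) != len(header) or not cols[0].isdigit():
            continue  # malformed or non-data line
        row = dict(zip(header, cols))
        rows[int(row["PID"])] = row
    return rows

def find_hidden_processes(pslist_text: str, psscan_text: str) -> Dict[int, str]:
    """PIDs psscan carved but pslist never listed, ignoring processes that already exited."""
    listed = parse_plugin_table(pslist_text)
    hidden: Dict[int, str] = {}
    for pid, row in parse_plugin_table(psscan_text).items():
        if pid not in listed and row["ExitTime"] == "N/A":
            hidden[pid] = row["ImageFileName"]
    return hidden
```

Any PID returned by find_hidden_processes deserves a follow-up with the image's other plugins (handles, DLLs, network connections) before calling it a rootkit; a process that exited but whose structure is still in memory is filtered out so it does not produce a false alarm.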