Memory & Live Forensics

Memory forensics involves acquiring and analyzing the contents of a computer's RAM (Random Access Memory) to uncover valuable digital evidence. Live forensics refers to the collection of volatile data from a running system (before shutdown), which can disappear if the device is turned off.

Blog Sep 13, 2025 0 3 Add to Reading List

Attackers increasingly use fileless malware that resides only in memory.
Many advanced threats never touch the hard disk—making RAM analysis essential.
Live systems often contain encryption keys, open connections, user credentials, and running malicious processes.

Artifact Type	Description
Encryption keys	Used for decrypting files or drives.
Running processes	Including hidden or malicious processes.
Loaded DLLs	Useful in detecting injected or rogue code.
Network connections	Real-time info about attacker communication.
Passwords / hashes	Often present in cleartext (e.g., in LSASS).
Open files	Includes documents, malware payloads.

Tool	Use
Volatility / Volatility 3	The most widely used open-source memory analysis framework.
Rekall	Google-supported alternative to Volatility.
FTK Imager	Used for memory acquisition and forensic imaging.
Belkasoft RAM Capturer	Lightweight RAM acquisition tool.
LiME (Linux Memory Extractor)	Used for acquiring memory from Linux systems.
DumpIt	One-click RAM capture (Windows).

Live Data Acquisition:
- Use trusted tools like FTK Imager, DumpIt, or Belkasoft.
- Ensure integrity using hashes (MD5/SHA256).
Analysis (with Volatility, Rekall):
- List running processes:
- Check open network connections:
- Dump suspicious processes:
- Look for injected code:
- Examine command history:
- Recover web browser artifacts:
Report Findings:
- Document findings with screenshots, command logs, and chain of custody.
- Correlate with disk and network forensics if necessary.