Memory Forensics
What is Memory Forensics?
Memory Forensics: the discipline of acquiring and analysing a system's volatile RAM to reveal running processes, network connections, injected code, and in-memory artefacts.
Memory forensics targets volatile data that disappears when a host powers off, exposing evidence that disk forensics cannot reach: malware loaded only in memory, unpacked payloads, encryption keys, browser sessions, cleartext credentials, and rootkit hiding techniques. Acquisition uses tools such as WinPmem, DumpIt, or AVML, which produce raw dumps, or hypervisor snapshots, which yield files such as VMware .vmem images. Analysis frameworks like Volatility 3 and Rekall parse the operating system's kernel structures in the image to enumerate processes, loaded DLLs, network sockets, registry hives, and signs of code injection. The discipline is essential for fileless malware and APT investigations and complements disk and network forensics in DFIR workflows aligned with NIST SP 800-86.
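As an added illustration (not code from this page, nor from Volatility or Rekall), the script below shows the two ways an analysis framework enumerates processes from a memory image: walking the kernel's linked list of process objects (the pslist approach) and carving every process structure whose signature appears anywhere in the image (the psscan approach). Comparing the two views exposes a process that a rootkit has unlinked from the list but that still exists in memory. Everything here is constructed: the 4 KiB image, the simplified process record layout (tag, PID, forward link, name), the list-head location, the decoy text and the process names; none of it reflects a real Windows kernel layout.

```python
import struct
from collections import namedtuple

# Constructed toy layout (not a real Windows EPROCESS): 4-byte tag, u32 pid,
# u32 forward link (offset of the next process record), 16-byte NUL-padded name.
TAG = b"Proc"
PROC = struct.Struct("<4sII16s")
HEAD_OFFSET = 0x100          # assumed location of the list-head pointer in the image
IMAGE_SIZE = 0x1000

Process = namedtuple("Process", "offset pid name flink")


def build_image():
    """Build a constructed 4 KiB 'memory image' holding four process records.

    Three records form a circular active-process list; the record at 0x400
    (pid 1337) is unlinked from that list, as a rootkit using direct kernel
    object manipulation would do, but its bytes remain in memory.
    """
    img = bytearray(IMAGE_SIZE)
    records = {            # offset: (pid, name, flink)
        0x200: (4, "System", 0x300),
        0x300: (512, "lsass.exe", 0x500),      # skips 0x400
        0x400: (1337, "evil.exe", 0x500),      # hidden: nothing links to it
        0x500: (2048, "explorer.exe", 0x200),  # back to the start (circular)
    }
    for off, (pid, name, flink) in records.items():
        PROC.pack_into(img, off, TAG, pid, flink, name.encode().ljust(16, b"\0"))
    struct.pack_into("<I", img, HEAD_OFFSET, 0x200)
    # Decoy text that happens to contain the tag bytes: the scanner must reject it.
    img[0x600:0x600 + 16] = b"Processing done\0"
    return bytes(img)


def parse_process(img, off):
    """Return a Process if a plausible record starts at off, else None."""
    if off % 4 or off + PROC.size > len(img):
        return None
    tag, pid, flink, raw_name = PROC.unpack_from(img, off)
    name = raw_name.split(b"\0", 1)[0]
    if tag != TAG or pid == 0:
        return None
    if flink % 4 or flink + PROC.size > len(img):   # link must stay inside the image
        return None
    if not name or any(c < 0x20 or c > 0x7E for c in name):   # printable ASCII only
        return None
    return Process(off, pid, name.decode("ascii"), flink)


def walk_active_list(img, head_offset=HEAD_OFFSET):
    """List view: follow forward links from the list head (pslist-style)."""
    off = struct.unpack_from("<I", img, head_offset)[0]
    seen, out = set(), []
    while off and off not in seen:          # stop on a null link or when the circle closes
        seen.add(off)
        proc = parse_process(img, off)
        if proc is None:
            break
        out.append(proc)
        off = proc.flink
    return out


def pool_scan(img):
    """Scan view: carve every valid record whose signature appears in the image (psscan-style)."""
    found = []
    pos = img.find(TAG)
    while pos != -1:
        proc = parse_process(img, pos)
        if proc is not None:
            found.append(proc)
        pos = img.find(TAG, pos + 1)
    return sorted(found, key=lambda p: p.offset)


def find_hidden(img, head_offset=HEAD_OFFSET):
    """Cross-view: records the scan finds that the active list does not reach."""
    listed = {p.offset for p in walk_active_list(img, head_offset)}
    return [p for p in pool_scan(img) if p.offset not in listed]


if __name__ == "__main__":
    image = build_image()
    print("active list :", [(p.pid, p.name) for p in walk_active_list(image)])
    print("pool scan   :", [(p.pid, p.name) for p in pool_scan(image)])
    for p in find_hidden(image):
        print(f"HIDDEN process at 0x{p.offset:x}: pid={p.pid} name={p.name}")
```

The validation in `parse_process` is what keeps a signature scan useful on a real image: the tag bytes also occur in ordinary strings (the decoy at 0x600), so each candidate is checked for a non-zero PID, an in-bounds aligned link and a printable name before it is trusted. On real systems the same cross-view comparison is what Volatility's process-listing plugins rely on, with the real kernel structure layouts supplied by symbol tables rather than the toy layout used here.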
● Examples
- 01: Using Volatility 3's malfind plugin to detect injected shellcode in a memory image.
- 02: Recovering an attacker's Mimikatz output from a Windows RAM dump.
● Frequently asked questions
What is Memory Forensics?
The discipline of acquiring and analysing a system's volatile RAM to reveal running processes, network connections, injected code, and in-memory artefacts. It belongs to the Forensics & IR category of cybersecurity.
What does Memory Forensics mean?
The discipline of acquiring and analysing a system's volatile RAM to reveal running processes, network connections, injected code, and in-memory artefacts.
How do you defend against Memory Forensics?
Defences for Memory Forensics typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for Memory Forensics?
Common alternative names include: RAM forensics, Volatile memory analysis.