Forensics & IR
Memory Forensics
Also known as: RAM forensics, volatile memory analysis
Definition
The discipline of acquiring and analysing a system's volatile RAM to reveal running processes, network connections, injected code, and in-memory artefacts.
Examples
- Using Volatility 3's malfind plugin to detect injected shellcode in a memory image.
- Recovering an attacker's Mimikatz output from a Windows RAM dump.
Related terms
Digital Forensics
The scientific discipline of identifying, preserving, analysing, and reporting on digital evidence from computers, networks, and devices in a legally defensible way.
DFIR (Digital Forensics and Incident Response)
A combined discipline that fuses digital forensic investigation with incident response to detect, contain, eradicate, and learn from cyber incidents.
Fileless Malware
Malware that runs primarily in memory and leverages trusted system tools, avoiding the use of traditional executable files on disk.
Malware Analysis
Malware Analysis — definition coming soon.
Disk Forensics
The analysis of non-volatile storage media — HDDs, SSDs, USB drives — to recover, examine, and interpret file-system, application, and operating-system artefacts.
Evidence Acquisition
Evidence Acquisition — definition coming soon.