Memory Forensics 101: What to Capture and Why

Author

David Ajuzie

Posted: October 2, 2025 • 3 min read

Viewed broadly, digital forensics plays a crucial role in cybersecurity: it provides the post-mortem intelligence needed to understand a security incident and helps organisations defend against cyber threats. In today's blog, we will examine one of its sub-branches, memory forensics, by dissecting what it entails, what to capture, and why.

Memory Forensics: What Does It Entail?

Memory forensics is the art and science of capturing and analysing a system's volatile memory to reveal evidence of activity that might never make it to disk. Traditional forensics leans towards reconstructing past events, for instance by recovering deleted files; memory forensics, by contrast, reveals the present tense of computing. That is, it captures and analyses the live state of a computer as it is operating.

Let's break this further down:

Person A = Traditional forensics

Person B = Memory Forensics

Case scenario: Investigating a security incident

  • Person A is the Historian who checks the archives and the available history book (the disk) that contains permanent, saved records of events recorded over the years.

Note: this book only records things after they have been saved.

  • Person B is the Reporter who arrives at the incident in progress, taking snapshots (memory dump) of the entire scene as it unfolds before the suspects hide or destroy them. Hence, their core differences lie in what type of data they analyse and its lifespan.

Traditional vs Memory Forensics

Building on this understanding, capturing memory becomes a necessity in cybersecurity. Why? RAM is not a permanent data source: it needs power to retain its contents, and once the power is cut, everything in it is gone. More importantly, fileless malware, encryption keys, decrypted files and traces of user behaviour all live in RAM.

Failing to capture memory could mean missing the very evidence needed to solve a case.

Memory Forensics: What to Capture

While capturing and analysing a memory dump, investigators should always look for:

  • Running processes: legitimate apps and hidden malware.
  • Loaded drivers & DLLs: potential rootkits or code injection.
  • Network connections: who the system is talking to, in real time.
  • Logged-in users: active sessions, local or remote.
  • Command history: recently executed instructions.
  • Clipboard: passwords or sensitive snippets.
  • Encryption keys: essential for unlocking protected data.
  • Malware in memory: code that decrypts itself only while running.

Each of these artefacts is a window into an attacker's actions.

How Memory is Captured

Capturing RAM requires special tools. Some of the most widely used include:

  • DumpIt (Windows): one-click acquisition, great for incident responders.
  • LiME (Linux Memory Extractor): a kernel module for Linux memory capture.
  • FTK Imager: a commercial tool that includes memory capture.
  • Volatility / Volatility 3: the leading open-source frameworks for analysing dumps after capture.

Real-World Use Cases

  • Malware detection: analysts have uncovered sophisticated fileless malware that never left a footprint on disk but revealed itself in memory.
  • Credential theft: attackers using tools like Mimikatz store stolen credentials in RAM, waiting for investigators to find them.
  • Insider threats: command histories in memory can prove exactly what an insider executed before evidence was lost.
  • Ransomware response: sometimes, encryption keys can be retrieved from RAM.

Best Practices and Pitfalls

To get memory forensics right, investigators should embrace these best practices:

  • Capture memory immediately, before shutdown.
  • Use tested forensic tools.
  • Document acquisition steps for legal admissibility.
  • Validate memory images with hashes.

However, they must avoid the following pitfalls:

  • Running unnecessary tools that overwrite memory.
  • Waiting too long; RAM changes constantly.
  • Ignoring privacy or legal issues in sensitive environments.

Practical Lab: Analysing Memory Dump Using Volatility 3

This lab demonstrates how a memory dump from a ransomware incident is analysed using Volatility 3. The exercise shows how to capture memory, extract artefacts, and start making sense of what you find, without risking your real system.

Volatility 3 is the world's most widely used framework for extracting digital artefacts from volatile memory (RAM) samples.

Next steps to take

  • The Volatility framework is first downloaded from the official website or GitHub page onto the analysis machine, here Kali Linux.
  • We will be working on a challenge called Memory Analysis on the Blue Team Labs Online platform.
  • After accessing the page, look towards the left side (as shown in the picture) for a downloadable file needed for the analysis. Once downloaded, use unzip and ls to extract and list the contents.
  • With the archive's contents extracted, we can go ahead and perform our memory analysis. Note that the file we will be analysing is the one with the .vmem extension.

Quick Rundown of the Command:

python3 /opt/volatility/volatility3/vol.py -f infected.vmem windows.psscan

python3: launches Python 3 to run the Volatility 3 script. Volatility 3 is Python-based, so invoking it with python3 runs the tool.

/opt/volatility/volatility3/vol.py: the full path to the Volatility 3 main script. This is the program that loads the memory image and the kernel symbol tables, and executes plugins.

-f infected.vmem: -f tells Volatility which memory image file to analyse; infected.vmem is the memory capture.

windows.psscan: the plugin being executed. windows.psscan scans raw memory for Windows EPROCESS structures rather than relying only on the kernel's active process list, so it can also surface terminated or unlinked (hidden) processes.

  • We have successfully found the name of the suspicious process.

Next challenge:

All we have to do is follow the order in which everything has been listed.

  • Now, we can see that the Parent Process ID (PPID) of the suspicious process is listed as 2732.

Next:

  • We have already identified the PPID of the suspicious program as 2732. Now we match that PPID against the PID column to find the initial malicious executable that created the process in the first place.

Now, we have successfully identified the executable file.
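The PPID chasing done by hand above can also be scripted. The block below is an added example, not code from the original post or from the Volatility project: it parses the tab-separated table that windows.pslist or windows.psscan prints (assumed here to have been saved to text) into a map and walks the parent chain; the sample table, and every PID and image name in it, is constructed for illustration.

```python
# Added example (not from the original post or the Volatility project): turn
# windows.pslist / windows.psscan output into a PPID-walkable process map.
# The sample below is constructed; PIDs, names and times are invented.
SAMPLE_PSLIST = """\
Volatility 3 Framework 2.x
PID\tPPID\tImageFileName\tOffset(V)\tThreads\tCreateTime
4\t0\tSystem\t0xaaaa0000\t60\t2025-01-01 10:00:00.000000
500\t4\tsmss.exe\t0xaaaa1000\t2\t2025-01-01 10:00:01.000000
600\t500\texplorer.exe\t0xaaaa2000\t20\t2025-01-01 10:00:05.000000
2732\t600\tdropper.exe\t0xaaaa3000\t5\t2025-01-01 10:05:00.000000
2900\t2732\tsuspicious.exe\t0xaaaa4000\t3\t2025-01-01 10:05:02.000000
3100\t9999\torphan.exe\t0xaaaa5000\t1\t2025-01-01 10:06:00.000000
"""

def parse_pslist(text):
    """Return {pid: (ppid, image_name)}. Columns are located by header name,
    so the extra columns real plugin output carries do not break parsing."""
    rows = [ln for ln in text.splitlines() if "\t" in ln]  # drops the banner
    col = {name: i for i, name in enumerate(rows[0].split("\t"))}
    procs = {}
    for row in rows[1:]:
        f = row.split("\t")
        procs[int(f[col["PID"]])] = (int(f[col["PPID"]]), f[col["ImageFileName"]])
    return procs

def find_by_name(procs, name):
    """PIDs whose image name matches (Windows names are case-insensitive)."""
    return sorted(pid for pid, (_, n) in procs.items() if n.lower() == name.lower())

def ancestry(procs, pid):
    """Follow PPID links upward, [pid, parent, grandparent, ...], until the
    root or a parent absent from the listing; the loop guard stops cycles."""
    chain = []
    while pid in procs and pid not in chain:
        chain.append(pid)
        pid = procs[pid][0]
    return chain

def children(procs, pid):
    """Direct children of a PID, e.g. everything the dropper spawned."""
    return sorted(c for c, (ppid, _) in procs.items() if ppid == pid)

def orphans(procs):
    """Processes whose parent is missing from the listing: the parent exited
    (typical of a dropper) or is unlinked, which is why psscan matters."""
    return sorted(c for c, (ppid, _) in procs.items() if ppid and ppid not in procs)
```

With real output, redirect the plugin to a file and pass its contents to parse_pslist; ancestry() then answers the lab's "which executable created it" question in one call.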

Onto the next question:

Now, if we just follow the instructions here, we can find the process that is the odd one out.

The next question:

Now, we are just going to change the plugin to cmdline, because that is where the path resides.

As highlighted in the picture, we have successfully located the path where the malicious file resides.

The next question goes like this:

This one is a simple OSINT task. All you have to do is search for "taskdl.exe" in your browser.

Now, the last but definitely not the least question:

We are just going to change the plugin once again and use our already established PID, 2732, to get our results.

We have successfully located all the information needed for this exercise.

Conclusion: Key Takeaways for Beginners

Memory forensics may feel intimidating at first, but it's one of the most powerful skills you can add to your Digital Forensics and Incident Response (DFIR) toolkit. Disk analysis shows you the history, but memory tells you the truth of the moment: what was really happening when the system was alive. If you're just starting in DFIR, focus on building strong fundamentals: practise in safe labs, get comfortable with common tools, and never stop experimenting. The more time you spend digging into volatile data, the sharper your instincts will become. Remember, every investigation is a puzzle, and memory often holds the missing piece.

References:

https://blueteamlabs.online/home/challenge/memory-analysis-ransomware-7da6c9244d

https://www.youtube.com/watch?v=EqGoGwVCVwM&t=303s

https://doforensics.se/memory-forensics-101-a-beginners-guide-to-ram-analysis/