
Memory Forensics

What is Memory Forensics?

To put it simply, memory forensics is the analysis of the volatile data of a compromised computer: the acquisition and analysis of a system's volatile memory, which is why it is also called volatile memory forensics. Volatile memory is the memory the operating system and running programs use while the device is powered on; in practice this means the contents of RAM (Random Access Memory), which are lost as soon as power is removed.

Non-volatile memory is storage whose contents survive a power loss, such as the computer's hard disk or SSD.

Why Memory Forensics?

Volatile memory is crucial because it captures the state of the compromised system at the moment of acquisition and gives strong evidence of how the system was attacked. It holds browsing activity, network connections, injected code fragments, open applications and more, much of which never touches the disk at all.

Before 2008, forensic analysts relied primarily on non-volatile data both to recover evidence and to detect a malware's activity.

Today, volatile memory analysis has become essential. Malware such as Stuxnet has been identified and analysed from the volatile memory dumps of compromised systems; such malware can stay dormant on a victim's system until it finds its intended target, leaving little on disk to analyse.

What is a memory dump?

A memory dump is a snapshot of the running state of a system: a capture of everything that was in RAM when the acquisition started. This includes running processes, loaded modules, open images, password hashes and even text typed into a terminal. Such dumps are of crucial importance because they help us establish what the attacker did to the system. Note that acquisition is not instantaneous: memory keeps changing while it is being copied, so a dump is a slightly smeared picture of the system rather than a perfectly consistent one.

So how do we dump memory of a system?

Simple. On a Windows system, RAM can be dumped with tools such as FTK Imager or DumpIt. Whichever tool you use, keep in mind that the tool itself has to be loaded into RAM and therefore overwrites a small amount of the evidence; run it from removable media, write the dump to external storage rather than the system disk, and record a cryptographic hash of the dump file as soon as it is written so that it can be verified later.

DumpIt

DumpIt is a free Windows memory acquisition tool from Comae. It is very easy to use: it has a command-line interface and, when you confirm with "y", it writes a raw image of physical memory into the very folder the DumpIt executable is run from, so that location needs at least as much free space as the machine has RAM. Below is a small demo on Windows XP.

[Figure: DumpIt usage, demo on Windows XP]
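Once DumpIt has written its raw image, the first thing an analyst does is hash the file and run a strings-style scan over it to see the kind of artefacts listed above (command lines, URLs, paths) before turning to a full framework. The script below is an added example written for this page, not code from the original post or from Comae's DumpIt. It hashes an image for chain of custody and carves both ASCII and UTF-16LE strings (Windows stores most user-visible text as UTF-16LE, so scanning ASCII alone misses half the evidence), then flags strings that match a few indicator patterns. SAMPLE_IMAGE, the SUSPICIOUS pattern list and the function names are all assumptions constructed for the demo; point the script at a real `.raw` file to run it on an actual dump.

```python
"""Minimal first-pass triage of a raw memory image.

Added example, not code from the original page. It hashes the image (so the
acquisition can be verified later) and carves printable ASCII and UTF-16LE
strings from it, much as `strings` would over a DumpIt output.
SAMPLE_IMAGE is a constructed stand-in for a real dump.
"""
import hashlib
import re
import sys
from typing import Iterable

MIN_LEN = 6  # shortest run of printable characters worth reporting

# Constructed indicator list; a real engagement would use IOCs from the case.
SUSPICIOUS = [r"https?://", r"cmd\.exe", r"powershell", r"\.bin$"]

# Constructed sample "dump": non-printable filler around an ASCII command
# line, a UTF-16LE URL and a string too short to be reported.
SAMPLE_IMAGE = (
    bytes(range(0, 32)) * 4
    + b"cmd.exe /c whoami > C:\\Users\\Public\\out.txt"
    + b"\x00" * 16
    + "http://example.invalid/stage2.bin".encode("utf-16-le")
    + b"\x00\xff" * 32
    + b"ab\x00"
)


def sha256_of(data: bytes) -> str:
    """Hash to record alongside the dump for chain of custody."""
    return hashlib.sha256(data).hexdigest()


def carve_strings(image: bytes, min_len: int = MIN_LEN) -> list:
    """Return (offset, encoding, text) for every printable run >= min_len.

    Windows keeps paths, URLs and window titles as UTF-16LE (each printable
    byte followed by a NUL), so both encodings are scanned.
    """
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = []
    for m in ascii_re.finditer(image):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in utf16_re.finditer(image):
        found.append((m.start(), "utf-16le", m.group().decode("utf-16-le")))
    found.sort()  # report in offset order regardless of encoding
    return found


def find_indicators(strings: Iterable, patterns: Iterable = SUSPICIOUS) -> list:
    """Flag carved strings matching any indicator pattern (first match wins)."""
    hits = []
    for offset, enc, text in strings:
        for pat in patterns:
            if re.search(pat, text, re.IGNORECASE):
                hits.append((offset, enc, text, pat))
                break
    return hits


def triage(image: bytes) -> dict:
    """Hash the image and collect carved strings plus flagged indicators."""
    strings = carve_strings(image)
    return {
        "sha256": sha256_of(image),
        "size": len(image),
        "strings": strings,
        "indicators": find_indicators(strings),
    }


if __name__ == "__main__":
    # Usage: python triage.py <dump.raw>; with no argument the sample is used.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_IMAGE
    report = triage(data)
    print(f"sha256 {report['sha256']}  size {report['size']} bytes")
    for offset, enc, text, pat in report["indicators"]:
        print(f"0x{offset:08x} {enc:8} /{pat}/  {text}")
```

On a real multi-gigabyte image you would read the file in chunks rather than into one bytes object, and carry over a tail of `2 * min_len` bytes between chunks so strings straddling a boundary are not lost; the logic above is otherwise the same. The hash is computed over the file DumpIt wrote, so it only proves the file has not changed since acquisition, not that the acquisition itself was complete.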