Memory forensics is a critical component of digital investigations. It allows analysts to capture and examine volatile system state information that disappears on shutdown. This guide covers RAM architecture, acquisition strategies, memory dump formats, anti-forensics, and threat detection techniques aligned with MITRE ATT&CK.

What is Memory?

Memory refers to fast-access hardware used to temporarily store data for immediate use. The most common type, RAM (Random Access Memory), is volatile its contents are erased when power is lost. RAM holds:

• Running processes and threads
• Open files and sockets
• Network activity and connections
• Decrypted credentials and payloads

What is Memory Forensics?

Memory forensics (or memory analysis) involves capturing and analyzing the contents of volatile memory to uncover evidence of malicious activity. It's essential in cases where:

• Malware resides only in memory (fileless threats)
• Evidence disappears on shutdown
• Traditional disk forensics fails to provide insights

What is a Memory Dump?

A memory dump (core dump) is a snapshot of a system’s RAM at a specific point in time. It may contain:

• Running processes and services
• Active network connections
• Injected or decrypted malicious payloads