Memory forensics is the process of analyzing a RAM image to reconstruct the system's runtime state at the time of capture. It surfaces ephemeral evidence — running processes, loaded modules, network sockets, decrypted content, and in-memory malware — that often does not persist to disk.
Why it matters:
- Reveals in-memory-only malware and injected code.
- Shows live network connections and command-lines that may be absent on disk.
- Helps validate or refute hypotheses made from disk analysis.
Acquisition
Rules:
- Capture RAM before any reboot or shutdown; memory is volatile, so power loss destroys IPv4/IPv6 socket state, process memory, and cryptographic keys.
- Record the capture method, timestamps, and who performed the acquisition (chain of custody basics).
- Prefer hardware-assisted or trusted OS-level acquisition tools on live systems when possible.
Common tools:
- Windows: Belkasoft Live RAM, Magnet RAM Capture, FTK Imager (live), DumpIt.
- Linux: dd from /dev/mem, LiME (Linux Memory Extractor).
Capture tips:
- Note system uptime and active user sessions.
- If possible, isolate the host from the network to prevent further communication, but avoid rebooting.
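The Linux capture described above, with the chain-of-custody facts the rules ask for (method, timestamp, operator, uptime, sessions, image hash) written as a key=value record; this is an added example, not code from the original page or from the LiME project. It assumes a lime.ko built for the running kernel, an output path on trusted external storage, and root for the capture step.

```shell
#!/bin/sh
# Added example (not from the original page): acquire Linux RAM with LiME and
# record the chain-of-custody facts beside the image.
# Assumptions (hypothetical): lime.ko is built for the running kernel, the
# output path is on external/trusted storage, and capture_lime runs as root.

# Build the chain-of-custody record for an already-written image file.
# Args: image path, operator name, capture method. Prints the record.
coc_record() {
    image="$1"; operator="$2"; method="$3"
    hash=$(sha256sum "$image" | cut -d' ' -f1)
    size=$(wc -c < "$image" | tr -d ' ')
    # Seconds since boot from /proc/uptime; "unknown" where /proc is absent.
    uptime_s=$(cut -d' ' -f1 /proc/uptime 2>/dev/null || echo unknown)
    # Number of active login sessions at capture time.
    sessions=$(who 2>/dev/null | wc -l | tr -d ' ')
    printf 'image=%s\nsha256=%s\nsize=%s\nmethod=%s\noperator=%s\n' \
        "$image" "$hash" "$size" "$method" "$operator"
    printf 'host=%s\ncaptured_utc=%s\nuptime_seconds=%s\nlogin_sessions=%s\n' \
        "$(uname -n)" "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$uptime_s" "$sessions"
}

# Capture physical memory with LiME in its native "lime" format, unload the
# module, then hash and record the image. Args: lime.ko path, output path,
# operator name. Returns non-zero if the module fails to load.
capture_lime() {
    ko="$1"; out="$2"; operator="$3"
    insmod "$ko" "path=$out" "format=lime" || return 1
    rmmod lime
    coc_record "$out" "$operator" "LiME insmod $ko format=lime"
}

# Usage (as root): capture_lime ./lime.ko /mnt/usb/mem.lime "J. Analyst" > /mnt/usb/mem.lime.coc
```

Keep the record on the same external media as the image; the sha256 line lets anyone re-verify the image before analysis.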
Preparing the image: profile & basic checks
First steps: