Windows Memory Forensics Technical Guide Part 1

Introduction to Memory Forensics Unstructured Analysis.


Memory forensics has been a crucial part of an investigation process for some time now. RAM can provide – and provides – invaluable information on what is happening on the system at any given moment. It is also able to reveal traces of activity that has already taken place, leaving a trail of breadcrumbs behind – in memory.

In this series we will introduce the process of memory analysis – from acquiring a sample of RAM to extracting juicy data and interpretation of contained information.


Memory Acquisition

Memory Capture Tools
Before we can even think about memory analysis, we need to figure out a way to obtain an image of RAM. There are several tools available to us that allow for the RAM capture. An important thing to remember is that any tool we choose will leave a trace on the system we are investigating, which is why we never install any memory acquisition tool on the source system (if not absolutely necessary for some reason). Be sure to document your steps so that in the case of a lawsuit, acquired evidence may be accepted in the court of law and the entire investigation process would not be disputable…

Download “Windows Memory Forensics Technical Guide Part 1” Technical Guide


Relevant resources: