Episode Details
Back to Episodes
Course 36 - Windows Forensics and Tools | Episode 4: From Acquisition to Volatility Analysis
Published 1 month, 1 week ago
Description
In this lesson, you’ll learn about: memory forensics and RAM analysis1. Why Memory Forensics Matters
- RAM (volatile memory) is one of the most valuable forensic sources
- It contains data that disappears after shutdown
- Running processes
- Active network connections
- Command history
- Encryption keys
- Malware behavior in real time
- If disk is “history,” RAM is live truth
- Creating a snapshot of physical RAM for analysis
- DumpIt
- Simple one-click RAM dump tool
- Used widely in field forensics
- NotMyFault
- Forces system crash
- Generates full kernel memory dump
- DumpIt → fast and simple
- Crash dump → deeper but disruptive
- Process objects
- Suspicious threads
- Injected code
- Hidden malware artifacts
- Malware often exists only in memory
- Disk analysis alone may miss it
- Look for:
- Passwords
- URLs
- Commands
- API keys
- Identify:
- Legitimate processes
- Suspicious or orphaned processes
- Detect:
- Code injection
- Hidden execution paths
- A powerful memory forensics framework for analyzing RAM dumps
- Extracts structured evidence from raw memory images
- Shows active processes
- Based on system process list
- Finds hidden or terminated processes
- Scans memory directly
- Cross-checks multiple process sources
- Detects rootkits and hidden malware
- If a process appears in psscan but not pslist, it may be hidden
- First step in analysis is identifying:
- Operating system version
- Memory structure layout
- Correct profile = accurate results in Volatility
- Injected DLLs
- Suspicious network activity
- Hidden execution threads
- Malware often hides better in RAM than on disk
- Extract evidence
- Convert results into structured reports
- Document every forensic step
- Make results repeatable and legally defensible
- RAM is the most dynamic and valuable forensic source
- Memory acquisition must be done carefully to preserve evidence
- Tools like DumpIt and crash dumps capture volatile data
- Volatility enables deep inspection of memory structures
- Cross-checking process lists helps detect hidden malware
- Cap