Memory forensics

Memory Forensics: Decoding Digital Mysteries

 By Charles Joseph | Cybersecurity Advocate
 Last update: November 25, 2023

Memory forensics, also known as digital memory forensics or random access memory (RAM) analysis, is a branch of computer forensics that focuses on examining a computer’s volatile memory.

It’s a technique used to identify, recover, and analyze data from the RAM to help solve computer-related crimes or incidents, including cyberattacks, malware infections, or unauthorized access to a computer system.

To better understand memory forensics, let’s review some key concepts:

Computer Forensics

This is the process of collecting, analyzing, and preserving electronic evidence to solve computer-related crimes or incidents.

It involves various techniques to examine digital devices, such as computers, smartphones, or networks, and identify relevant information that can be used in legal cases or cybersecurity investigations.

Volatile Memory

This is a type of computer memory that stores data temporarily while a computer is running.

When you turn off your computer, all the data stored in the volatile memory is lost. RAM is an example of volatile memory.


Random Access Memory is a type of volatile memory that stores data and allows it to be read or written by a computer’s processor.

It stores various types of information, such as running programs, open files, and user input. It plays a crucial role in a computer’s performance and speed.

Memory forensics is essential because, unlike other storage devices (like hard drives or USB drives), the data stored in RAM is not easily accessible once a computer is turned off.

Stay One Step Ahead of Cyber Threats

Want to Be the Smartest Guy in the Room? Get the Latest Cybersecurity News and Insights.
We respect your privacy and you can unsubscribe anytime.

By analyzing the data stored in RAM, investigators can obtain valuable information, such as:

Running processes

Details about the programs currently running on a computer, which can help identify malicious software or unauthorized activities.

Network connections

Information about active connections to the internet or other devices, which can be used to trace the source of a cyberattack or data breach.

User credentials

Usernames and passwords that are temporarily stored in memory, which can be helpful in identifying unauthorized users or compromised accounts.

Digital artifacts

Fragments of files, browser history, or chat messages that may have been deleted but are still present in RAM, which can provide crucial evidence in a case.

Memory forensics is a valuable tool for law enforcement agencies, cybersecurity professionals, and digital forensic investigators.

It helps them find evidence, identify the root cause of a security incident, and prevent future attacks by understanding how an attacker compromised a system.

What Are Other Types of Volatile Memory?

Apart from Random Access Memory (RAM), there are several other types of volatile memory used in computer systems and electronic devices.

Some common types include:

Cache Memory

Cache memory is a small, high-speed volatile memory that stores frequently used data to improve the performance and speed of a computer system.

It acts as a buffer between the processor and main memory, allowing the processor to quickly access frequently used data.

Cache memory is typically built directly into the CPU or located close to it.

Register Memory

Registers are small, ultra-fast memory locations within a processor or CPU.

They store data and instructions that the processor is currently working on, making them essential for a CPU’s operation.

Register memory is volatile, and the data is lost when power is turned off.

GPU Memory

Graphics Processing Units (GPUs) also contain volatile memory, called Graphics RAM or Video RAM (VRAM).

This memory is dedicated to storing image and video data and is crucial for rendering graphics, such as textures and frame buffers, on your screen.

Like other volatile memories, VRAM content is lost when the device is powered off.

While these are some of the most common types of volatile memory, many other specialized volatile memory types exist for specific purposes in various electronic devices.

The key characteristic shared by all volatile memory types is that they lose their stored data when the power is turned off.

6 Popular Programs to Capture Volatile Memory

Several popular software programs and tools are available for capturing volatile memory, primarily from a computer’s RAM.

These tools are widely used in memory forensics and incident response scenarios. Some of the most popular ones include:

1. FTK Imager

FTK (Forensic Toolkit) Imager is a free tool developed by AccessData. It allows forensic investigators to create images of a computer’s RAM and hard drive.

FTK Imager supports various memory acquisition formats, including raw memory dumps and advanced formats like the Expert Witness Compression Format (EWF).

2. Volatility

Volatility is an open-source memory forensics framework used to extract digital artifacts from volatile memory (RAM) samples.

While Volatility does not capture memory directly, it’s often used in conjunction with other memory acquisition tools, like FTK Imager, to analyze captured memory images.

Is Your PC Hacked? RAM Forensics with Volatility (Video)

3. WinPMEM

WinPMEM is an open-source Windows memory acquisition tool developed by the creators of the Volatility framework.

It can capture memory images from Windows systems, creating a raw memory dump that can be further analyzed using memory forensics tools like Volatility.

4. Rekall

Rekall is another open-source memory forensics framework similar to Volatility.

It supports memory acquisition and analysis on multiple platforms, including Windows, Linux, and macOS.

Rekall can also be used in conjunction with other memory acquisition tools to analyze captured memory images.

5. Magnet RAM Capture

Magnet RAM Capture is a free memory acquisition tool developed by Magnet Forensics.

It’s designed for Windows systems and allows investigators to capture volatile memory in raw format or as a crash dump file.

6. DumpIt

DumpIt is a lightweight, user-friendly tool for capturing volatile memory on Windows systems.

It generates a raw memory dump of the system’s RAM, which can be analyzed using memory forensics tools like Volatility or Rekall.

DumpIt Demo (Video)

"Amateurs hack systems, professionals hack people."
-- Bruce Schneier, a renown computer security professional