Why this module exists. Half the modern malware ecosystem never writes a payload to disk — it lives in memory, injected into legitimate processes, and dies at reboot. Without memory forensics you are flying blind on that whole class. This module is the practitioner workflow.
Acquisition — get the memory before you lose it
Memory acquisition is the most fragile forensic activity: every running process is changing memory contents. Two principles:
- Image memory before disk. Powering down or even imaging disk first will lose volatile state.
- Use a tool that runs from removable media, with minimal memory footprint. The tool itself necessarily occupies some memory; minimise it.
# Linux — LiME (Linux Memory Extractor)
sudo insmod lime.ko "path=/evidence/mem.lime format=lime"
# Linux — AVML (Microsoft's memory acquisition for Azure VMs, works elsewhere)
sudo ./avml /evidence/mem.lime
# Windows — Magnet RAM Capture (free for IR)
# Run from USB stick, output to external evidence disk
# Cloud — for EC2, EBS-snapshot the volume and use the AWS Memory
# Forensics workflow (no in-instance acquisition needed)
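As an added example that is not part of the original module, a POSIX shell wrapper around the LiME/AVML commands above that does the checks a responder wants before and after acquisition: refuse an evidence directory that sits on the suspect's root filesystem, hash the image as soon as it is written, and record host, kernel and time next to it so the image can be verified later. The tool locations (./avml, lime.ko) and the /evidence path are assumptions.

```shell
#!/bin/sh
# Added example (not the module's own code). Assumed paths: ./avml, lime.ko, /evidence.

# Pre-flight: the evidence directory must exist and must not be on the same
# block device as "/", otherwise the image overwrites the suspect's own disk.
preflight_evidence_dir() {
    dir="$1"
    [ -d "$dir" ] || return 1
    root_dev=$(df -P / | awk 'NR==2 {print $1}')
    ev_dev=$(df -P "$dir" | awk 'NR==2 {print $1}')
    [ "$root_dev" != "$ev_dev" ]
}

# Acquire with whichever tool is on the removable media (AVML first, then LiME).
# Must run as root; output path should already have passed preflight_evidence_dir.
acquire_linux() {
    out="$1"
    if [ -x ./avml ]; then
        ./avml "$out"
    elif [ -f lime.ko ]; then
        insmod lime.ko "path=$out format=lime"
    else
        echo "no acquisition tool found (expected ./avml or lime.ko)" >&2
        return 1
    fi
}

# Seal: hash the image and write a sidecar with the facts an analyst needs
# to trust it later (size, host, kernel version, UTC time of acquisition).
seal_evidence() {
    img="$1"
    [ -f "$img" ] || return 1
    sha256sum "$img" > "$img.sha256"
    {
        echo "image=$img"
        echo "sha256=$(awk '{print $1}' "$img.sha256")"
        echo "size_bytes=$(wc -c < "$img" | tr -d ' ')"
        echo "host=$(uname -n)"
        echo "kernel=$(uname -r)"
        echo "acquired_utc=$(date -u +%Y-%m-%dT%H:%M:%SZ)"
    } > "$img.meta"
}

# Verify: re-hash against the sealed checksum; fails if the image was altered.
verify_image() {
    sha256sum -c "$1.sha256"
}

# Usage (as root, from the removable media):
#   preflight_evidence_dir /evidence && acquire_linux /evidence/mem.lime \
#     && seal_evidence /evidence/mem.lime && verify_image /evidence/mem.lime
```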