Memory forensics is the discipline of examining volatile memory (RAM) to find evidence that disk-only forensics misses. Credentials cached in memory, in-memory malware, injected code, the plaintext of encrypted traffic: all of these live only in RAM. This module covers the tooling and workflow.
Why memory forensics
Traditional disk forensics recovers files, logs and persistence artefacts. Memory adds:
- Process list at incident time (including hidden processes)
- Loaded DLLs / injected code
- Open network connections (past + present)
- Recently used credentials (LSASS-style secrets, SSH keys, passphrases)
- Decrypted plaintext of TLS / VPN traffic (if the session was active at capture time)
- Malware that never touches disk (fileless)
- Command history from memory-resident shells
Acquisition: getting RAM out
Windows
- DumpIt: single-binary full-memory dumper
- WinPmem: open-source, reliable
- Microsoft LiveKD / kd: for kernel debugging scenarios
- Hibernation file: hiberfil.sys contains a compressed RAM image
- Crash dump: MEMORY.DMP from kernel crashes
Linux
- LiME (Linux Memory Extractor): kernel module for RAM acquisition
- /dev/mem: on older kernels (restricted on modern kernels)
- /proc/kcore: kernel memory image
- AVML (Azure-developed): modern portable acquisition tool
Cloud / EC2
- AWS SSM Run Command: run DumpIt/LiME/AVML remotely without console access
- AWS EC2 GetConsoleScreenshot: NOT memory, only the visible console
- Live snapshot of EBS: disk only, not memory. Memory requires running a tool inside the instance
Analysis: Volatility 3
Volatility is the de facto open-source memory analysis framework. Version 3 is the current, actively maintained branch.
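As an added example (not part of this module and not Volatility's own code), the script below shows the cross-view check that makes hidden processes visible: windows.pslist walks the kernel's linked process list, while windows.psscan carves process structures out of the whole image, so anything psscan finds that pslist does not is either a terminated process (ExitTime set) or a process that was unlinked from the list. It parses the JSON that Volatility 3 emits with its `-r json` renderer; the column names used (PID, PPID, ImageFileName, Offset(V), ExitTime) are assumed from those two plugins and should be confirmed against your own output. The sample rows are constructed, not taken from a real image.

```python
"""Cross-view hidden-process check over Volatility 3 JSON output (added example).

Assumed workflow on a captured image:
    vol -f mem.raw -r json windows.pslist > pslist.json
    vol -f mem.raw -r json windows.psscan > psscan.json
The row keys below are assumed column names; check them against your vol output.
"""
import json

# Constructed sample rows standing in for the two JSON files above.
# Offsets are arbitrary kernel-space virtual addresses chosen for the example.
PSLIST_JSON = json.dumps([
    {"PID": 4,   "PPID": 0,   "ImageFileName": "System",       "Offset(V)": 0xffffa000c0100000, "ExitTime": None, "__children": []},
    {"PID": 328, "PPID": 4,   "ImageFileName": "smss.exe",     "Offset(V)": 0xffffa000c0280000, "ExitTime": None, "__children": []},
    {"PID": 412, "PPID": 400, "ImageFileName": "csrss.exe",    "Offset(V)": 0xffffa000c0310000, "ExitTime": None, "__children": []},
    {"PID": 640, "PPID": 560, "ImageFileName": "lsass.exe",    "Offset(V)": 0xffffa000c0490000, "ExitTime": None, "__children": []},
    {"PID": 912, "PPID": 560, "ImageFileName": "svchost.exe",  "Offset(V)": 0xffffa000c0520000, "ExitTime": None, "__children": []},
])

PSSCAN_JSON = json.dumps([
    {"PID": 4,    "PPID": 0,   "ImageFileName": "System",       "Offset(V)": 0xffffa000c0100000, "ExitTime": None, "__children": []},
    {"PID": 328,  "PPID": 4,   "ImageFileName": "smss.exe",     "Offset(V)": 0xffffa000c0280000, "ExitTime": None, "__children": []},
    {"PID": 412,  "PPID": 400, "ImageFileName": "csrss.exe",    "Offset(V)": 0xffffa000c0310000, "ExitTime": None, "__children": []},
    {"PID": 640,  "PPID": 560, "ImageFileName": "lsass.exe",    "Offset(V)": 0xffffa000c0490000, "ExitTime": None, "__children": []},
    {"PID": 912,  "PPID": 560, "ImageFileName": "svchost.exe",  "Offset(V)": 0xffffa000c0520000, "ExitTime": None, "__children": []},
    # Exited before capture: still carved from pool memory, ExitTime populated.
    {"PID": 2240, "PPID": 912, "ImageFileName": "cmd.exe",      "Offset(V)": 0xffffa000c0a10000, "ExitTime": "2026-04-19 10:02:17", "__children": []},
    # Running (no ExitTime) but absent from the linked list: the interesting case.
    {"PID": 3368, "PPID": 640, "ImageFileName": "rundll32.exe", "Offset(V)": 0xffffa000c0b70000, "ExitTime": None, "__children": []},
])


def load_rows(text):
    """Parse Volatility 3 ``-r json`` output into a flat list of row dicts.

    Tree plugins nest rows under ``__children``; flatten so the same loader
    works for pslist, psscan and pstree output.
    """
    flat, stack = [], list(json.loads(text))
    while stack:
        row = stack.pop()
        flat.append(row)
        stack.extend(row.get("__children") or [])
    return flat


def cross_view(pslist_rows, psscan_rows):
    """Compare the list walk against the carve.

    Keyed on Offset(V) rather than PID because PIDs are reused, and a process
    that was unlinked and a later process can legitimately share a PID.
    Returns {'hidden': [...], 'terminated': [...]} with the psscan rows.
    """
    listed = {r["Offset(V)"] for r in pslist_rows}
    hidden, terminated = [], []
    for row in psscan_rows:
        if row["Offset(V)"] in listed:
            continue
        if row.get("ExitTime"):
            terminated.append(row)   # normal: process exited before capture
        else:
            hidden.append(row)       # no exit time, not in list: unlinked
    return {"hidden": hidden, "terminated": terminated}


def triage(pslist_text, psscan_text):
    """Run the cross-view check and return one-line findings for an analyst."""
    result = cross_view(load_rows(pslist_text), load_rows(psscan_text))
    lines = []
    for r in result["hidden"]:
        lines.append("HIGH  pid=%d %s ppid=%d: found by psscan only, no ExitTime (unlinked process)"
                     % (r["PID"], r["ImageFileName"], r["PPID"]))
    for r in result["terminated"]:
        lines.append("INFO  pid=%d %s exited %s (carved terminated process)"
                     % (r["PID"], r["ImageFileName"], r["ExitTime"]))
    return lines


if __name__ == "__main__":
    for line in triage(PSLIST_JSON, PSSCAN_JSON):
        print(line)
```

In practice, treat a psscan-only process with no ExitTime as a lead rather than proof: confirm it with a second carving view (thread scans, handle tables) and with windows.malfind on the same PID, because pool carving can also surface stale structures from long-freed memory.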