Memory Forensics - What it is, what it finds, and how responders use it

Memory Forensics

What it is

Memory forensics is the practice of analyzing a computer’s RAM to see what is happening right now or just happened. By capturing and examining memory, investigators can spot active processes, network connections, passwords in use, and stealthy malware that may never touch the disk.

Why it matters

Many modern threats hide in memory to dodge file scans. Looking at RAM lets you catch live attacks, rebuild timelines, and confirm exactly what ran, even if the attacker tried to clean up.

What you can find - quick tour

  • Running processes and threads that don’t appear in Task Manager

  • Network sockets and connections tied to suspicious programs

  • Loaded modules and drivers that reveal rootkits or injectors

  • Credentials, keys, and commands left in memory by tools and scripts

If you need to run it - basics

  1. Isolate the system and avoid heavy use that overwrites memory.

  2. Capture RAM with a trusted acquisition tool and record cryptographic hashes of the image immediately, so its integrity can be verified at every later step.

  3. Analyze with Volatility/Velociraptor or similar frameworks.

  4. Correlate with logs, EDR, and disk artifacts to confirm scope.
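Steps 2 and 4 both depend on being able to prove that the image analyzed is the image captured. The script below is an added example, not part of the original article or of any acquisition tool: it assumes the RAM capture already exists on disk (a constructed sample buffer stands in for it here), streams it through SHA-256 and SHA-1 without loading the whole file, writes a small JSON manifest with the hashes and chain-of-custody fields, and later re-verifies the image against that manifest. The `demo()` function flips a single byte after the manifest is written to show that verification catches it.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

# Constructed stand-in for a raw memory capture. A real image is the output of an
# acquisition tool and is typically gigabytes in size, which is why hashing streams it.
SAMPLE_CAPTURE = b"MEMORY-IMAGE-SAMPLE\x00" * 4096


def hash_file(path, algorithms=("sha256", "sha1"), chunk_size=1 << 20):
    """Stream the file through each hash so a multi-gigabyte image never needs to fit in RAM."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def write_manifest(image_path, manifest_path, examiner, source_host, tool):
    """Record what was captured, by whom, with what, and the hashes that pin it down."""
    manifest = {
        "image": os.path.basename(image_path),
        "size_bytes": os.path.getsize(image_path),
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,
        "source_host": source_host,
        "tool": tool,
        "hashes": hash_file(image_path),
    }
    with open(manifest_path, "w") as fh:
        json.dump(manifest, fh, indent=2)
    return manifest


def verify_image(image_path, manifest_path):
    """Recompute the hashes and report which ones no longer match the manifest."""
    with open(manifest_path) as fh:
        manifest = json.load(fh)
    current = hash_file(image_path, tuple(manifest["hashes"]))
    mismatches = [name for name, digest in manifest["hashes"].items() if current[name] != digest]
    size_ok = os.path.getsize(image_path) == manifest["size_bytes"]
    return {"ok": size_ok and not mismatches, "mismatches": mismatches}


def demo():
    """Write a sample image, manifest it, verify it, corrupt one byte, verify again."""
    with tempfile.TemporaryDirectory() as workdir:
        image = os.path.join(workdir, "host01.raw")          # hypothetical file name
        manifest = image + ".manifest.json"
        with open(image, "wb") as fh:
            fh.write(SAMPLE_CAPTURE)
        write_manifest(image, manifest, "analyst", "host01", "constructed sample")
        before = verify_image(image, manifest)
        with open(image, "r+b") as fh:                        # simulate a single flipped byte
            fh.seek(100)
            fh.write(b"\xff")
        after = verify_image(image, manifest)
        return before["ok"], after["ok"], after["mismatches"]


if __name__ == "__main__":
    print(demo())
```

Keep the manifest (and, ideally, a copy of the hashes written to the case notes) separate from the image itself; a hash stored only next to the file it protects can be altered together with it.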

Tips

  • Practice on test hosts so you can work fast under pressure.

  • Prefer cold captures when possible; document every step.

  • Automate extraction of IoCs and feed them to SIEM and EDR blocklists.
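As an added example of the automation this tip describes (not code from the original article or from Volatility/Velociraptor), the script below carves printable ASCII and UTF-16LE strings out of a raw memory buffer, pulls out the IoC types the article lists (network endpoints, URLs, and command lines left by tools and scripts), decodes a PowerShell `-EncodedCommand` payload when one is present, and emits one JSON record per IoC in the shape a SIEM ingestion pipeline or EDR blocklist feed typically accepts. The memory image is a constructed byte string with a handful of planted strings; the host and image names are placeholders.

```python
import base64
import json
import re

# Constructed stand-in for a raw memory image: a few strings of the kind that tools
# and scripts leave behind, padded with zero bytes. It is not a real capture.
SAMPLE_IMAGE = (
    b"\x00" * 64
    + b"powershell.exe -nop -w hidden -enc SQBFAFgA\x00"
    + b"\x00" * 32
    + b"http://updates.example.invalid/stage2.bin\x00"
    + b"\x00" * 16
    + "Connect 10.0.0.25:4443".encode("utf-16-le")   # Windows keeps many strings as UTF-16LE
    + b"\x00" * 64
    + b"Random-Filler 2024-01-01\x00"
)

ASCII_RUN = re.compile(rb"[\x20-\x7e]{6,}")
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")
IPV4_PORT = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}(?::\d{1,5})?\b")
URL = re.compile(r"https?://[A-Za-z0-9.\-]+(?:/\S*)?")
CMDLINE = re.compile(r"(?i)\b(?:powershell|pwsh|cmd|wscript|cscript|mshta|rundll32)(?:\.exe)?\s.*")
ENC_ARG = re.compile(r"(?i)-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]+)")


def extract_strings(buf):
    """Yield printable ASCII and UTF-16LE runs, the same idea as the classic strings tool."""
    for m in ASCII_RUN.finditer(buf):
        yield m.group().decode("ascii")
    for m in UTF16_RUN.finditer(buf):
        yield m.group().decode("utf-16-le")


def decode_encoded_command(cmdline):
    """PowerShell -EncodedCommand carries base64 of UTF-16LE text; return it decoded, or None."""
    m = ENC_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def extract_iocs(buf):
    """Run the carved strings through each IoC pattern and return sorted, de-duplicated lists."""
    iocs = {"ipv4": set(), "url": set(), "command": set(), "decoded_command": set()}
    for s in extract_strings(buf):
        iocs["ipv4"].update(IPV4_PORT.findall(s))
        iocs["url"].update(URL.findall(s))
        for cmd in CMDLINE.findall(s):
            iocs["command"].add(cmd)
            decoded = decode_encoded_command(cmd)
            if decoded:
                iocs["decoded_command"].add(decoded)
    return {kind: sorted(values) for kind, values in iocs.items()}


def to_siem_records(iocs, source_host, image_name):
    """One JSON object per line; most SIEM ingestion pipelines accept this directly."""
    records = []
    for kind, values in iocs.items():
        for value in values:
            records.append(json.dumps(
                {"type": kind, "value": value, "source_host": source_host, "image": image_name},
                sort_keys=True,
            ))
    return records


if __name__ == "__main__":
    found = extract_iocs(SAMPLE_IMAGE)
    for line in to_siem_records(found, "host01", "host01.raw"):   # placeholder names
        print(line)
```

Raw string carving like this is a first pass: it has no notion of which process a string belonged to, so the results are leads to confirm with a framework that walks kernel structures, not a finished verdict.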
