Basic Memory Analysis


Abstract

Computer memory (RAM) is a rich source of forensic artifacts because it holds information about everything the computer has worked on since the last reboot. Information must also take its true, unencrypted form in memory in order to be meaningful to the user. From a forensic perspective, a memory dump can therefore contain vital information such as passwords, decrypted versions of encrypted data and malware in its true form. This chapter provides the reader with an introduction to memory analysis using the open source tool Volatility. Using Volatility, rather than treating a memory dump as one big blob of data, allows the examiner to carry out a more structured analysis. The chapter demonstrates how to use Volatility to find several key artifacts, including the list of users on the system, files loaded into memory and information relating to TrueCrypt, a tool used for encryption. The aim of the chapter is to show the reader the basic functionality of Volatility so that the reader can continue to learn memory analysis independently.

Citation

Kävrestad, J. (2017). Basic Memory Analysis. In SpringerBriefs in Computer Science (Vol. 0, pp. 117–122). Springer. https://doi.org/10.1007/978-3-319-67450-6_11
