F302 Volatile Data and RAM Forensics

  • Duration

    3 Days

  • Level

    Beginner and Intermediate

Volatile data and memory (RAM) investigations are among the most interesting areas of digital forensics. Every operation performed by the operating system or an application leaves specific traces in the computer's RAM, and those traces often survive long after the operation itself has completed. Memory forensics therefore provides a rich source of information about the state of the system: which processes are running, which network connections are open, and which commands were recently executed. Because an acquired memory image is analysed offline, independently of the system it was taken from, malware or a rootkit on that system has far less opportunity to tamper with the results. Critical data such as disk encryption keys, code injected into memory, chat messages that were never logged, e-mail messages in their unencrypted form, and browsing history that never reaches the on-disk cache are typically resident only in memory. In this training you will learn how to acquire a memory image and analyse its contents, which is valuable for first response, malware analysis and digital forensics. Examining hard drives and network packets still yields a great deal of important evidence, but RAM holds much of the information needed to establish what happened before, during and after a malware infection or an attack.
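Disk encryption keys are the first item in the list of artifacts above that live only in memory, so they make a good illustration of what "analysing the contents" of an image actually means. The following Python script is an added example, not part of the course material: it scans a memory image for AES-128 key schedules, the technique used by tools such as aeskeyfind. An expanded AES-128 key is 176 bytes whose layout is completely determined by its first 16 bytes, so a scanner can test every offset for that relation and reject almost all of them after computing a single word. The "memory image" it scans is constructed inline (random filler around a schedule expanded from the FIPS-197 Appendix A test key); all function names are my own.

```python
"""Scan a memory image for AES-128 key schedules (added example, not course code)."""
from __future__ import annotations
import random


def _aes_sbox() -> list[int]:
    """Build the AES S-box from its definition (GF(2^8) inverse + affine map)."""
    sbox = [0] * 256
    p = q = 1
    while True:
        # p = p * 3 in GF(2^8); 3 generates the multiplicative group, so p
        # visits every non-zero byte exactly once before returning to 1.
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF
        # q = q / 3 in GF(2^8), so q always equals the inverse of p.
        q ^= (q << 1) & 0xFF
        q ^= (q << 2) & 0xFF
        q ^= (q << 4) & 0xFF
        if q & 0x80:
            q ^= 0x09
        # affine transformation: x ^ rotl(x,1) ^ rotl(x,2) ^ rotl(x,3) ^ rotl(x,4) ^ 0x63
        rot = lambda v, n: ((v << n) | (v >> (8 - n))) & 0xFF
        sbox[p] = q ^ rot(q, 1) ^ rot(q, 2) ^ rot(q, 3) ^ rot(q, 4) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63  # zero has no inverse and is defined separately
    return sbox


SBOX = _aes_sbox()
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]
SCHEDULE_LEN = 176  # 11 round keys * 16 bytes for AES-128


def _next_word(prev: list[int], back4: list[int], i: int) -> list[int]:
    """FIPS-197 key expansion step: w[i] = w[i-4] ^ f(w[i-1])."""
    t = list(prev)
    if i % 4 == 0:
        t = t[1:] + t[:1]             # RotWord
        t = [SBOX[b] for b in t]      # SubWord
        t[0] ^= RCON[i // 4 - 1]      # Rcon
    return [a ^ b for a, b in zip(back4, t)]


def expand_aes128_key(key: bytes) -> bytes:
    """16-byte key -> 176-byte schedule (11 round keys), as stored by AES code."""
    if len(key) != 16:
        raise ValueError("AES-128 key must be 16 bytes")
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    for i in range(4, 44):
        w.append(_next_word(w[i - 1], w[i - 4], i))
    return bytes(b for word in w for b in word)


def _schedule_at(image: bytes, off: int) -> bool:
    """True if image[off:off+176] satisfies the AES-128 key-schedule relation.

    Words are checked one at a time and the first mismatch ends the test, so a
    random offset is rejected after one word of work."""
    word = lambda i: list(image[off + 4 * i: off + 4 * i + 4])
    for i in range(4, 44):
        if _next_word(word(i - 1), word(i - 4), i) != word(i):
            return False
    return True


def find_aes128_keys(image: bytes) -> list[tuple[int, str]]:
    """Return (offset, key_hex) for every AES-128 key schedule found in image."""
    hits = []
    for off in range(0, len(image) - SCHEDULE_LEN + 1):
        if _schedule_at(image, off):
            hits.append((off, image[off:off + 16].hex()))
    return hits


# Constructed sample "memory image": random filler around one real key schedule.
FIPS_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")  # FIPS-197 A.1 test key


def build_sample_image(seed: int = 1234, offset: int = 1000) -> bytes:
    rng = random.Random(seed)
    filler = lambda n: bytes(rng.randrange(256) for _ in range(n))
    return filler(offset) + expand_aes128_key(FIPS_KEY) + filler(2000)


if __name__ == "__main__":
    for off, key in find_aes128_keys(build_sample_image()):
        print(f"AES-128 key schedule at offset {off:#x}: key {key}")
```

The scan is linear in the image size with an early-exit test per offset, which is what makes it practical on multi-gigabyte dumps; the same relation holds for AES-192 and AES-256 with longer schedules. A recovered key is only useful together with knowledge of which encryption software owned it, which is exactly the kind of context the process and module listings from the rest of the image provide. The S-box is generated from its definition rather than pasted as a 256-entry table only to keep the example self-contained.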

• Introduction
• Linux OS Memory Forensics
• Windows OS Memory Forensics
• Mac OS Memory Forensics