RAM holds what the disk never sees — running malware, decrypted data, network connections, and injected code. Analyze a memory capture to catch what hides from disk.
Why: memory captures the live state of a system — processes actually running, network connections, decrypted secrets, and fileless/injected malware that never touches disk — so it reveals threats disk forensics misses. When: analyze the RAM capture you took during evidence collection (before shutdown). Where: modern malware increasingly lives only in memory, making memory forensics essential, not optional.
RAM contains what disk analysis can't see:
- processes truly running right now (incl. hidden/injected)
- active network connections (C2 channels)
- decrypted data + credentials/keys in cleartext
- fileless malware / code injected into legit processes
- command history and open handles
This is why you capture memory BEFORE powering the machine off.Why: Volatility parses a raw memory image into meaningful structures — process lists, network connections, loaded modules — so you can inspect the live state offline. When: run the plugins matching your questions (what was running? what was it talking to?). Where: comparing the process list from memory against what "should" be there surfaces injected or hidden processes.
# Volatility 3 on a memory capture (read-only):
vol -f memory.raw windows.pslist # running processes
vol -f memory.raw windows.netscan # network connections (find C2)
vol -f memory.raw windows.cmdline # process command lines
vol -f memory.raw windows.malfind # injected/hidden code regions
# Linux profiles exist too (linux.pslist, linux.bash, ...).Why: the highest-value memory findings are the things trying to hide — code injected into a legitimate process, or a process unlinked from the normal list — which memory analysis exposes by inspecting structures the malware cannot fully clean. When: hunt for anomalies: unusual parent-child process relationships, unexpected network owners, executable memory in odd places. Where: extract the suspicious region and pivot to malware triage (next lesson) to understand it.
Memory red flags:
- a process with NO backing file on disk (fileless)
- executable + writable memory in a normal process (code injection)
- odd parent/child (e.g. Word spawning powershell spawning cmd)
- a connection to a suspicious IP owned by an unexpected process
- hidden processes (present in memory, absent from the API list)
Dump the suspicious module/region, then analyze it as malware (next lesson).