Memory Forensics

S Abhishek
2 min readJul 13, 2021



  • When a Cyber Attack happens, in order to eliminate such sort of future attack, it’s very important to know how the security breach has had happened.
  • This is done using Memory Forensics.

What Is Memory Forensics?

Memory forensics is the process of collecting memory dumps and analyzing them for evidence of how a cyber crime happened, to backtrack events that led to a successful security breach etc.

  • This is usually done after a cyberattack, but cybersecurity specialists can also do this as a routine check-up for malicious injections that could be running in the system.
  • Memory forensics is used to analyze the volatile data in a computer’s memory dump.

Importance of Memory Forensics

  • Memory forensics provides the details of runtime system activity, recently executed commands or processes, account credentials, chat messages, encryption keys, running processes, injected code fragments, internet history, network connections, etc.
  • All programs ( malicious or otherwise ) must be loaded in memory in order to execute, making memory forensics difficult.
  • Memory Forensics is done in three phases as Retrieval, Analysis, and Documentation.

Memory Acquisition/Retrieval/Extraction

  • The first part of memory forensics is the acquisition/retrieval phase where all the activities and the actions that were taken place in a computer are recorded in the system’s memory to see when and where the cyberattack began.

Example: Retrieving an airplane’s black box after a crash.

  • The system’s memory is retrieved by performing a memory dump where data in a system’s RAM such as browsing history, chat messages, and clipboard contents, etc are read and transferred to a storage device.
  • Retrieving RAM data is important since this is volatile data which means that when a computer is powered off, data is lost immediately.

Example: Your unsaved work will be lost if the computer lose power before it’s saved.

Evidence Analysis

  • The second phase is memory analysis where the system’s memory dump is analyzed for the signs of malicious activities, hidden folders, and to retrieve deleted or encrypted files.


  • The last phase of memory forensics is the documentation phase where all pieces of evidence and significant activities discovered during memory analysis are thoroughly analyzed and a report is generated.


  • When a cyber-attack happens, it’s crucial to know when and how it happened so vulnerabilities can be addressed and cybercriminals can be tracked down.
  • If you’re worried about your cybersecurity, now is a good time to do your own memory forensics to see if you have been compromised.



S Abhishek

Data Engineer Intern @Rolls-Royce | Computer Science Undergraduate | Amrita Vishwa Vidyapeetham | Former Member of security research & CTF team — @teambi0s.