Week 7: Memory Forensics

Week-7: Memory Forensics

Ali Jaddoa

Ali.Jaddoa@Roehampton.ac.uk


25/26

Today's topics

  • Fundamentals of memory and random-access memory
  • Role of RAM in cyber security
  • Different sources of memory
  • RAM acquisition
  • Methods and tools that can process volatile memory
  • RAM memory forensics limitations

What is random access memory (RAM)?

What does it do?


RAM

  • It is used to temporarily store working data/code on an active computer system.
  • It is a type of computer memory; data can be read from and written to RAM at extremely fast speeds.
  • It is a vital source of digital evidence: it contains information about the current running state of the system before you shut it down.

For example, it contains information about any running programs and about the network connections the host has with other peers. This could be a legitimate use of peer-to-peer file sharing, or it could show a link to the attacker’s host.


RAM's Features

  • Temporary (YET primary), unlike long-term storage.
  • Exists as physical & virtual memory.
  • Volatile - loses data without power.

Volatile data

  • Data constantly changes.
  • Lost if power is removed.
  • Stored in RAM:
    • Static RAM (SRAM) chips
    • Dynamic RAM (DRAM) chips

Type of RAM

Static RAM (SRAM)

  • Faster and more energy-efficient.
  • Used as CPU cache memory.
  • Stores BIOS settings in CMOS SRAM.
  • Requires power (‘CMOS battery’) to retain data.

Dynamic RAM (DRAM)

  • Cheaper to produce than SRAM.
  • Commonly used for main system memory.
  • Data must be periodically refreshed.

Types of SDRAM

Synchronous DRAM (SDRAM)

  • Syncs with the system bus.
  • Faster than standard DRAM.
  • Reads/writes one WORD (16 bits/2 bytes) at a time.

Double Data Rate SDRAM (DDR SDRAM)

  • Reads/writes two WORDs (each 16 bits/2 bytes) at a time.
  • DDR1 has 2× the bandwidth of SDRAM.

Activity: Identifying Artefacts in RAM (5 mins)

List some of the potential artefacts stored in RAM. What can you find?


RAM

RAM holds volatile data that reflects the system's current state. Common artefacts include:

  • Running Processes - Active applications and background services.
  • Open Network Connections - IP addresses, ports, and active sessions.
  • Decryption Keys & Passwords - Sensitive credentials stored temporarily.
  • Clipboard Data - Copied text, images, and files.
  • Unwritten Files & Cached Data - Documents, browser history, and system logs.
  • Malware & Attack Traces - Indicators of compromise, injected code, or exploits.

RAM analysis is crucial in digital forensics for extracting volatile evidence before it disappears.


Activity: The Role of Memory Forensics in Cybersecurity

In pairs, take 5 minutes to consider:

  1. Malware Detection
  2. Memory Exploits
  3. Encryption & RAM
  4. Authentication & Security

Please make some notes for discussion.


RAM Acquisition


Order of volatility

  1. Registers, cache
  2. Routing table, ARP cache, processes, memory
  3. Temporary file systems
  4. Disk
  5. Remote logging/monitoring data
  6. Physical configuration, network topology
  7. Archived data

RAM Acquisition: Avoid Destroying Evidence

DON’T

  • Don’t shut down before collecting live evidence.
  • Don’t trust system tools: if possible, use your own.

DO

  • Do use tools with the smallest, known footprint.
  • Do prefer the terminal whenever practical.
  • Do use scripts to minimise, control, and audit actions (and automate your work).

RAM lives in physical chips only, right?

  • A system’s RAM consists of two key components when live:
    • Physical RAM
    • Pagefile
  • Both are needed for the full picture in memory analysis.
  • Now, what about hibernation?

Risks of RAM acquisition

  • Volatility - Data life expectancy is short.
  • Accuracy - Are results reliable?
  • Intrusiveness - Can tools alter evidence?
  • Repeatability - Analysis is repeatable, acquisition is not.

RAM Acquisition Methodology

The ACPO Guide advises:

  1. Risk Assessment
    • Ensure acquisition is necessary and safe.
  2. Insert Data Carrier & Start Acquisition
    • Use trusted forensic tools with minimal system impact.
  3. Stop & Remove Data Carrier
    • Prevent tampering or modifications.
  4. Verify Data on a Separate Machine
    • Check integrity using hashes (MD5, SHA-256).
  5. Follow Standard Procedures
    • Maintain chain of custody, document findings, ensure repeatability.

Tools

1. RAM Acquisition Tools

2. Memory Analysis Tools

3. Live Forensics & Monitoring


1. RAM Acquisition Tools


2. Memory Analysis Tools


3. Live Forensics & Monitoring


Example: Locally on the Suspect Machine

  • Modern Linux systems restrict access to kernel memory to prevent attacks.
  • fmem: Linux kernel module
    • Creates /dev/fmem to provide direct RAM access.
  • Using the dd command
    • Reads and writes data bit-by-bit from a media device or file.
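Acquisition with fmem and dd, followed by the hash verification that the ACPO methodology above calls for, as an added shell example (not part of the lecture material). It assumes the fmem module is already loaded so /dev/fmem exists, that dd, sha256sum and awk are available from the trusted data carrier, and that the source device, output directory and RAM size in MiB are supplied by the examiner; any file used to try it out is a constructed stand-in for /dev/fmem.

```shell
#!/bin/sh
# Added example, not from the lecture: acquire a RAM image from the
# /dev/fmem device (assumes the fmem kernel module is already loaded),
# hash it at acquisition time, and re-verify the hash later on the
# analysis machine. Paths and sizes are examiner-supplied assumptions.

# acquire_ram SOURCE OUT_DIR SIZE_MB
#   Copies SIZE_MB MiB from SOURCE (e.g. /dev/fmem, which has no end
#   marker, so a count is mandatory) to OUT_DIR/ram.img, records its
#   SHA-256 next to it and appends an acquisition log entry.
#   Prints the SHA-256 hex digest; returns non-zero on any failure.
acquire_ram() {
    src="$1"; out="$2"; size_mb="$3"
    img="$out/ram.img"
    mkdir -p "$out" || return 1
    # Fixed block size and count: the only writes go to the data carrier.
    dd if="$src" of="$img" bs=1M count="$size_mb" 2>"$out/dd.log" || return 1
    sha256sum "$img" > "$img.sha256" || return 1
    printf '%s acquired %s from %s (%s MiB) on host %s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$img" "$src" "$size_mb" "$(uname -n)" \
        >> "$out/acquisition.log"
    awk '{print $1}' "$img.sha256"
}

# verify_ram_image IMAGE
#   Recomputes the SHA-256 of IMAGE and compares it with the digest
#   recorded at acquisition (IMAGE.sha256). Returns 0 on match, 1 if the
#   image no longer matches and must be treated as unreliable.
verify_ram_image() {
    img="$1"
    recorded=$(awk '{print $1}' "$img.sha256") || return 1
    actual=$(sha256sum "$img" | awk '{print $1}') || return 1
    [ -n "$recorded" ] && [ "$recorded" = "$actual" ]
}

# Typical use on the suspect machine (root, module loaded, carrier mounted):
#   acquire_ram /dev/fmem /mnt/carrier/case001 16384
# and later on the analysis machine:
#   verify_ram_image /mnt/carrier/case001/ram.img && echo "image intact"
```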

Example: Remotely


Identifying Sources of Memory

  • What if volatile data cannot be collected?
    • Direct RAM analysis may not always be possible.

Alternative Memory Sources

  • Hibernation File (hiberfil.sys) - Stores RAM contents when the system hibernates.
  • Pagefile (pagefile.sys) - Virtual memory file used for paging active RAM data.
  • Swapfile (swapfile.sys) - Stores suspended Windows app data to free RAM.
  • Crash Dump (memory.dmp) - Captures RAM state when a system crashes (BSOD).
  • Kernel Memory Dump - Contains critical kernel-mode memory post-crash.
  • Small Dump Files - Logs running processes & loaded drivers at crash time.

Lab

  1. Please review your lab from here.
  2. Extra
    1. Infosec: Memory Forensics
    2. Volatility Workbench
    3. TryHackMe: Memory Forensics


## SRAM vs DRAM

- **Not quite…**

1. **Risk Assessment**
   - Determine if RAM acquisition is necessary and safe.
   - Assess potential impact on the system and data integrity.
2. **Insert Data Carrier & Start Acquisition**
   - Use a trusted external device (Data Carrier) with preloaded forensic tools.
   - Ensure minimal system interaction to prevent contamination.
3. **Stop & Remove the Data Carrier**
   - Once acquisition is complete, safely eject the device.
   - Prevent accidental overwrites or system modifications.
4. **Verify Data on a Separate Machine**
   - Analyse the acquired RAM image on a **forensically sound** system.
   - Use checksum/hash verification to confirm data integrity.
5. **Commence Standard Acquisition Process**
   - Follow forensic procedures for further analysis.
   - Document findings, maintain chain of custody, and ensure repeatability.

- **Rekall** - Advanced memory analysis and incident response.

- **NetworkMiner** - Network packet analysis with memory inspection features.