The fundamentals of Memory Forensics

July 2016

The trends in digital forensics are in constant evolution. More and more, traditional computer investigation has given way to new research methods focussing on Live Forensics. Among these new working methods, have you heard about Memory Forensics?

What is it?
Memory Forensics is a procedure taking place in real time, which captures the memory dump, and sorts and analyzes the information on systems. It is a method of numerical analysis that is used to collect volatile components of evidence in real time.

The limits of traditional investigation
Hackers continually develop new ways of accessing IT systems. More and more sophisticated malware and the injection of code directly into the RAM (floating code) make the task of the cyber investigators increasingly arduous.

In parallel to these tricks used by the authors of computer fraud, the technology continues to evolve (just think of the increase in the capacity of hard disks). This makes “traditional” Digital Forensics, which requires bit-by-bit copying of data from a hard disk and memory, less effective.

As a consequence, the analysis in real time of the RAM of systems makes it possible to obtain crucial information during a cyber investigation.

Pushing the limits of analysis

This technique has a lot of advantages for cyber investigators, who then have access to data directly from the RAM of a system, that is to say on what is happening in real time. Among the positive points, three advantages stand out.

1- It gives access to a part of the computer where suspicious software activities can be identified more effectively than on the hard disk drive, by making it possible:

  • To study a system’s configuration while it is running;
  • To identify contradictions present in the system (entropy principle) between what is happening in the memory and on the hard drive;
  • To disclose methods and tools of obfuscation used by the packer, binary obfuscators and rootkits designed for this purpose.

2- It can analyze and track recent activities on a system by making it possible:

  • To identity all the activities in progress in their context;
  • To trace the profile of the user or pirate, according to the activities.

3- It collects evidence that cannot be found otherwise or which could disappear during a reboot, for example:

  • Malware which resides in the memory only (code injection);
  • Communications via chatting software,
  • Internet browsing activities.


Carrying out a Memory Forensics investigation will require in-depth knowledge of the most recent trends in the field. Here are the six main stages that an investigation should cover:

  • Identifying the rogue processes posing as legitimate processes by heuristic methods
  • Detecting anomalies in the treatment of objects being processed (DLLs, Registers, Threads, etc.),
  • Examining the network artifacts and the communication ports used by the processes of the system in memory to determine the suspect elements;
  • Searching for evidence of code injection and methods of obfuscation;
  • Searching for signs of the presence of a rootkit by the hooking detection method;
  • Making a copy of the process in memory and the drivers of the suspect system.

Of course, investigations carried out in real time require very extensive technological expertise, especially in view of preserving the integrity of the evidence collected. Our team is trained to run Memory Forensics type investigations. If you get stuck trying to obtain results with traditional investigation methods, contact us.