RAM Image
Overview
Evidence: RAM Image
Description: Create an image of RAM
Category: Memory
Platform: linux
Short Name: ram
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
This collector gathers RAM information from the Linux system by creating a RAM image. This data is essential for understanding system activity, detecting security incidents, and investigating system-related events.
Data Collected
This collector gathers structured data about the RAM image.
RAM Image Data
| Field | Description | Example |
|---|---|---|
| Path | Path to the RAM image file | Example value |
| FileSize | Size of the RAM image file | 123.45 |
Collection Method
This collector creates a RAM image and records its metadata in the ram_image table.
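As an added illustration (not the collector's own code), the following records an acquired image's Path and FileSize in a `ram_image` table; the SQLite schema, the column names and the sample image file are assumptions, and an empty image is rejected because it indicates a failed acquisition.

```python
import os
import sqlite3
import tempfile

def create_ram_image_table(conn):
    # Hypothetical schema mirroring the Path and FileSize fields above.
    conn.execute(
        "CREATE TABLE IF NOT EXISTS ram_image "
        "(path TEXT NOT NULL, file_size INTEGER NOT NULL)"
    )
    conn.commit()

def record_ram_image(conn, image_path):
    """Stat the acquired image and store its path and size in ram_image.
    Returns the (path, file_size) row that was recorded."""
    if not os.path.isfile(image_path):
        raise FileNotFoundError(f"RAM image not found: {image_path}")
    size = os.path.getsize(image_path)
    if size == 0:
        # An empty image means acquisition failed; do not record it as evidence.
        raise ValueError(f"RAM image is empty: {image_path}")
    path = os.path.abspath(image_path)
    conn.execute(
        "INSERT INTO ram_image (path, file_size) VALUES (?, ?)", (path, size)
    )
    conn.commit()
    return (path, size)

def load_ram_images(conn):
    """Return all recorded (path, file_size) rows."""
    return conn.execute(
        "SELECT path, file_size FROM ram_image ORDER BY path"
    ).fetchall()

def demo():
    # Constructed sample: a 4 KiB file standing in for a real memory image.
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "ram.img")
        with open(image, "wb") as f:
            f.write(b"\x00" * 4096)
        conn = sqlite3.connect(":memory:")
        create_ram_image_table(conn)
        record_ram_image(conn, image)
        return load_ram_images(conn)

if __name__ == "__main__":
    print(demo())
```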
Forensic Value
This evidence is crucial for forensic investigations as it provides volatile memory content and metadata. It helps investigators analyze in-memory artifacts, detect malware, and investigate runtime behaviors. Analysts can use this information to identify malicious processes, extract credentials, and assess Linux security posture.