RAM Image
Overview
Evidence: RAM Image
Description: Create an image of RAM
Category: Memory
Platform: windows
Short Name: ram
Is Parsed: No
Sent to Investigation Hub: Yes
Collect File(s): Yes
Background
Physical memory (RAM) contains all actively running processes, loaded modules, network connections, decrypted data, and other volatile system state. A memory dump captures the exact state of RAM at the moment of acquisition.
Memory forensics can reveal malware that exists only in memory (fileless malware), decrypted content, passwords, encryption keys, network communications, and kernel-level rootkits that may not be detectable through file system analysis.
Data Collected
This collector gathers structured data about the acquired RAM image.
RAM Image Data
| Field | Description | Example |
|---|---|---|
| Path | Path to the collected memory image file | Example value |
| FileSize | File size | 123.45 |
Collection Method
This collector uses a kernel driver to:
- Enumerate physical memory ranges via IoctlEnumPhysicalMemoryRanges
- Read each memory page using IoctlReadPhysicalMemory
- Write pages sequentially to create a raw memory image
- Fill unmapped regions with zeros to maintain proper addressing
The resulting file is a complete physical memory dump in raw format compatible with memory analysis tools like Volatility.
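The page-by-page layout described above, as an added example that is not the collector's or driver's own code: a Python model in which the two IOCTLs are stood in for by a plain list of `(start, length)` ranges and a `read_page(addr)` callable that returns one page or `None`. The sample ranges and page contents are constructed for the demonstration; the image is built with file offset equal to physical address, holes between ranges and unreadable pages are zero-filled, and a SHA-256 of the result is computed as a customary acquisition record (the page does not state that the collector does this).

```python
import io
import hashlib

PAGE_SIZE = 0x1000  # 4 KiB pages, the granularity the driver reads at

# Constructed sample memory map: two mapped ranges with an unmapped hole
# between them (pages 3 and 4). Illustrative values, not from any real host.
SAMPLE_RANGES = [
    (0x0000, 0x3000),  # pages 0, 1, 2
    (0x5000, 0x2000),  # pages 5, 6
]


def sample_page_reader(addr):
    """Stand-in for IoctlReadPhysicalMemory: return one page of bytes for a
    mapped address, None when the page cannot be read. Each mapped page is
    filled with its page number so the output layout can be verified."""
    for start, length in SAMPLE_RANGES:
        if start <= addr < start + length:
            return bytes([(addr // PAGE_SIZE) & 0xFF]) * PAGE_SIZE
    return None


def build_raw_image(ranges, read_page, out):
    """Write a raw physical memory image in which file offset == physical address.

    ranges:    iterable of page-aligned (start, length) tuples, as an
               enumerate-ranges call would report them
    read_page: callable(addr) -> PAGE_SIZE bytes, or None if unreadable
    out:       binary writable file object

    Holes between ranges and pages the reader cannot return are written as
    zeros, so every later page lands at its physical offset.
    Returns (bytes_written, pages_read, pages_zeroed).
    """
    pages_read = pages_zeroed = 0
    cursor = 0  # physical address == current file offset
    for start, length in sorted(ranges):
        if start % PAGE_SIZE or length % PAGE_SIZE:
            raise ValueError("ranges must be page aligned")
        if start < cursor:
            raise ValueError("overlapping ranges")
        # Zero-fill the gap between the previous range and this one, a page
        # at a time so a large hole does not need a large buffer.
        while cursor < start:
            out.write(bytes(PAGE_SIZE))
            pages_zeroed += 1
            cursor += PAGE_SIZE
        for addr in range(start, start + length, PAGE_SIZE):
            page = read_page(addr)
            if page is None or len(page) != PAGE_SIZE:
                page = bytes(PAGE_SIZE)  # keep addressing intact
                pages_zeroed += 1
            else:
                pages_read += 1
            out.write(page)
            cursor += PAGE_SIZE
    return cursor, pages_read, pages_zeroed


def image_from(ranges, read_page):
    """Build the image into memory; return (image_bytes, (size, read, zeroed))."""
    buf = io.BytesIO()
    stats = build_raw_image(ranges, read_page, buf)
    return buf.getvalue(), stats


def page_at(image, phys_addr):
    """Raw format: look up a physical page by using the address as the offset."""
    return image[phys_addr:phys_addr + PAGE_SIZE]


def acquire_sample():
    """Build the constructed sample image and hash it for the acquisition record."""
    image, (size, nread, nzero) = image_from(SAMPLE_RANGES, sample_page_reader)
    return size, nread, nzero, image, hashlib.sha256(image).hexdigest()


if __name__ == "__main__":
    size, nread, nzero, image, digest = acquire_sample()
    print(f"image size {size:#x}, pages read {nread}, pages zeroed {nzero}")
    print(f"page 3 (hole) is all zero: {page_at(image, 0x3000) == bytes(PAGE_SIZE)}")
    print(f"sha256 {digest}")
```

Because the raw format keeps physical addresses as file offsets, an analysis tool can seek straight to a page without a translation table; that is why zero-filling holes and unreadable pages matters, since dropping them would shift every later page and corrupt addressing for the whole image.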
Forensic Value
Memory dumps are essential for advanced malware analysis and incident response. Investigators use memory forensics to detect fileless malware, extract process memory for malware analysis, recover encryption keys and passwords, identify network connections and malware C2, analyze kernel rootkits and drivers, extract browser history and clipboard data, and identify code injection and process hollowing.