Abstract
Computer memory (RAM) is a rich source of forensic artifacts because it holds the data the computer has worked with since it was last booted. Moreover, data must be present in memory in its plaintext form while a program is using it, since encrypted data is not meaningful to the user until it is decrypted. From a forensic perspective, a memory dump can therefore contain vital information such as passwords, decrypted copies of encrypted data, and malware in its unpacked, running form. This chapter gives the reader an introduction to memory analysis with the open source tool Volatility. Using Volatility, rather than treating a memory dump as one large blob of bytes, lets the examiner carry out a structured analysis that recovers operating-system objects rather than loose strings. The chapter demonstrates how to use Volatility to find several key artifacts, including the list of user accounts on the system, files loaded into memory, and information relating to TrueCrypt, a disk-encryption tool. The aim of the chapter is to show the reader the basic functionality of Volatility so that the reader can continue to learn memory analysis independently.
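The contrast the abstract draws, between treating a dump as a blob of bytes and parsing the structures that the operating system left in it, is illustrated by the following added example. It is not code from the chapter or from Volatility: it builds a small constructed "memory image" containing a few process records in an invented 28-byte layout (a 4-byte tag, pid, ppid, NUL-padded name), then finds them the way Volatility's pool-tag scanners such as psscan find _EPROCESS objects: locate every occurrence of the tag, parse the fixed layout at that offset, and keep only candidates that pass sanity checks. A strings-style search over the same image finds a decoy TrueCrypt passphrase but no structure around it. The record layout, tag, sanity-check thresholds and sample strings are all assumptions of this example.

```python
"""Structured scan versus blob-style string search over a constructed image.

The record layout below is invented for this example; it is not a Windows
kernel structure and the scanner is not Volatility's implementation.
"""
import random
import re
import struct
from dataclasses import dataclass
from typing import List

TAG = b"Proc"                          # assumed pool-style tag for the example
RECORD = struct.Struct("<4sII16s")     # tag, pid, ppid, NUL-padded name
MAX_PID = 65536                        # sanity bound assumed for validation


@dataclass
class ProcessRecord:
    offset: int
    pid: int
    ppid: int
    name: str


def _pack(pid: int, ppid: int, name: str) -> bytes:
    return RECORD.pack(TAG, pid, ppid, name.encode("ascii").ljust(16, b"\0"))


def build_sample_image(seed: int = 7) -> bytes:
    """Constructed 'memory image': deterministic random filler, three
    process records at arbitrary offsets, a loose text that happens to
    contain the tag, and a decoy passphrase string."""
    rnd = random.Random(seed)

    def filler(n: int) -> bytes:
        return bytes(rnd.getrandbits(8) for _ in range(n))

    return b"".join([
        filler(1500),
        _pack(4, 0, "System"),
        filler(900),
        b"Processor: Intel(R) Core(TM) i7\0",   # contains "Proc" but is not a record
        filler(700),
        _pack(1320, 4, "explorer.exe"),
        filler(300),
        b"TrueCrypt volume passphrase: correct horse battery\0",  # constructed decoy
        filler(1200),
        _pack(2044, 1320, "notepad.exe"),
        filler(800),
    ])


def scan_processes(image: bytes) -> List[ProcessRecord]:
    """Tag scan: find every occurrence of TAG, parse the fixed layout at
    that offset and keep only hits that pass sanity checks. The checks are
    what separate real objects from text or random bytes that merely
    contain the tag (the same idea as psscan validating _EPROCESS hits)."""
    found: List[ProcessRecord] = []
    pos = image.find(TAG)
    while pos != -1:
        if pos + RECORD.size <= len(image):
            _, pid, ppid, raw_name = RECORD.unpack_from(image, pos)
            name = raw_name.split(b"\0", 1)[0]
            padding_ok = raw_name[len(name):].strip(b"\0") == b""
            if (0 < pid < MAX_PID and ppid < MAX_PID and name and padding_ok
                    and all(0x20 <= b < 0x7F for b in name)):
                found.append(ProcessRecord(pos, pid, ppid, name.decode("ascii")))
        pos = image.find(TAG, pos + 1)
    return found


def naive_strings(image: bytes, min_len: int = 8) -> List[str]:
    """Blob-style search, equivalent to running `strings` over the dump:
    it can surface a passphrase, but yields no structure (which process,
    which pid) and plenty of noise from random bytes."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, image)]


if __name__ == "__main__":
    img = build_sample_image()
    for rec in scan_processes(img):
        print(f"0x{rec.offset:06x}  pid={rec.pid:<5} ppid={rec.ppid:<5} {rec.name}")
    for s in naive_strings(img):
        if "TrueCrypt" in s:
            print("strings-style hit:", s)
```

The "Processor: ..." text shows why validation matters: it contains the tag, so a scanner without sanity checks would report a process with a nonsense pid. In Volatility 2 the corresponding real plugins are pslist and psscan for processes, filescan and dumpfiles for files in memory, hashdump and getsids for user accounts, and truecryptsummary, truecryptmaster and truecryptpassphrase for TrueCrypt artifacts.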
© 2017 The Author(s)
About this chapter
Cite this chapter
Kävrestad, J. (2017). Basic Memory Analysis. In: Guide to Digital Forensics. SpringerBriefs in Computer Science. Springer, Cham. https://doi.org/10.1007/978-3-319-67450-6_11
DOI: https://doi.org/10.1007/978-3-319-67450-6_11
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-67449-0
Online ISBN: 978-3-319-67450-6
eBook Packages: Computer Science (R0)