Skip to main content
SpringerLink
Log in

Basic Memory Analysis

  • Chapter
  • First Online:
Guide to Digital Forensics

Part of the book series: SpringerBriefs in Computer Science ((BRIEFSCOMPUTER))

  • 2081 Accesses

Abstract

Computer memory (RAM) is a great source of forensic artifacts as it contains information that the computer worked on since the last reboot. Also, information must take its true unencrypted form in memory, in order to be meaningful for the user. From a forensic perspective, a memory dump can contain vital information such as passwords, decrypted versions of encrypted data and malware in its true form. This chapter provides the reader with an introduction to memory analysis using the open source tool Volatility. Using Volatility rather than treating a memory dump as a big blob of data allows the examiner to complete a more structured analysis. This chapter demonstrates how to use Volatility to find several key artifacts including list of user on the system, files loaded into memory and information relating to Truecrypt, a tool used for encryption. The aim of the chapter is to show the reader the basic functionality of Volatility so that the reader can continue to learn memory analysis on his own.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 44.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 59.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

References

  • Ligh, M. H., Case, A., Levy, J., & Walters, A. (2014). The art of memory forensics: Detecting malware and threats in windows, linux, and Mac memory. Wiley.

    Google Scholar 

  • Volatility Foundation. (2017). Volatility Foundation. Available Online: http://www.volatilityfoundation.org/ [Fetched: 2017-07-06].

Download references

Author information

Authors and Affiliations

  1. University of Skövde, Skövde, Sweden

    Joakim Kävrestad

Authors
  1. Joakim Kävrestad
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Joakim Kävrestad .

Rights and permissions

Reprints and permissions

Copyright information

© 2017 The Author(s)

About this chapter

Cite this chapter

Kävrestad, J. (2017). Basic Memory Analysis. In: Guide to Digital Forensics. SpringerBriefs in Computer Science. Springer, Cham. https://doi.org/10.1007/978-3-319-67450-6_11

Download citation

  • DOI: https://doi.org/10.1007/978-3-319-67450-6_11

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-67449-0

  • Online ISBN: 978-3-319-67450-6

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation