RAM Image
Overview
Evidence: RAM Image
Description: Create an image of RAM
Category: Memory
Platform: Windows
Short Name: ram
Is Parsed: No (raw memory image)
Sent to Investigation Hub: Yes
Collect File(s): No
Background
Physical memory (RAM) contains all actively running processes, loaded modules, network connections, decrypted data, and other volatile system state. A memory dump captures the exact state of RAM at the moment of acquisition.
Memory forensics can reveal malware that exists only in memory (fileless malware), decrypted content, passwords, encryption keys, network communications, and kernel-level rootkits that may not be detectable through file system analysis.
Data Collected
Field: Path
Description: Path to the RAM image file
Example: RAM/memory.raw

Field: FileSize
Description: Total size of the memory dump in bytes
Example: 17179869184 (16 GiB)
Collection Method
This collector uses a kernel driver to:
Enumerate physical memory ranges via IoctlEnumPhysicalMemoryRanges
Read each memory page using IoctlReadPhysicalMemory
Write the pages sequentially to build a raw memory image
Fill unmapped regions with zeros so that each file offset equals the corresponding physical address
The resulting file is a complete physical memory dump in raw format compatible with memory analysis tools like Volatility.
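The address-preserving layout described above is the property analysis tools rely on: in a raw image, file offset N holds the byte at physical address N. The following added example (not the product's driver code) models the four collection steps in Python with a constructed fake physical memory map so it runs offline; IoctlEnumPhysicalMemoryRanges and IoctlReadPhysicalMemory are the IOCTL names from this page, while the stand-in functions, the sample ranges and the page contents are assumptions made for the demonstration.

```python
import hashlib
import io
from typing import Dict, List, Optional, Tuple

PAGE_SIZE = 0x1000  # 4 KiB, the base page size on x86/x64 Windows

# Constructed sample layout (not a real machine): two usable RAM ranges
# with a reserved hole between them, as a physical memory map typically has.
FAKE_RANGES: List[Tuple[int, int]] = [
    (0x0000, 0x3000),  # physical 0x0000..0x2FFF (3 pages)
    (0x5000, 0x2000),  # physical 0x5000..0x6FFF (2 pages)
]
# Constructed page contents: each page is filled with (page number + 1)
# so that every mapped page is distinguishable from zero-fill.
FAKE_PAGES: Dict[int, bytes] = {
    addr: bytes([((addr >> 12) + 1) & 0xFF]) * PAGE_SIZE
    for base, length in FAKE_RANGES
    for addr in range(base, base + length, PAGE_SIZE)
}


def enum_physical_memory_ranges() -> List[Tuple[int, int]]:
    """Stand-in for IoctlEnumPhysicalMemoryRanges: sorted (base, length) pairs."""
    return sorted(FAKE_RANGES)


def read_physical_memory(addr: int) -> Optional[bytes]:
    """Stand-in for IoctlReadPhysicalMemory: one page, or None if the read fails."""
    return FAKE_PAGES.get(addr)


def acquire_raw_image(out) -> dict:
    """Write a raw image to `out` such that file offset == physical address.

    Gaps between ranges, and pages whose read fails, are written as zeros so
    the addressing stays intact for analysis tools. Returns acquisition stats.
    """
    sha256 = hashlib.sha256()
    cursor = 0  # next physical address to be written == current file offset
    stats = {"pages_read": 0, "pages_zeroed": 0, "bytes_written": 0}

    def emit(chunk: bytes) -> None:
        nonlocal cursor
        out.write(chunk)
        sha256.update(chunk)
        cursor += len(chunk)

    for base, length in enum_physical_memory_ranges():
        if base < cursor:
            raise ValueError(f"overlapping range at {base:#x}")
        if base % PAGE_SIZE or length % PAGE_SIZE:
            raise ValueError("ranges must be page-aligned")
        if base > cursor:  # reserved hole: zero-fill to preserve offsets
            stats["pages_zeroed"] += (base - cursor) // PAGE_SIZE
            emit(b"\x00" * (base - cursor))
        for addr in range(base, base + length, PAGE_SIZE):
            page = read_physical_memory(addr)
            if page is None:  # unreadable page: zero-fill, never shift offsets
                stats["pages_zeroed"] += 1
                page = b"\x00" * PAGE_SIZE
            else:
                stats["pages_read"] += 1
            emit(page)

    stats["bytes_written"] = cursor
    stats["sha256"] = sha256.hexdigest()  # record beside the image for integrity checks
    return stats


def acquire_to_bytes() -> Tuple[bytes, dict]:
    """Run the acquisition into memory (for tests and small demonstrations)."""
    buf = io.BytesIO()
    stats = acquire_raw_image(buf)
    return buf.getvalue(), stats


def page_at(image: bytes, phys_addr: int) -> bytes:
    """Read a physical page from a raw image: the offset is the address itself."""
    return image[phys_addr:phys_addr + PAGE_SIZE]


if __name__ == "__main__":
    image, stats = acquire_to_bytes()
    print(f"image size {stats['bytes_written']:#x} bytes, "
          f"{stats['pages_read']} pages read, {stats['pages_zeroed']} zero-filled")
    print("page at 0x5000 starts with", page_at(image, 0x5000)[:4].hex())
```

Two design points carry over to a real acquisition. First, a failed page read is zero-filled rather than skipped, because skipping would shift every later offset and silently corrupt the address mapping for the whole rest of the image. Second, the hash is computed over the bytes as they are written, so the image can be verified later without re-reading the file; a production collector would also emit the zero-fill in bounded chunks instead of one allocation per gap.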
Usage
Memory dumps are essential for advanced malware analysis and incident response. Investigators use memory forensics to detect fileless malware, extract process memory for malware analysis, recover encryption keys and passwords, identify network connections and malware C2, analyze kernel rootkits and drivers, extract browser history and clipboard data, and identify code injection and process hollowing.
Known Limitations
Requires kernel driver
Not available on ARM64 systems
Very large output file (as large as the installed RAM)
Collection time depends on RAM size
Requires significant storage space
May trigger antivirus alerts
Notes
Memory acquisition should be performed as early as possible in an investigation, because RAM is volatile and changes constantly. The memory image can be analyzed with tools like Volatility, Rekall, or commercial memory forensics platforms.