RAM Image

Overview

Evidence: RAM Image Description: Create an image of RAM Category: Memory Platform: windows Short Name: ram Is Parsed: No Sent to Investigation Hub: Yes Collect File(s): Yes

Background

Physical memory (RAM) contains all actively running processes, loaded modules, network connections, decrypted data, and other volatile system state. A memory dump captures the exact state of RAM at the moment of acquisition.

Memory forensics can reveal malware that exists only in memory (fileless malware), decrypted content, passwords, encryption keys, network communications, and kernel-level rootkits that may not be detectable through file system analysis.

Data Collected

This collector gathers structured data about ram image.

RAM Image Data

Collection Method

This collector uses a kernel driver to:

• Enumerate physical memory ranges via IoctlEnumPhysicalMemoryRanges

• Read each memory page using IoctlReadPhysicalMemory

• Write pages sequentially to create a raw memory image

• Fill unmapped regions with zeros to maintain proper addressing

The resulting file is a complete physical memory dump in raw format compatible with memory analysis tools like Volatility.

Forensic Value

Memory dumps are essential for advanced malware analysis and incident response. Investigators use memory forensics to detect fileless malware, extract process memory for malware analysis, recover encryption keys and passwords, identify network connections and malware C2, analyze kernel rootkits and drivers, extract browser history and clipboard data, and identify code injection and process hollowing.