# RAM Image

## Overview

**Evidence:** RAM Image\
**Description:** Create an image of RAM\
**Category:** Memory\
**Platform:** windows\
**Short Name:** ram\
**Is Parsed:** No\
**Sent to Investigation Hub:** Yes\
**Collect File(s):** Yes

## Background

Physical memory (RAM) contains all actively running processes, loaded modules, network connections, decrypted data, and other volatile system state. A memory dump captures the exact state of RAM at the moment of acquisition.

Memory forensics can reveal malware that exists only in memory (fileless malware), decrypted content, passwords, encryption keys, network communications, and kernel-level rootkits that may not be detectable through file system analysis.

## Data Collected

This collector gathers structured data about ram image.

### RAM Image Data

| Field      | Description | Example       |
| ---------- | ----------- | ------------- |
| `Path`     | Path        | Example value |
| `FileSize` | File Size   | 123.45        |

## Collection Method

This collector uses a kernel driver to:

* Enumerate physical memory ranges via `IoctlEnumPhysicalMemoryRanges`
* Read each memory page using `IoctlReadPhysicalMemory`
* Write pages sequentially to create a raw memory image
* Fill unmapped regions with zeros to maintain proper addressing

The resulting file is a complete physical memory dump in raw format compatible with memory analysis tools like Volatility.

## Forensic Value

Memory dumps are essential for advanced malware analysis and incident response. Investigators use memory forensics to detect fileless malware, extract process memory for malware analysis, recover encryption keys and passwords, identify network connections and malware C2, analyze kernel rootkits and drivers, extract browser history and clipboard data, and identify code injection and process hollowing.