Memory forensics is arguably the most fruitful, interesting, and provocative realm
of digital forensics. Each function performed by an operating system or application
results in specific modifications to the computer's memory (RAM), and these changes can
often persist long after the action itself, essentially preserving a record of it. Additionally, memory
forensics provides unprecedented visibility into the runtime state of the system, such as
which processes were running, which network connections were open, and which commands were recently executed.
You can extract these artifacts in a manner that is completely independent of the
system you are investigating, which reduces the chance that malware or rootkits can interfere
with your results. Critical data often exists exclusively in memory, such as disk encryption
keys, memory-resident injected code fragments, off-the-record chat messages, unencrypted
e-mail messages, and non-cacheable Internet history records.