Cyber Defense Tactics

Learn defensive security, leverage AI for cyber defense, and join a community of security professionals.

© 2026 Cyber Defense Tactics. All rights reserved.

A Carbene.AI Project

Level: intermediate

Memory Forensics Basics

Fundamental procedures for capturing and analyzing system memory during incident response.

Time: 2-4 hours | 5 steps | 9 checklist items

Summary

Introduction to memory forensics for incident responders, covering acquisition and basic analysis.

Step-by-Step Procedure

Step 1: Pre-Acquisition Preparation

Prepare for memory capture.

Actions

  • Verify memory acquisition tools are available
  • Ensure sufficient storage for memory dump
  • Document system state before acquisition
  • Plan for minimal system impact

Tools

  • WinPmem
  • FTK Imager
  • LiME (Linux)
  • External storage

Step 2: Memory Acquisition

Capture system memory.

Actions

  • Run acquisition tool with proper permissions
  • Capture to external or network storage
  • Hash the memory dump upon completion
  • Document acquisition time and method

Step 3: Analysis Environment Setup

Prepare for memory analysis.

Actions

  • Install Volatility or similar analysis framework
  • Identify correct profile for the captured system
  • Verify dump integrity with hash

Tools

  • Volatility 3
  • MemProcFS
  • Rekall

Step 4: Basic Analysis

Perform initial memory analysis.

Actions

  • List running processes
  • Identify network connections
  • Check for code injection indicators
  • Extract suspicious processes for further analysis
  • Look for malware artifacts

Step 5: Documentation

Document findings.

Actions

  • Record all analysis commands and output
  • Document suspicious findings
  • Preserve extracted artifacts
  • Write analysis summary
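The hashing, verification and record-keeping steps above (hash the dump on completion, verify integrity before analysis, record every analysis command and its output) fit naturally into one small chain-of-custody helper. The script below is an added example written for this procedure; it is not code from Cyber Defense Tactics or from any of the tools listed. The dump contents, the host and handler names, the acquisition method string and the "analysis command" (a Python one-liner standing in for a Volatility invocation) are all constructed placeholders.

```python
"""Chain-of-custody and integrity helper for a memory dump.

Added example for the procedure above; not code from Cyber Defense Tactics.
It covers steps 2, 3 and 5: hash the dump as soon as capture finishes, record
when, how and by whom it was taken, re-verify the hash before analysis, and keep
every analysis command together with its output. All sample values are
constructed placeholders.
"""
import hashlib
import json
import os
import subprocess
import sys
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # hash 1 MiB at a time; real dumps are many GB and must not be read whole


def utc_now() -> str:
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def sha256_file(path: str) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def create_custody_record(dump_path: str, method: str, host: str, handler: str) -> dict:
    """Step 2: hash the dump on completion and document time, method and handler."""
    return {
        "dump": os.path.abspath(dump_path),
        "size_bytes": os.path.getsize(dump_path),
        "sha256": sha256_file(dump_path),
        "acquired_at": utc_now(),
        "method": method,  # free text: the tool and version used for the capture
        "host": host,
        "custody": [{"at": utc_now(), "handler": handler, "event": "acquired"}],
        "analysis_log": [],
    }


def verify_dump(record: dict) -> bool:
    """Step 3: recompute the hash before analysis; False means the evidence changed."""
    ok = sha256_file(record["dump"]) == record["sha256"]
    record["custody"].append({"at": utc_now(), "event": "verified" if ok else "HASH MISMATCH"})
    return ok


def log_analysis_command(record: dict, argv: list) -> str:
    """Step 5: run one analysis command and record the exact command line and output."""
    proc = subprocess.run(argv, capture_output=True, text=True)
    record["analysis_log"].append({
        "at": utc_now(),
        "argv": argv,
        "returncode": proc.returncode,
        "stdout_sha256": hashlib.sha256(proc.stdout.encode()).hexdigest(),
        "stdout": proc.stdout,
    })
    return proc.stdout


def save_record(record: dict, path: str) -> None:
    """Write the custody record as JSON next to the dump (part of the evidence set)."""
    with open(path, "w") as f:
        json.dump(record, f, indent=2)


def demo(content: bytes = b"constructed memory dump placeholder\n") -> dict:
    """Walk the procedure on a constructed dump and report the outcomes."""
    with tempfile.TemporaryDirectory() as d:
        dump = os.path.join(d, "host01.raw")  # constructed dump, not a real capture
        with open(dump, "wb") as f:
            f.write(content)
        rec = create_custody_record(dump, "winpmem (placeholder version)", "host01", "analyst")
        verified = verify_dump(rec)
        # Stand-in for an analysis command such as `vol -f host01.raw windows.pslist`:
        # a Python one-liner that prints a constructed two-line process listing.
        out = log_analysis_command(rec, [sys.executable, "-c",
                                         "print('PID PPID ImageFileName'); print('4 0 System')"])
        # Simulate a change to the evidence and show that re-verification catches it.
        with open(dump, "ab") as f:
            f.write(b"\x00")
        verified_after_tamper = verify_dump(rec)
        save_record(rec, os.path.join(d, "host01.custody.json"))
        return {
            "sha256": rec["sha256"],
            "verified": verified,
            "verified_after_tamper": verified_after_tamper,
            "analysis_output_lines": out.strip().splitlines(),
            "log_entries": len(rec["analysis_log"]),
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice `create_custody_record` is called once on the acquisition host right after the capture tool exits, the JSON record travels with the dump to the analysis workstation, and `verify_dump` is the first thing run there; any mismatch stops analysis until the discrepancy is explained. Wrapping each Volatility or MemProcFS invocation in `log_analysis_command` gives the "record all analysis commands and output" item for free.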

Completion Checklist

  • Tools prepared and verified
  • Memory successfully captured
  • Dump hashed for integrity
  • Chain of custody documented
  • Analysis profile identified
  • Process list extracted
  • Network connections analyzed
  • Suspicious artifacts identified
  • Findings documented

Evidence to Collect

  • Memory dump file
  • Memory dump hash
  • Analysis tool output
  • Extracted artifacts
  • Analysis notes
