Memory forensics is a vital form of cyber investigation that allows an investigator to identify unauthorized and anomalous activity on a target computer or server. This is usually achieved by running special software that captures the current state of the system’s memory as a snapshot file, also known as a memory dump. This file can then be taken offsite and searched by the investigator.

This is useful because of the way in which processes, files and programs are run in memory, and once a snapshot has been captured, many important facts can be ascertained by the investigator, such as:

• Processes running
• Executable files that are running
• Open ports, IP addresses and other networking information
• Users that are logged into the system, and from where
• Files that are open and by whom

Already we can see how much this information can help an investigator as they seek out system anomalies, and by being able to capture the volatile information inside the system’s memory, they are able to create a permanent record of the system’s state as it was.

This means that suspicious programs such as computer viruses and malware can be tracked down in a lab environment and traced back to the source if possible. This is vital in instances where malware leaves no trace of its activity on a target system’s hard drive, making memory forensics especially important as a means to identify such activity.