Digital Forensic Memory Analysis – Volatility

A very powerful tool used to analyze the contents of memory (RAM) captured from a suspect computer. Volatility does not perform the capture itself: the examiner first takes a ‘snapshot’ or ‘image’ of the target PC’s RAM with a separate acquisition tool while the machine is still running, then secures that image file (recording its hash so its integrity can be demonstrated later). Volatility parses the raw image and renders its contents, such as processes, loaded modules and network structures, into a readable form.

This tool is vital to a thorough examination, as it shows investigators what was taking place on the target PC at the moment of capture: which programs were running, which network connections were open (and which had recently closed), and many other artifacts that can be used as evidence in a court of law. Because the image reflects only that one moment, and acquisition itself disturbs memory slightly, the capture tool and time should be documented alongside the image.

Knowing which remote hosts the machine was connected to at a given time, along with which programs were running, can help investigators establish the scope of virus damage or a malware attack and acquire other pertinent evidence. Information gleaned from memory, such as the remote addresses and the processes that contacted them, can also point to other possibly compromised assets on the network.
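The core of “what programs were running” is worth seeing in code. Volatility offers two complementary views of the process list: walking the kernel’s linked list of process objects (the `windows.pslist` plugin in Volatility 3) and carving process objects out of the raw image by their signature regardless of whether anything still points to them (`windows.psscan`); a process that appears in the second view but not the first is a classic sign of a rootkit that unlinked it from the list. The block below is an added illustration written for this post, not Volatility’s own code: the 32-byte record layout, the `Proc` tag, the list head offset and the sample image are all invented here, and the real Windows `_EPROCESS` layout is far more involved and depends on the OS build and its symbol table.

```python
"""Toy list-walk versus carving scan over a constructed memory image.

Not Volatility code. The record layout, the b"Proc" tag and the sample
image are invented for this illustration; they only keep the shape that
matters: a marker, an id, a doubly linked list and a name.
"""
import struct

# Invented little-endian record, 32 bytes:
#   off 0   4s  tag    b"Proc" (what the carving scanner searches for)
#   off 4   I   pid
#   off 8   I   flink  image offset of the next record, 0 = end of list
#   off 12  I   blink  image offset of the previous record, 0 = list head
#   off 16  16s name   NUL-padded process name
REC = struct.Struct("<4sIII16s")
TAG = b"Proc"
LIST_HEAD = 0x100  # offset of the first record (stand-in for the kernel list head)


def build_image() -> bytes:
    """Constructed sample image. The record for pid 666 has been unlinked
    from the active list (its neighbours' pointers skip it, as after a
    DKOM-style hide) but its bytes are still present. Offset 0x500 holds a
    decoy with the right tag but nonsense pointers, and a bare tag sits so
    close to the end that no full record fits after it."""
    img = bytearray(0x600)
    records = [  # (offset, pid, flink, blink, name)
        (0x100, 4,    0x200, 0x000, b"System"),
        (0x200, 1234, 0x400, 0x100, b"explorer.exe"),   # flink skips 0x300
        (0x300, 666,  0x400, 0x200, b"hidden.exe"),     # unlinked, stale pointers
        (0x400, 2000, 0x000, 0x200, b"cmd.exe"),
        (0x500, 7,    0xFFFFFFF0, 0x41414141, b"decoy"),  # must fail sanity checks
    ]
    for off, pid, flink, blink, name in records:
        REC.pack_into(img, off, TAG, pid, flink, blink, name)
    img[0x5F0:0x5F4] = TAG  # truncated hit: only 16 bytes remain after it
    return bytes(img)


def parse_record(img: bytes, off: int):
    """Decode one record at `off`, or None if a full record does not fit."""
    if off + REC.size > len(img):
        return None
    tag, pid, flink, blink, name = REC.unpack_from(img, off)
    return tag, pid, flink, blink, name.rstrip(b"\x00").decode("ascii", "replace")


def looks_valid(img: bytes, rec) -> bool:
    """Sanity checks a carving scanner applies so random tag hits are
    discarded: non-zero pid, printable name, and every non-null list
    pointer must land on another tagged record inside the image."""
    tag, pid, flink, blink, name = rec
    if tag != TAG or pid == 0 or not name or not name.isprintable():
        return False
    for ptr in (flink, blink):
        if ptr:
            target = parse_record(img, ptr)
            if target is None or target[0] != TAG:
                return False
    return True


def walk_list(img: bytes, head: int = LIST_HEAD):
    """pslist-style: follow flink from the head. Sees only what the list
    exposes; the visited set guards against a tampered, circular list."""
    seen, found, off = set(), [], head
    while off and off not in seen:
        seen.add(off)
        rec = parse_record(img, off)
        if rec is None or rec[0] != TAG:
            break
        found.append((rec[1], rec[4]))
        off = rec[2]
    return found


def scan_image(img: bytes):
    """psscan-style: carve every plausible record by its tag at any byte
    offset, whether or not anything still points to it."""
    found, pos = [], img.find(TAG)
    while pos != -1:
        rec = parse_record(img, pos)
        if rec is not None and looks_valid(img, rec):
            found.append((pos, rec[1], rec[4]))
        pos = img.find(TAG, pos + 1)
    return found


def hidden_processes(img: bytes, head: int = LIST_HEAD):
    """Records the scan finds but the list walk does not."""
    listed = {pid for pid, _ in walk_list(img, head)}
    return [(pid, name) for _, pid, name in scan_image(img) if pid not in listed]


if __name__ == "__main__":
    image = build_image()
    print("list walk:", walk_list(image))
    print("carving  :", scan_image(image))
    print("hidden   :", hidden_processes(image))
```

On a real image the same comparison is made by running `windows.pslist` and `windows.psscan` against the capture and diffing the results, and `windows.netscan` gives the connection view described above. One caveat a practitioner should keep in mind: a process found only by scanning is a lead, not proof of a rootkit, because scanning also recovers processes that had simply exited but whose memory had not yet been reused; the exit time and the surrounding evidence decide which it is.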

I have been using Volatility for quite some time now, as it is a component or ‘module’ in the Autopsy software suite. There are some updates I need to study up on, hence this post.

