Discussion Forum: Forensics Investigation

The advantage of memory forensics compared to a traditional forensics investigation method.

by Abraham Selby - Tuesday, 15 December 2020, 4:28 AM


Memory forensics can provide unique insights into runtime system activity, including open network connections and recently executed commands or processes. In many cases, critical data pertaining to attacks or threats will exist solely in system memory – examples include network connections, account credentials, chat messages, encryption keys, running processes, injected code fragments, and internet history which is non-cacheable. Any program – malicious or otherwise – must be loaded in memory in order to execute, making memory forensics critical for identifying otherwise obfuscated attacks.

As attack methods become increasingly sophisticated, memory forensics tools and skills are in high demand for security professionals today. Many network-based security solutions like firewalls and antivirus tools are unable to detect malware written directly into a computer’s physical memory or RAM. Security teams should look to memory forensics tools and specialists to protect invaluable business intelligence and data from stealthy attacks such as fileless, in-memory malware or RAM scrapers.