What is memory forensics?
Once used to recover encrypted data, memory forensics is now a core tool in the fight against rootkits

Memory forensics is the acquisition and analysis of a system's random access memory (RAM). It provides visibility into transient information that is otherwise absent from persistent storage. This includes kernel structures, process execution trees, loaded DLLs, active network sockets, in-memory registry hives, and injected code segments.
Over the years, memory forensics has become a major plank of cybersecurity research and is now crucial for tasks such as discovering stealthy malware like rootkits and other sophisticated cyber attacks.
“Memory forensics is the analysis of a computer's live, volatile memory, or RAM,” explains Jack Hughes, director of digital forensics and incident response for EMEA at Palo Alto Networks’ Unit 42.
“The key characteristic of memory is that it is volatile. Unlike hard drive data, this information is ephemeral – it can be lost the moment a computer loses power. From a single memory collection, we can extract a huge amount of evidence, like running system processes, active network connections, recent commands, and even sensitive data such as passwords or encryption keys.”
This ability to capture a live snapshot of system activity has elevated memory forensics from a supporting role in digital investigations to a frontline technique for uncovering advanced attacks. Hughes points out that traditional methods often fall short in detecting fileless malware, malicious code that never touches disk and instead resides entirely in RAM.
“Hard disk forensics tells part of the story based on files present on a system,” Hughes tells ITPro. “Still, memory forensics goes deeper, answering questions such as who the system was talking to, what commands were being executed, and what data was being accessed at the moment of compromise.”
Jess Burn, principal analyst at Forrester Research, adds that this focus on live system data is especially important for identifying rootkits, a class of threat engineered to avoid detection.
“Threats like rootkits are designed to live and hide in a computer’s memory/RAM, not on the hard drive,” Burn explains to ITPro. “Disk-based forensics might miss them entirely, since rootkits and other stealthy malware can avoid saving files or leaving obvious traces on storage hardware. By looking directly at the memory, investigators can catch these threats in action, even if they are invisible to older, disk-focused tools.”
This is a core advantage of using memory forensics in cybersecurity research and response roles, as it reveals the inner workings of malicious code that would otherwise remain hidden. Hughes adds that rootkits can be difficult to pinpoint using traditional tools for uncovering threats and can even alter the information given by an operating system or endpoint detection and response (EDR) solution.
“While a rootkit can hide a process from Task Manager or a security tool, it’s very difficult to erase its data structures from live memory without crashing the system. Using memory analysis, we can spot the tell-tale signs of a rootkit that are invisible on the disk, such as hidden processes unlinked from the OS process lists, hooked system calls, or code injected into legitimate processes.”
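Hughes's point about processes unlinked from the OS process list is the basis of cross-view detection: walk the kernel's linked list the way the OS does, carve the same structures out of the image by signature, and report anything the scan finds that the walk did not. The Python below is an added illustration, not code from the article or from Unit 42; it uses a constructed 32-byte record layout in place of a real kernel process structure, and a real tool would validate far more than a 4-byte tag before trusting a carved record.

```python
import struct

# Constructed toy layout, not a real kernel structure: each record is
# tag(4 bytes) pid(u32) name(16 bytes) flink(u32) blink(u32) = 32 bytes.
# flink/blink hold image offsets of the neighbouring records; the list is
# circular and its head is the record at offset 0.
TAG = b"PROC"
REC = struct.Struct("<4sI16sII")

def build_image(procs):
    """Pack (pid, name) pairs contiguously and link them into a circular list."""
    n, img = len(procs), bytearray()
    for i, (pid, name) in enumerate(procs):
        flink = ((i + 1) % n) * REC.size
        blink = ((i - 1) % n) * REC.size
        img += REC.pack(TAG, pid, name.encode().ljust(16, b"\0"), flink, blink)
    return img

def unlink(img, off):
    """Simulate a DKOM-style unlink: the record stays in memory, neighbours skip it."""
    _, _, _, flink, blink = REC.unpack_from(img, off)
    struct.pack_into("<I", img, blink + 24, flink)  # predecessor.flink = our flink
    struct.pack_into("<I", img, flink + 28, blink)  # successor.blink  = our blink

def walk_list(img):
    """The OS view (and what a hooked process-listing API reports): follow flink."""
    seen, off = {}, 0
    while off not in seen:
        _, pid, name, flink, _ = REC.unpack_from(img, off)
        seen[off] = (pid, name.rstrip(b"\0").decode())
        off = flink
    return seen

def scan_image(img):
    """The analyst view: carve every record by its tag, ignoring the list pointers."""
    found, pos = {}, img.find(TAG)
    while pos != -1:
        _, pid, name, _, _ = REC.unpack_from(img, pos)
        found[pos] = (pid, name.rstrip(b"\0").decode())
        pos = img.find(TAG, pos + 1)
    return found

def hidden_processes(img):
    """Cross-view diff: records found by scanning but absent from the list walk."""
    linked = walk_list(img)
    return {off: p for off, p in scan_image(img).items() if off not in linked}
```

Because the unlinked record is still in RAM, `scan_image` recovers it even though `walk_list` (and anything relying on the OS list) no longer sees it, which is the same discrepancy memory-forensics tooling flags as a hidden process.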
How memory forensics became "the first line of investigation"
The practice of memory forensics has developed significantly over the last decade. In the early days, investigators often relied on memory analysis to recover passwords or encryption keys that could unlock encrypted containers such as TrueCrypt volumes, which was sometimes the only way to access crucial evidence.
Adam Grinberg, incident response director at Sygnia, describes how early applications were often limited to extracting simple volatile data such as running processes, network connections, and loaded DLLs. Now, memory forensics plays a central role in enterprise security operations.
“Over the last decade, memory forensics has shifted from manual capture and analysis of single, full memory dumps to a more automated, remote, and scalable approach,” Grinberg tells ITPro. Commercial solutions, open source projects, and even native system tools have emerged to streamline collection and analysis. Grinberg adds that in cloud and virtual environments, memory forensics increasingly integrates with broader detection and response systems, linking into security information and event management (SIEM), security orchestration, automation, and response (SOAR), and related platforms to support faster and more convenient security operations.
Hughes also highlights this transition: “Memory forensics was once used to support traditional ‘dead-box’ disk forensics. Today, memory analysis is the first line of investigation, especially since modern threats live in memory to evade disk-based detections. It helps answer the question, ‘What is the attacker doing right now?’ by revealing the live processes of an attack, network connections of remote management tooling, or active commands.”
Scaling memory forensics in the enterprise
While the insights provided by memory forensics are invaluable, applying them across thousands of endpoints is challenging. According to Hughes, manual memory acquisition and analysis at scale is simply not practical. Instead, enterprise teams rely on automation through EDR tools that monitor memory in real time. These tools focus on high-level events such as process creation, parent-child relationships, and suspicious API calls to provide broad visibility.
“If something suspicious is detected, the EDR can trigger a playbook to isolate the endpoint, initiate memory acquisition, automatically search for indicators of compromise, and then provide the results for an analyst to review,” Hughes says. Automation, he explains, has turned memory forensics into a day-to-day function within security operations, particularly as it becomes embedded in extended detection and response (XDR) platforms.
As organizations move to cloud-native infrastructure, the traditional practice of pulling hardware-level memory images has had to adapt. Grinberg notes that cloud providers often offer their own built-in monitoring and security stacks, eliminating the need for direct memory captures in many cases. However, the available features are highly vendor-specific.
Memory forensics in the cloud often involves creative alternatives, such as capturing virtual memory snapshots, working with providers for detailed audit logs, or relying on advanced telemetry to spot malicious activity. “Advanced audit logs from services like Google Cloud or AWS, for example, can track all access to sensitive data or record attempts to break through network barriers,” Burn adds. While not as flexible as on-premises approaches, adapting forensic methods to cloud realities is critical as adoption accelerates.
Memory forensics has evolved from a niche technique for supplementing disk-based investigations into a cornerstone of modern cybersecurity. Its ability to expose stealthy, memory-resident threats like rootkits and fileless malware makes it indispensable for security teams. With automation enabling analysis at scale and cloud providers offering new ways to capture volatile data, memory forensics is no longer just about catching what disk forensics misses. Rather, it has become one of the most direct ways to understand what an attacker is doing in real time.