Memory Forensics: Where to Start

Article Posted: June 13, 2011

Have you ever received an image of RAM as part of a forensic case but didn't really know where to begin the analysis? To the analyst, RAM is just a large blob of data with minimal structure, or at least not the structure we expect to see from an operating system's file system.

So where do you start? This article discusses the different artifacts that can be found when conducting RAM analysis, and the process one could follow to conduct RAM analysis on a computer intrusion. For the sake of this article, we will define a computer intrusion as any unauthorized access to a computer system. This article also includes some helpful tips and tricks that can be used when conducting RAM analysis.

So exactly what is RAM? To quote Wikipedia, “Random Access Memory (RAM) is a form of computer data storage.” This storage is volatile, meaning it is easily flushed and is not used for long-term storage. A computer stores information at a memory address, from which it can later be retrieved by a hardware device or a software application. Any information actively used by a computer program or hardware device passes through the system's RAM at the time it is being used. This is what makes RAM so important when conducting computer forensics. So why is RAM analysis not a part of every computer forensic investigation? There are two main reasons.

  1. Procedural: Is it acceptable for law enforcement or first responders to introduce artifacts to the computer system? For RAM to be acquired, the target system has to be running and a collection program has to be introduced to the computer system and executed, leaving an acquisition footprint. With the advances in malware technology, acquisition of RAM might provide the only evidence that a crime or intrusion was committed. Over time the court system will come to accept that law enforcement or first responders introduce footprints onto the target system during RAM acquisition. Documentation by those conducting the acquisition is key.
  2. Physical: If the computer is shut down, the contents of RAM are flushed, wiping away all active information that was in RAM.

This article focuses on what can be found when conducting RAM analysis and the process flow that a forensic analyst might follow when conducting an investigation. RAM artifacts include any piece of data used by a software application or hardware device. Depending on the forensic case being investigated, the list of possible artifacts obtained from a running computer could be quite large. Any input to or output from a computer program travels through memory. How long it remains in RAM depends on the size of the RAM and the computer’s need to place new information in previously occupied, but no longer used, sections of RAM. The section below contains a sample of nine types of artifacts that can be found on a running computer system, and why their existence is important to forensic analysis. This list is by no means exhaustive.
