
Memory Examination – Static

Article detailing the basics of static Windows memory (RAM) examination/analysis.
© PA Knowledge Ltd | 7Safe Training


Before we can examine a static copy of the computer's memory, we must first make that copy! In order to do this, an appropriate program must first be running to make that copy. One popular (and free) program used in the forensic community today is FTK Imager by AccessData. Many other programs, free and paid, are also available.

Below is a snippet of a process listing taken from a static memory dump of a computer obtained using FTK Imager:

Screenshot of Command Prompt with a Volatility process tree listing.

The program used to obtain the above process (tree) listing is called Volatility. It can be seen that process-related information similar to that provided by the traditional tools used on a live system (detailed in the previous section) is available. Note the hexadecimal value before the process name. This is the physical memory offset, i.e., the physical location at which the process data resides.

On perusal it can be seen that FTK Imager is running (the tool used to make a copy of the computer's memory). Note the highlighted process dodieckinil.ex: this process has zero threads (Thds) and handles (Hnds), which indicates a terminated process. If required, we could extract that terminated process for further analysis. Remember that terminated process information, or the ability to recover the actual terminated process, will not be available using traditional built-in and third-party tools on a live system.
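The check described above (zero threads and zero handles marking a terminated process, and the physical offset identifying where its data lives) is easy to automate over saved Volatility output. The script below is an added example written for this page, not code from the course or from the Volatility project. It assumes the column layout of the Volatility 2 `pstree` plugin (dotted depth prefix, `offset:name`, Pid, PPid, Thds, Hnds, Time); the sample listing, its offsets, PIDs and the terminated process name are constructed and are not taken from the screenshot.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the layout of Volatility 2's "pstree" plugin output
# (dotted depth prefix, "offset:name", Pid, PPid, Thds, Hnds, Time). The
# offsets, PIDs and the terminated process are made up for this example and
# are not taken from the article's screenshot.
SAMPLE_PSTREE = """\
Name                                                  Pid   PPid   Thds   Hnds Time
-------------------------------------------------- ------ ------ ------ ------ ----
 0x823c89c8:System                                      4      0     53    240 1970-01-01 00:00:00 UTC+0000
. 0x822f1020:smss.exe                                 368      4      3     19 2010-10-29 17:08:53 UTC+0000
.. 0x822a0598:csrss.exe                               584    368      9    326 2010-10-29 17:08:54 UTC+0000
.. 0x81e2ab28:winlogon.exe                            608    368     23    519 2010-10-29 17:08:54 UTC+0000
... 0x82298700:services.exe                           652    608     16    243 2010-10-29 17:08:54 UTC+0000
... 0x81e2a3b8:explorer.exe                          1584    608     13    390 2010-10-29 17:09:30 UTC+0000
.... 0x8204f6a0:FTK Imager.exe                       2112   1584      6    182 2010-10-29 17:11:02 UTC+0000
.... 0x81f0c020:sample_svc.exe                       1932   1584      0      0 2010-10-29 17:10:05 UTC+0000
"""

# One pstree row: leading dots give the tree depth, then "0xOFFSET:name" and
# the numeric columns. The name is matched non-greedily so that names
# containing spaces (e.g. "FTK Imager.exe") still parse correctly.
ROW_RE = re.compile(
    r"^(?P<dots>\.*)\s*(?P<offset>0x[0-9a-fA-F]+):(?P<name>.+?)\s+"
    r"(?P<pid>\d+)\s+(?P<ppid>\d+)\s+(?P<thds>\d+)\s+(?P<hnds>\d+)\s+(?P<time>.*)$"
)


@dataclass
class Process:
    depth: int      # nesting level in the tree (0 = root)
    offset: int     # physical memory offset of the process structure
    name: str
    pid: int
    ppid: int
    thds: int
    hnds: int
    time: str

    @property
    def terminated(self) -> bool:
        # Zero threads and zero handles is the indicator the article relies on:
        # the process structure is still in memory but nothing is left running.
        return self.thds == 0 and self.hnds == 0


def parse_pstree(text: str) -> List[Process]:
    """Parse Volatility 2 pstree text into Process records; header lines are skipped."""
    procs: List[Process] = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        procs.append(Process(
            depth=len(m["dots"]),
            offset=int(m["offset"], 16),
            name=m["name"].strip(),
            pid=int(m["pid"]),
            ppid=int(m["ppid"]),
            thds=int(m["thds"]),
            hnds=int(m["hnds"]),
            time=m["time"].strip(),
        ))
    return procs


def find_terminated(procs: List[Process]) -> List[Process]:
    """Processes with no threads and no handles, i.e. exited but not yet freed."""
    return [p for p in procs if p.terminated]


def children(procs: List[Process], pid: int) -> List[Process]:
    """Direct children of a PID, for tracing which process spawned a suspect one."""
    return [p for p in procs if p.ppid == pid]


def by_offset(procs: List[Process], offset: int) -> Optional[Process]:
    """Look a process up by its physical offset (the value Volatility 2 takes via -o/--offset)."""
    return next((p for p in procs if p.offset == offset), None)


if __name__ == "__main__":
    listing = parse_pstree(SAMPLE_PSTREE)
    for p in find_terminated(listing):
        parent = next((q for q in listing if q.pid == p.ppid), None)
        print(f"terminated: {p.name} pid={p.pid} offset={p.offset:#010x} "
              f"parent={parent.name if parent else '?'}")
```

Running the script against a real `pstree` text file (read it in place of `SAMPLE_PSTREE`) lists every exited process together with the parent that started it, and the recorded offset is the value to hand back to Volatility when extracting that process for further analysis.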

Volatility has many different plugins and features that can be used to examine a memory dump for suspicious activity. Information about Volatility can be found here.

Additional information…

What are Processes, Threads and Handles?

An executing program/application will create one or more processes. Each process runs one or more threads, and it is these threads that contain the machine code (instructions) to be executed. The operating system is responsible for allocating processor time to these threads. A handle essentially points to and links a logical resource outside the actual process memory structure, such as a file or other resource.

This article is from the free online

Introduction to Digital Forensics: Malware Analysis and Investigations
