
Memory Examination – Static

Article detailing the basics of static Windows memory (RAM) examination/analysis.
© PA Knowledge Ltd | 7Safe Training


Before we can examine a static copy of the computer's memory, we must first make that copy. To do this, an appropriate imaging program must be running on the machine to make the copy. One popular (and free) program used in the forensic community today is FTK Imager by AccessData. Many other programs, free and paid, are also available.

Below is a snippet of a process listing taken from a static memory dump of a computer obtained using FTK Imager:

Screenshot of Command Prompt with a Volatility process tree listing.

The program used to obtain the process (tree) listing above is called Volatility. It can be seen that process-related information similar to that produced by the traditional tools used on a live system (detailed in the previous section) is available from the dump. Note the hexadecimal value before each process name: this is the physical memory offset, i.e. the physical location in the image at which the process data resides.

On perusal it can be seen that FTK Imager is running (the tool used to make the copy of the computer's memory). Note the highlighted process dodieckinil.ex: it has zero threads (Thds) and zero handles (Hnds), which indicates a terminated process. If required, we could extract that terminated process from the memory dump for further analysis. Remember that information about terminated processes, or the ability to recover the actual terminated process, will not be available using traditional built-in and third-party tools on a live system.
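The check described above, applied in code: this added example (not part of the article or of Volatility) parses a constructed listing in the style of Volatility 2's pstree output, keeps the offset and thread/handle counts for each process, and reports the rows with zero Thds and zero Hnds as terminated processes worth extracting. The sample rows and process names are constructed, and the column layout is assumed to follow Volatility 2's pstree format.

```python
import re

# Constructed sample in the style of a Volatility 2 "pstree" listing (not the page's
# screenshot). Leading dots show depth in the tree, the hex value is the offset of the
# process structure in the image, and zero Thds plus zero Hnds marks a terminated process.
SAMPLE_PSTREE = """\
Name                                   Pid   PPid   Thds   Hnds Time
-------------------------------------- ----- ------ ------ ------ --------
 0x823c89c8:System                         4      0     58    380 2012-04-05 19:33:00 UTC+0000
. 0x82400510:smss.exe                    368      4      3     21 2012-04-05 19:33:26 UTC+0000
.. 0x824567e8:winlogon.exe               608    368     23    519 2012-04-05 19:33:27 UTC+0000
... 0x822a2c00:explorer.exe             1464    608     12    400 2012-04-05 19:33:40 UTC+0000
.... 0x81f7e020:imager.exe              2204   1464      6    117 2012-04-05 19:50:02 UTC+0000
.... 0x81e0c3a8:dropper_sample.exe      1980   1464      0      0 2012-04-05 19:41:11 UTC+0000
"""

# One process row: depth dots, offset:name, then the Pid, PPid, Thds and Hnds columns.
ROW_RE = re.compile(
    r"^(?P<depth>\.*)\s*0x(?P<offset>[0-9a-fA-F]+):(?P<name>\S+)"
    r"\s+(?P<pid>\d+)\s+(?P<ppid>\d+)\s+(?P<thds>\d+)\s+(?P<hnds>\d+)"
)

def parse_pstree(text):
    """Return one dict per process row; header and separator lines are skipped."""
    procs = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        procs.append({
            "name": m["name"], "pid": int(m["pid"]), "ppid": int(m["ppid"]),
            "threads": int(m["thds"]), "handles": int(m["hnds"]),
            "offset": int(m["offset"], 16), "depth": len(m["depth"]),
        })
    return procs

def is_terminated(proc):
    """Exited process whose structure still sits in RAM, so it can be carved from the dump."""
    return proc["threads"] == 0 and proc["handles"] == 0

def terminated_processes(text):
    """(name, pid, parent name, offset) for each terminated process in the listing."""
    procs = parse_pstree(text)
    parent_of = {p["pid"]: p["name"] for p in procs}
    return [(p["name"], p["pid"], parent_of.get(p["ppid"], "?"), f"0x{p['offset']:08x}")
            for p in procs if is_terminated(p)]

if __name__ == "__main__":
    for name, pid, parent, offset in terminated_processes(SAMPLE_PSTREE):
        print(f"terminated: {name} pid={pid} parent={parent} offset={offset}")
```

The reported offset is what you would hand to Volatility's process-dumping plugins to carve the terminated process out of the image.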

Volatility has many different plugins and features that can be used to examine a memory dump for suspicious activity. Information about Volatility can be found here.

Additional information…

What are Processes, Threads and Handles?

An executing program/application will create one or more processes. Each process runs one or more threads, and it is these threads that contain the machine code (instructions) to be executed. The operating system is responsible for allocating processor time to these threads. A handle is a reference that points to and links a logical resource outside the process's own memory, such as a file or another system object.

This article is from the free online course Introduction to Digital Forensics: Malware Analysis and Investigations.