Full Memory Dump
Location
Acquired via live capture (RAM)Description
Complete physical memory image of the running system capturing all active processes, kernel structures, network connections, loaded DLLs, injected code, and decrypted data.
Forensic Value
Memory analysis is the only reliable method to detect fileless malware, process injection, and reflective DLL loading that leave no disk artifacts. Active network connections with owning process context, decrypted credential material from LSASS, and in-memory-only scripts are all recoverable. Volatility profiles can reconstruct the full process tree, open handles, and loaded modules.
Tools Required
Collection Commands
DumpIt
DumpIt.exe /OUTPUT C:\output\memory.dmp
WinPmem
winpmem_mini_x64.exe C:\output\memory.raw
Magnet RAM Capture
MagnetRAMCapture.exe (GUI - select output path and capture)
Volatility 3
vol.py -f memory.raw windows.pslist.PsList
Collection Constraints
- •Availability, retention, and field coverage depend on the Windows release, SKU, per-host audit policy, and user activity. Treat absence as inconclusive unless you verified the feature was enabled.
- •Live-state evidence is volatile. Collect it before reboot, containment, or power loss whenever legal and operational constraints allow.
MITRE ATT&CK Techniques
Used in Procedures
Volatile Memory Capture
preserve
Analyze Ransom Note and Variant Identification
triage
Assess Decryption Options (Backups, Keys, Tools)
recover
Document Chain of Custody for All Collected Evidence
preserve
Preserve VSS Shadow Copies and Encryption Timing Artifacts
preserve
Review Ransomware Resilience and Backup Isolation Failures
post-incident
Analyze the Supply-Chain Backdoor Payload
analyze
Related Blockers
BitLocker/Encrypted Drives Preventing Forensic Imaging
Full-disk encryption (BitLocker, FileVault, LUKS) prevents mounting or imaging the drive without the recovery key. Without decryption you cannot access the filesystem for artifact collection.
Compromised Systems Powered Off or Disconnected
Key systems have been powered off by users, IT, or as part of a premature containment action. Volatile data (running processes, network connections, memory-resident malware) is lost. Remote collection tools cannot reach the host.
Systems Encrypted by Ransomware -- Normal Artifact Collection Blocked
Ransomware has encrypted the filesystem on affected hosts. Standard artifact collection tools cannot read files, registry hives, or event logs from the encrypted volume. The operating system may not boot.
Systems Already Rebooted -- Volatile Data Lost
The affected systems have already been rebooted (by users, IT, or automated patch processes) before memory could be captured. Running processes, network connections, injected code, and encryption keys that existed only in RAM are no longer recoverable.
Host Wiped Before Forensic Acquisition
The compromised host has been zeroed or securely wiped (DBAN, `dd if=/dev/zero`, `sdelete`, `shred`) before forensic imaging could begin. Traditional filesystem-carving techniques recover limited content; the investigation must pivot to peer-host artifacts, network telemetry, and cloud/identity records that survived the wipe.
Fileless Malware With Minimal On-Disk Footprint
The suspected malware runs primarily in memory with minimal or no on-disk persistence. Traditional file-hash IoC hunts return empty, and disk-image analysis misses the active payload. Response must pivot to memory forensics, ETW, PowerShell script-block logging, and AMSI telemetry.
Evidence Chain of Custody Compromised
Evidence handling has gaps or integrity issues (missing hash verification, broken custody log, unauthorized access to evidence storage, transfers without documented handoffs). Evidence may still be technically useful but legal admissibility is compromised; pivot to secondary preservation and early legal assessment.
Investigation Requires Air-Gapped Network Access
The affected systems are on an isolated network segment with no connectivity to standard IR tooling (EDR management plane, SIEM, evidence-transfer channels). Acquisition and analysis must happen via physical media or through carefully-controlled trusted-transfer workflows that do not breach the air gap.
Evidence Spans Multiple Jurisdictions with Conflicting Laws
Affected systems or data span multiple countries with differing data-protection, breach-notification, and cross-border transfer laws (GDPR, data-residency rules, PIPL, LGPD, state-level US laws). Acquisition and analysis that is lawful in one jurisdiction may be unlawful in another. Engage legal counsel early and plan in-region processing.
Law Enforcement Requested Investigation Pause
A law-enforcement agency (FBI, Secret Service, Europol, national police cybercrime unit) has requested that the organization pause or slow-walk active investigation, containment, or notification steps while they pursue their own investigation. This creates tension between legal obligations to customers/regulators and cooperation with LEA.
Incident Responder Credentials Compromised
The attacker has compromised credentials belonging to a member of the incident response team or to privileged tooling used for the response (EDR console, SIEM, forensic-evidence storage). This is a worst-case blocker: the adversary may be monitoring the response in real time and can exfiltrate evidence or alter it.
Compromised Vendor Artifact Provenance Lost
The compromised software was distributed through a legitimate channel (update server, package registry) but the vendor cannot or will not produce the exact pre-compromise build artifacts, build manifests, or signing-chain evidence needed to validate provenance. Without that baseline, it is difficult to definitively identify what was malicious versus legitimate in the distributed artifact.