My Opinion: Memory Forensics and DFIR

My Opinion: Memory Forensics and DFIR

There is no way for adversaries to hide!



My personal take on memory forensics and DFIR.


After studying digital forensics and incident response over the last year, I have to say that I’m very amazed at the processes that make up DFIR. Adversaries may think that they can get away clean but with memory forensics it’s almost impossible for attackers to escape out of the system without leaving a trace. There will be artifacts left behind for the DFIR investigator to discover and a timeline of events in order to piece together what happened during a data breach of the network.

As experts in the field of digital forensics and incident response, we have to know what’s normal to find evil within the system. We must dedicate a good amount of time to studying and labbing in order to properly prepare for data breaches and resolve them because they will happen eventually unfortunately.  SANS offers by far the best DFIR training across the board but they are the most expensive company to use for this training. We can definitely prepare for tomorrow but doing the work that’s needed today.




Incident Response: What is it and why it’s needed?

Incident Response: What is it and why it’s needed?

Incident Response


What is incident response?


Incident response is the methodology an organization uses to respond to and manage a cyberattack. An attack or data breach can cause business disrupting damage. An incident response aims to reduce this damage and recover as quickly as possible. Digital forensics Investigation is also a key component in order to learn from the attack and better prepare for the future. Digital can assist with moving the incident response process along faster. 

Why is a incident response plan needed? 

A incident response plan is a critical part of a successful security program. A successful incident response can help mitigate damage caused by data breaches or malware attacks. According to an article written on the forcepoint website, “As the cyberattacks increase in scale and frequency, incident response plans become more vital to a company’s cyber defenses. Poor incident response can alienate customers and trigger greater government regulation”. 


The NIST Incident Response Process contains four steps:

  1. Preparation
  2. Detection and Analysis
  3. Containment, Eradication, and Recovery
  4. Post-Incident Activity

Memory Forensics and Incident Response: Why it’s needed.

Memory Forensics and Incident Response: Why it’s needed.

Memory forensics and why it’s so important to incident response

Memory Forensics is the process of analyzing volatile data living within a computer’s memory dump. Everything in the computer system move across RAM (Random Access Memory). 

  • Processes and threads
  • Malware 
  • Network Sockets, URLs, IP Address
  • Open Files 
  • User – generated content 
  • Passwords, caches, clipboards
  • Encryption Keys 
  • Hardware and Software configuration 
  • Windows registry keys and event logs 

RAM handles communication and enables things to get done between the CPU, Operating system. There are big advantages to conducting memory analysis like identifying malicious software activitiy, analyzing and tracking recent activity on the system and also collecting evidence that cannot be found anywhere else (Super value). 

As you can see, It will be very difficult for malicious actors to get away cleanly with so many foot prints left in memory.