Forensics: What data can you find in RAM?

To determine whether you need to collect Random Access Memory (RAM) on-scene, it is useful to know what kind of investigation-relevant data is often available in RAM. RAM forensics starts with acquiring RAM from a live (turned on) system. There are several ways to collect the contents of RAM from a computer. Almost all of them require Live Data Forensics, a type of forensic practice that deals with computers or devices that are powered on and whose data is changing.

Thank you to our Members and Patrons, but especially to TheRantingGeek, Roman, Alexis Brignoni, Lorie Hermesdorf, Steven Lorenz, Steffen Luithardt, pjs, Carlos E Gallo Monteiro, and OkiePioneerWoman! Thank you so much!

To do Live Data Forensics of any kind, you need to know how Random Access Memory works, how it changes, and how your actions on the target system will affect possible evidence in RAM (and on a hard drive).

00:00 What data is in RAM?
01:18 Programs and file access
02:15 Opened files and file locations
03:43 Typed input
04:40 Opened web pages
05:34 Web page contents
06:01 Decrypted content
06:33 Content no longer on disk
06:46 Content never on disk
08:30 Network traffic

Links:
* 5% off full course on RAM Acquisition and Analysis (https://learn.dfir.science/courses/RAM-Forensics-Tutorial?coupon=YOUTUBERAM5)

Related books:
* Practical Malware Analysis (https://amzn.to/3OqYeEk)
* Operating System Concepts (https://amzn.to/3J0AJ3T)

Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License. Please link back to the original video. If you want to use this video for commercial purposes, please contact us first. We would love to see what you are doing.