Sign In
In this module

MF0.1 Why Memory Forensics Matters

Module 0 · Free
What you already know

You run disk forensics. You triage EDR alerts. You know how to follow a process tree, read an event log, and scope an incident from telemetry. This sub builds on that baseline — it's not going to teach you what an alert is. What it does is reframe where your current methodology reaches its limits and why memory is the evidence source you've been missing.

Operational Objective

DFIR training still treats memory as optional. You're taught to collect with KAPE, parse with EZ Tools, and build your timeline from the filesystem. That approach works when the attacker wrote to disk. In 2026, most of the ones that matter don't.

Modern attackers run payloads reflectively in PowerShell, inject into signed processes, harvest credentials out of LSASS without copying a file, and persist through WMI and scheduled tasks that load their real payload at runtime. If your methodology treats memory as a specialist tool you reach for when disk analysis fails, you will reach wrong conclusions on exactly the cases you need to get right — the ones that go to legal, insurance, or regulator.

This sub sets up why memory forensics isn't niche, when it's mandatory, and what this course will build.

Deliverable: You'll leave with the four attack categories where memory is the decisive evidence, the four operational triggers that make memory acquisition mandatory rather than optional, and a clear view of the three capabilities this course builds — acquisition discipline, structure-level interpretation, and memory-evidence correlation.

Estimated completion: 35 minutes
WHAT DISK SEES VS WHAT MEMORY SEES DISK FORENSICS — WHAT GETS CAUGHT ✓ Executables written to disk ✓ Registry persistence keys ✓ Event logs of completed activity ✓ Prefetch, Amcache, Shimcache ✓ MFT and USN Journal records ✓ Browser history and cache ✗ Reflectively-loaded DLLs ✗ In-memory PowerShell payloads ✗ Cached credentials in LSASS MEMORY FORENSICS — WHAT GETS CAUGHT ✓ Active and recently-terminated processes ✓ Injected code in process memory ✓ Live network connections ✓ Cached credentials and Kerberos tickets ✓ Command-line history buffers ✓ Kernel rootkit structures ✓ Clipboard contents ✓ Decrypted data for running applications ✓ DLL injection and process hollowing Disk persists. Memory captures the instant but disappears at shutdown.

Figure 0.1.1 — Disk and memory forensics are complementary, not interchangeable. Each sees what the other cannot. Any attack designed to evade disk-based detection is, by definition, visible only in memory.

The disk is not the evidence

This section reframes the default DFIR mental model. Take from it the specific claim you make every time you collect only the disk — and why that claim has gone stale.

The disk is one class of evidence. The memory is another.

If you collect only the disk, you're making an implicit claim — that everything you need to prove was written to the filesystem by a cooperating attacker. That claim was roughly true in 2010. It isn't true now.

Modern attackers design their tooling to avoid disk writes because they know disk is what gets investigated. They run loaders in memory. They inject into legitimate processes. They harvest credentials without copying the credential file. They execute through PowerShell reflection, WMI subscriptions, and scheduled tasks that pull their real payload from a remote host at runtime. If you collect only the disk, you collect only the evidence the attacker left for you.

The shift didn't happen overnight. As endpoint tools got better at catching disk-based malware, attackers adapted.

PowerSploit made reflective PE injection a commodity in 2014. Mimikatz commoditised in-memory credential theft in 2015. By 2018 living-off-the-land binaries were a tradecraft category of their own — why write a custom binary when certutil.exe and mshta.exe are signed by Microsoft and will happily load a remote payload?

Recent intrusion reports from Mandiant, CrowdStrike, and the NCSC consistently show in-memory techniques in 70%+ of cases. If you learned DFIR in 2015 and haven't updated, you're investigating a decade-old threat landscape.

Four attack categories where memory is the decisive evidence

The four categories below are the vocabulary for scoping a memory engagement. When management asks why memory forensics is needed for this case, you answer from these four.

Four categories of attacker tradecraft produce investigations where memory is the deciding evidence. Disk can show you fragments. Memory shows you the whole picture.

Fileless malware. Code that executes without being written to disk. The delivery vehicle — an email attachment, an exploited document, a malicious ad — exists on disk. The payload itself doesn't.

PowerShell loads a base64-encoded DLL straight into its own address space via Invoke-Expression. A Word macro resolves a reflective loader and runs it. Shellcode delivered through an Office exploit executes inside WINWORD's process.

The disk contains the delivery vehicle. The memory contains the payload, its configuration, what it's already done, and the C2 it's talking to.

Here's what that looks like in practice. A Northgate Engineering finance workstation gets an alert from Defender for Endpoint for anomalous PowerShell behaviour. The disk tells you the email arrived, the attachment opened, a macro ran, and a PowerShell process started with an encoded command line. The EDR tells you the PowerShell process made outbound connections to an unfamiliar IP.

All true, all useful — and all of it is preamble. The interesting question is what the payload actually is, and the disk doesn't answer that.

$ vol -f workstation-mem.raw windows.pstree
# Shows WINWORD.EXE → powershell.exe → powershell.exe
# The chain the event log already implied. Memory confirms it was alive
# at acquisition and shows the child PowerShell that the log may not
# have captured cleanly.

$ vol -f workstation-mem.raw windows.malfind --pid <powershell-pid>
# Finds the reflective payload. A PAGE_EXECUTE_READWRITE region of
# private memory starting 4d 5a 90 00 — the MZ header of a Windows
# executable that doesn't match any DLL on disk. That's the thing the
# disk never saw.

Two commands, two answers the disk couldn't give you. Without them the report reads "PowerShell ran something suspicious and reached out to an IP." With them you have the payload, its C2, and a clean pivot to every other host running the same binary in memory.

In-memory credential theft. LSASS holds cached credentials, Kerberos tickets, DPAPI master keys, and secure strings for running processes. A Mimikatz-equivalent tool dumps them straight from LSASS memory — no file is ever written.

The disk tells you a suspicious process existed. Memory tells you which credentials were actually accessible at that moment, whether they're still valid, and whether the attacker got them.

Living-off-the-land execution. powershell.exe, wmic.exe, rundll32.exe, regsvr32.exe, mshta.exe, cscript.exe — all Microsoft-signed, all on every Windows install, all capable of executing remote payloads in memory.

When an attacker uses them, the disk shows a legitimate binary running a normal-looking command line. Memory shows what that binary actually did — the objects it loaded, the code it injected, the handles it opened.

You can't tell the difference between legitimate sysadmin use and attacker abuse from disk logs alone. Memory tells you what the process was actually doing.

Kernel-level compromise. A rootkit that hooks the system call table hides its own processes from Get-Process, its own files from directory listings, and its own network connections from WFP callouts.

A user-space EDR sees only what the rootkit allows. Disk forensics sees only files the rootkit makes visible. Memory analysis — specifically kernel-object enumeration and pool-tag scanning — sees the rootkit's own structures, because the rootkit can't simultaneously hide them from memory and remain functional.

Expand for deeper context on the tradecraft shift

The attacker-tooling evolution isn't mysterious — it follows the incentives. As EDR signature and behavioural detection caught more disk-based malware, attackers moved up the stack to techniques that left no disk evidence to detect.

PowerSploit (2014) was a turning point — reflective PE injection, previously a bespoke nation-state capability, became a PowerShell script any red team could run. Mimikatz (2015) did the same for credential theft. LOLBin-based execution didn't need a new tool; it needed a new mental model, which emerged around 2018 when defenders started publishing reliable LOLBin inventories.

The effect on investigations is specific and measurable. A 2015 ransomware case was a disk-forensics case — the ransomware wrote a binary, dropped a ransom note, and encrypted files. A 2024 ransomware case starts with initial access through phishing that delivers a loader to memory, lateral movement through Pass-the-Hash using credentials harvested from LSASS in memory, and Cobalt Strike beacons that live entirely in memory until the encryption phase.

The disk forensics of that case only sees the encryption phase — the last ten minutes of a three-week intrusion. Reconstructing the first three weeks requires memory from one of the systems compromised along the way, and most organisations don't have it because their SOC procedure doesn't acquire memory before reimaging.

The point isn't that disk forensics is obsolete. It's that disk forensics alone has become a subset of what modern investigations need, and treating it as sufficient is a methodology that hasn't kept up with attacker tradecraft.

When memory acquisition is mandatory

Four conditions that move memory from optional to required. These are the triggers your SOC procedure should encode so you're not making the call at 03:14 under business pressure.

Memory isn't required for every investigation. A commodity ransomware variant that wrote its executable to disk, a user-reported phishing email with a malicious link that was blocked, a routine alert that turns out to be a false positive — you can resolve these with disk and telemetry alone. Adding memory to every trivial case would grind your SOC to a halt.

The threshold is specific. Memory becomes mandatory, not optional, when any of four conditions are present.

Credentialed-user compromise suspected. If the attacker reached a state where they could authenticate as a user, the investigation has to account for what credentials were accessible, where they've been used since, and whether any session tokens are still live.

Credentials live in LSASS memory, not on disk. You can't answer those questions without memory.

Disk looks clean but telemetry says something's wrong. An EDR fires on process behaviour, a SIEM flags unusual network traffic, a honey-token hits — and disk investigation finds nothing.

That's not a false positive. That's an investigation that has found the attack is memory-resident and hasn't acquired the one piece of evidence that can confirm it.

Attribution matters past "a compromise occurred." Litigation, insurance claims, regulatory notification, HR proceedings — any of these need specific claims about what was accessed, what credentials were taken, what systems were reached.

For any attack involving memory-resident components, those claims can't be reconstructed from disk alone. If your conclusion is going to be challenged by someone else's expert witness, you need the memory.

Incident may recur. Persistence that lives entirely in memory — a WMI event consumer that re-injects a payload, a scheduled task that reloads from a remote host — survives reimaging if you don't address the reinfection vector.

Disk shows you reinfection happened. Only memory explains how.

Decision Point

The situation. It's 03:14 on a Thursday. Defender fires on a Northgate Engineering finance workstation for anomalous PowerShell behaviour reaching an unfamiliar IP. You review the disk through live response — no suspicious files, no registry persistence, no unusual scheduled tasks. The endpoint team wants the workstation reimaged inside the hour; the finance controller has a 09:00 board-pack deadline.

The choice. Authorise the reimage now on the basis that nothing was found on disk, or pause for twenty to thirty minutes to acquire memory before reboot.

Reimage destroys any evidence of what the PowerShell actually did, what credentials it touched, and whether it spread. Acquisition introduces a deadline conflict you'll have to defend to stakeholders who see the alert as contained.

The correct call. Acquire, every time in this fact pattern. EDR firing without corresponding disk evidence is the canonical trigger for memory forensics, and the only evidence that can answer "what did it do" is the RAM of the running workstation.

The operational lesson. You can't make this call in the moment at 03:14 under pressure. Your standing SOC procedure has to pre-authorise acquisition on this trigger so you aren't negotiating evidence preservation against a business deadline when you're half-awake. If the decision requires real-time escalation, you'll lose.

Compliance Myth: "EDR telemetry replaces the need for memory forensics"

The myth. Modern EDR — Defender for Endpoint, CrowdStrike Falcon, SentinelOne — collects detailed behavioural telemetry. Process creation, network connections, file access, script execution. If your EDR captures what's happening in memory, you don't need to acquire memory separately.

The reality. EDR captures observations of memory-resident activity. Memory forensics captures the memory itself. They are not interchangeable.

When EDR shows PowerShell started with an encoded command line, that's an observation. When memory analysis extracts the decoded payload from the PowerShell process's heap, identifies it as a specific credential-stealer, pulls its C2 endpoint from its configuration, and recovers the credentials it had already harvested — that's evidence. EDR tells you something happened that needs investigating. Memory tells you what happened, what was taken, and what the attacker's infrastructure looks like.

There's also a second problem. Sophisticated attackers target EDR specifically. Kernel-level rootkits, userland unhooking, direct syscalls — all of these produce telemetry gaps that are invisible to you if you're only looking at what the EDR reported.

Running an investigation purely from EDR data trusts that the EDR saw everything worth seeing. Memory is how you verify what the EDR missed.

What this course builds

Three capabilities, each a prerequisite for the next. The course sequence follows this order — acquire, interpret, correlate — and every module fits into one of the three.

Three capabilities, each one a prerequisite for the next.

Memory acquisition discipline. The ability to acquire memory from Windows and Linux systems in a way that preserves evidence integrity and survives legal scrutiny.

Memory is the most volatile forensic evidence you deal with. It exists only while the system is running, it changes with every CPU cycle, and it's gone at shutdown. Getting acquisition right — tool selection, verification, chain-of-custody documentation — is the foundation. No amount of analysis skill compensates for a capture that won't stand up in court.

Structure-level memory interpretation. Reading a memory image at the OS structure level, not just the plugin-output level.

Volatility 3 is a good tool. Like every tool, it has edge cases, version-specific behaviours, and parser limitations. If you understand the underlying structures — EPROCESS, ETHREAD, VAD, task_struct, cred — you can validate tool output, recognise anomalies tools miss, and interpret evidence plugins don't yet exist for.

This is the capability that separates a practitioner who runs Volatility from one who knows when Volatility is wrong.

Memory-evidence correlation. Integrating what memory shows with disk, network telemetry, and event logs into a unified timeline.

Memory alone gives you instant-in-time evidence. Disk alone gives you durable evidence. Network telemetry alone gives you external observation. None is enough on its own.

The defensible investigation uses all three, with memory as the primary source for anything that happened in-process during the acquisition window.

Next

MF0.2 — What Lives in Memory That Isn't on Disk. You've established why memory matters. MF0.2 gives you the taxonomy — the three categories of memory-resident evidence (volatile kernel structures, ephemeral process data, transient network and handle state) that every subsequent module will reference. Once you have the taxonomy, the rest of the course is organised by it.

Try it: recall the four mandatory acquisition triggers without notes

Close this page. Open a blank document. Write down, from memory, the four conditions under which memory acquisition moves from optional to mandatory. For each condition, add one sentence on why disk and telemetry alone can't resolve an investigation that hits that trigger.

When you've written what you can recall, check your list against the "When memory acquisition is mandatory" section above.

If you missed one, note which. Most practitioners who miss one miss the same one — attribution beyond "a compromise occurred" — because disk-and-telemetry investigations tend to answer "did it happen" rather than "what specifically happened," so that trigger feels secondary until it isn't.

The operational value of memorising these four is that they're the triggers your SOC procedures should encode. When you propose a memory-acquisition playbook to your SOC lead, you'll be arguing from these four conditions.

Operational Artifact — Memory Acquisition Decision Triggers

Acquire memory when any of the following primary conditions apply. These three account for the majority of operational decisions — if one fires, acquire, no further escalation needed.

1. Credentialed-user compromise suspected. Any indication the attacker reached a state where they could authenticate as a legitimate user, access credentialed resources, or move laterally.

2. EDR or behavioural telemetry fires without corresponding disk evidence. An alert on process behaviour, network anomaly, or memory-resident indicator that doesn't map to an obvious malicious file on disk.

3. Incident may reach legal, regulatory, insurance, or HR proceeding. Anything subject to adversarial review needs the complete evidence chain, and for modern attacks that chain includes memory.

Extended triggers (edge cases) — expand for the remaining four

4. PowerShell, WMI, or LOLBin execution observed in a suspicious pattern. Any indication that legitimate system tools were used in a way consistent with attacker activity rather than normal administration.

5. Disk investigation confirms attack but can't answer "what did the attacker actually do." You've proven compromise occurred but can't show what was executed, accessed, or exfiltrated.

6. Persistence mechanism suspected but not found on disk. Reinfection after remediation, or compromise that predates all disk evidence, both point to memory-resident persistence.

7. Kernel-level compromise suspected. EDR silence combined with behavioural indicators pointing to kernel-level evasion.

Document the trigger condition in your acquisition record. Acquiring proactively when you're uncertain is legitimate — the framework is a floor, not a ceiling. When you do have a documented trigger, it becomes part of your methodology defence if the case ever comes under challenge.

© 2026 Ridgeline Cyber Defence™ Ltd. Content may not be reproduced or redistributed. Worked artifacts may be adapted for use within your organization.

You've set up the lab and captured your first clean baselines.

MF0 built the three-VM lab and established the memory forensics landscape. MF1 taught acquisition with WinPmem and LiME, integrity verification, and chain of custody. From here, you execute attacks and investigate what they leave behind.

  • 8 attack modules (MF2–MF9) — process injection, credential theft, fileless malware, persistence, kernel drivers, Linux rootkits, timeline construction, and a multi-stage capstone
  • You run every attack yourself — from Kali against your target VMs, then capture memory and investigate your own attack's artifacts with Volatility 3
  • MF9 Capstone — multi-stage chain (initial access → privilege escalation → credential theft → persistence → data staging), three checkpoint captures, complete investigation report
  • The lab pack — PoC kernel driver and LKM rootkit source code, setup scripts, 21 exercises, 7 verification scripts, investigation report templates
  • Cross-platform coverage — Windows and Linux memory analysis in one course, with the timeline module integrating evidence from both
Unlock with Specialist — £25/mo See Full Syllabus

Cancel anytime

← Previous Next →