Section 3.2: Why Memory Forensics?

Question 1

Why investigate RAM?

Answer 1

Everything runs through it: processes, threads, malware, network sockets, URLs, IP addresses, open files, passwords, caches, clipboards, encryption keys, hard/software configurations, event logs, and registry eyes.

Question 2

Three exclusive things that only exist in memory and does not write on disk I should be aware of.

Answer 2

Incognito sessions run here, registry keys, and chat applications.