Process Memory
RAM is the most volatile evidence source on a live Windows system. It holds a point-in-time snapshot of decrypted payloads, active network connections, injected shellcode and plaintext credentials that may never touch the disk. Memory analysis is essential for identifying threats that leave no trace on storage media, and it has to happen before the machine is powered off, because the snapshot is gone the moment it loses power.
Think of your computer like a busy office. The hard drive is a filing cabinet for permanent storage. RAM is the actual desk — it holds everything the workers are actively using right now. To catch a secret being written, you must photograph the desk before the worker leaves. That photograph is a memory dump.
What are Processes?
A process is the operating system's fundamental unit of execution. It is a container for resources: an isolated virtual address space, threads, a handle table and a security token. The kernel tracks every process through an EPROCESS block, and the blocks are linked into a doubly linked list. A full memory image exposes that list, each process's VAD tree describing its mapped regions, and its PEB (Process Environment Block), which points at the loaded DLLs, command-line arguments and environment variables. Because the list is what the process-enumeration APIs walk, a rootkit can unlink an EPROCESS block to hide a process; scanning the image for EPROCESS pool allocations (Volatility's psscan) finds it anyway. Every EPROCESS also records the PID of its parent, a relationship central to forensics. Unexpected parent/child pairs, such as winword.exe spawning cmd.exe or lsass.exe with a parent other than wininit.exe, are immediate indicators of compromise. Bear in mind that PIDs are reused, so compare creation times before trusting a parent link from a long-running image.
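The parent/child checks described above, as an added example that is not part of the original page or of any forensic tool's own code. The process list is constructed by hand in the shape a Volatility pslist run would give; the expected-parent table encodes the standard Windows boot chain, and the document-handler and shell name sets are a deliberately small illustrative allow-list.

```python
"""Added example (not from the original page): parent/child sanity checks
over a Windows process listing.

SAMPLE_PROCS is constructed to look like Volatility pslist output; it does not
come from a real memory image.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    name: str


# Expected parents for core Windows system processes. Names are compared
# case-insensitively; "system" is the kernel process with PID 4.
EXPECTED_PARENT = {
    "smss.exe": {"system"},
    "csrss.exe": {"smss.exe"},
    "wininit.exe": {"smss.exe"},
    "winlogon.exe": {"smss.exe"},
    "services.exe": {"wininit.exe"},
    "lsass.exe": {"wininit.exe"},
    "svchost.exe": {"services.exe"},
}
# The per-session smss.exe instance exits after spawning these, so a parent
# that is missing from the listing is normal for them and is not reported.
PARENT_EXITS_NORMALLY = {"csrss.exe", "wininit.exe", "winlogon.exe"}
# Exactly one of each should exist on a healthy system.
SINGLETONS = {"wininit.exe", "services.exe", "lsass.exe"}
# Document handlers that have no business launching an interpreter (illustrative list).
DOCUMENT_HANDLERS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "acrord32.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def find_anomalies(procs):
    """Return a list of human-readable findings; an empty list means nothing odd."""
    by_pid = {p.pid: p for p in procs}
    counts = {}
    findings = []
    for p in procs:
        name = p.name.lower()
        counts[name] = counts.get(name, 0) + 1
        parent = by_pid.get(p.ppid)
        pname = parent.name.lower() if parent else None
        if name in EXPECTED_PARENT:
            if parent is None:
                if name not in PARENT_EXITS_NORMALLY:
                    findings.append(f"{name} ({p.pid}): parent pid {p.ppid} not in listing")
            elif pname not in EXPECTED_PARENT[name]:
                findings.append(f"{name} ({p.pid}): parent {pname} ({p.ppid}), "
                                f"expected {sorted(EXPECTED_PARENT[name])}")
        if name in SHELLS and pname in DOCUMENT_HANDLERS:
            findings.append(f"{pname} ({p.ppid}) spawned {name} ({p.pid})")
    for name, n in sorted(counts.items()):
        if name in SINGLETONS and n > 1:
            findings.append(f"{name}: {n} instances, expected exactly 1")
    return findings


# Constructed listing: a normal boot chain, an Office document that launches a
# shell, and a second lsass.exe parented by svchost.exe.
SAMPLE_PROCS = [
    Proc(4, 0, "System"),
    Proc(368, 4, "smss.exe"),
    Proc(480, 360, "csrss.exe"),        # parent 360 is the session smss, already exited
    Proc(556, 360, "wininit.exe"),
    Proc(644, 556, "services.exe"),
    Proc(652, 556, "lsass.exe"),
    Proc(812, 644, "svchost.exe"),
    Proc(3120, 2900, "explorer.exe"),   # parent userinit.exe has exited, as usual
    Proc(4412, 3120, "WINWORD.EXE"),
    Proc(4560, 4412, "cmd.exe"),        # Office spawning a shell
    Proc(4700, 4560, "powershell.exe"),
    Proc(5120, 812, "lsass.exe"),       # impostor: wrong parent, second instance
]

if __name__ == "__main__":
    for line in find_anomalies(SAMPLE_PROCS):
        print(line)
```

The clean prefix of the listing (everything up to WINWORD.EXE) produces no findings, which is the behaviour you want from a baseline before you point it at a real image: the noise should come from the image, not from the rules.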
What is Process Memory?
Every process operates inside a private virtual address space mapped to physical RAM pages via kernel-managed page tables. A typical layout contains the executable image and its DLLs, the heap for dynamic allocations, one stack per thread for local variables, and private regions for manual allocations (VirtualAlloc). Legitimate code arrives as a file-backed image mapping, normally with copy-on-write execute protection, so private memory marked Read-Write-Execute (PAGE_EXECUTE_READWRITE, RWX) with no backing file is a red flag: it is how injected shellcode and reflectively loaded PEs live, since the attacker had to make the region both writable and executable. JIT compilers (.NET, browser script engines) produce legitimate RWX regions, so treat RWX as a triage signal rather than proof. While the OS can page unused data out to pagefile.sys, active memory holds the most recent and relevant artifacts.
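The region triage the paragraph above describes, as an added example that is not part of the original page or of Volatility's own plugins. The region table is constructed to resemble what a VAD walk reports (start, size, protection, backing file, first bytes); the PAGE_* values are the real winnt.h constants, and the shellcode-looking prologue bytes and addresses are placeholders.

```python
"""Added example (not from the original page): triage a process's memory
regions for injection indicators.

SAMPLE_REGIONS is constructed by hand in the shape a VAD walk would produce;
nothing here comes from a real dump.
"""
from dataclasses import dataclass
from typing import Optional

# Win32 memory protection constants (winnt.h).
PAGE_READONLY = 0x02
PAGE_READWRITE = 0x04
PAGE_EXECUTE = 0x10
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
EXECUTABLE = PAGE_EXECUTE | PAGE_EXECUTE_READ | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY


@dataclass(frozen=True)
class Region:
    start: int
    size: int
    protect: int                 # one PAGE_* value
    mapped_file: Optional[str]   # backing file for image/section mappings, None for private memory
    head: bytes                  # first bytes of the region as read from the dump
    tag: str = ""                # analyst label ("heap", "stack", ...), informational only


def triage_region(r):
    """Return the reasons this region deserves a look (empty list if none)."""
    reasons = []
    executable = bool(r.protect & EXECUTABLE)
    if r.protect == PAGE_EXECUTE_READWRITE:
        reasons.append("RWX protection")
    if executable and r.mapped_file is None:
        # Legitimate code is mapped from an image file. Executable private
        # memory is where shellcode and manually mapped PEs live; JIT engines
        # (.NET, browser script engines) are the usual benign source.
        reasons.append("executable private memory, no backing file")
    if r.mapped_file is None and r.head[:2] == b"MZ":
        reasons.append("PE header in private memory (reflective/manual load)")
    if r.mapped_file is not None and r.protect == PAGE_EXECUTE_READWRITE:
        # Image sections are mapped EXECUTE_WRITECOPY; a file-backed section
        # that is now RWX was re-protected after mapping (hollowing, patching).
        reasons.append("file-backed section re-protected to RWX")
    return reasons


def triage_process(regions):
    """Map region start address -> reasons, for regions with at least one reason."""
    hits = {}
    for r in regions:
        reasons = triage_region(r)
        if reasons:
            hits[r.start] = reasons
    return hits


# Constructed layout: a legitimate image, heap and stack, one RWX private blob
# with a shellcode-style prologue, and a PE manually mapped into private memory.
SAMPLE_REGIONS = [
    Region(0x00400000, 0x1000, PAGE_READONLY, r"C:\Program Files\App\app.exe", b"MZ\x90\x00\x03", "image header"),
    Region(0x00401000, 0x8000, PAGE_EXECUTE_WRITECOPY, r"C:\Program Files\App\app.exe", b"\x48\x83\xec\x28", "image .text"),
    Region(0x00600000, 0x20000, PAGE_READWRITE, None, b"\x00" * 4, "heap"),
    Region(0x00a00000, 0x100000, PAGE_READWRITE, None, b"\x00" * 4, "stack"),
    Region(0x1a2b0000, 0x3000, PAGE_EXECUTE_READWRITE, None, b"\xfc\x48\x83\xe4\xf0", ""),
    Region(0x20000000, 0x14000, PAGE_EXECUTE_READ, None, b"MZ\x90\x00\x03", ""),
    Region(0x7ffe0000, 0x1000, PAGE_READONLY, None, b"\x00" * 4, "KUSER_SHARED_DATA"),
]

if __name__ == "__main__":
    for start, reasons in triage_process(SAMPLE_REGIONS).items():
        print(f"0x{start:016x}: {'; '.join(reasons)}")
```

Note that the second flagged region is PAGE_EXECUTE_READ rather than RWX: an injector that allocates RW, writes the PE, then flips the protection to RX defeats a pure RWX filter, which is why the backing-file and MZ checks matter as much as the protection bits.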
What are Process Memory Strings?
Strings are sequential runs of printable characters found in memory. Even compiled or obfuscated binaries reveal their secrets at runtime when they unpack payloads, decrypt configurations or resolve C2 hostnames. Extraction targets both ASCII and Unicode; on Windows, Unicode means UTF-16LE, where each ASCII character is followed by a null byte, so a plain ASCII scan misses every wide string the Win32 API produces. A minimum length threshold (the strings utility defaults to 4; 6 to 8 cuts noise considerably) filters random printable byte runs. This is exceptionally powerful because decryption happens in RAM: while the disk artifact may be encrypted or packed, the memory artifact exists in plaintext.
What Types of Memory Dumps Exist?
The scope of what is captured determines which evidence is available for analysis:
- Full Physical Memory Dump: Captures every byte of RAM including kernel structures, driver code and cached file data — the gold standard for full visibility.
- Minidump (.dmp): A compact process snapshot containing threads, register context, loaded modules and selected memory ranges. Windows Error Reporting writes one on a crash; Task Manager's "Create dump file" and tools such as procdump write the same format on demand, usually with full process memory included. Which memory is present depends on the flags used at capture time, so check the header before assuming a .dmp is worth running a string extractor over.
- Process Memory Dump: A targeted extraction of a single process's virtual address space. Ideal for analyzing specific suspicious applications.
- Hibernation File (hiberfil.sys): Preserves the contents of RAM on disk when the machine hibernates and survives reboots. The contents are stored compressed (Xpress), so convert the file to a raw image before carving strings. On Windows 8 and later with fast startup enabled, a shutdown writes only the kernel session to this file, so user-mode process memory is not there.
- Page File (pagefile.sys): Contains pages swapped out of RAM. Strings carved from it have no owning process and no ordering, but can recover artifacts from processes that ended hours earlier.
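A header check for the minidump format listed above, as an added example that is not part of the original page or of any Microsoft tooling. The structures follow the public MINIDUMP_HEADER and MINIDUMP_DIRECTORY layouts from dbghelp.h; the sample file is synthesised in build_sample_minidump() with empty streams and is not a real dump.

```python
"""Added example (not from the original page): read a minidump's header and
stream directory to see what evidence the file actually contains.

Layouts follow MINIDUMP_HEADER and MINIDUMP_DIRECTORY from dbghelp.h. The
sample file is synthesised in build_sample_minidump(); it is not a real dump.
"""
import struct

MINIDUMP_SIGNATURE = 0x504D444D   # "MDMP" read as a little-endian DWORD
MINIDUMP_VERSION = 0xA793         # low 16 bits of the Version field
MINIDUMP_WITH_FULL_MEMORY = 0x00000002

# MINIDUMP_STREAM_TYPE values relevant to memory analysis.
STREAM_NAMES = {
    3: "ThreadListStream",
    4: "ModuleListStream",
    5: "MemoryListStream",
    6: "ExceptionStream",
    7: "SystemInfoStream",
    9: "Memory64ListStream",
    16: "MemoryInfoListStream",
}

# Signature, Version, NumberOfStreams, StreamDirectoryRva, CheckSum, TimeDateStamp, Flags
HEADER = struct.Struct("<IIIIIIQ")
# StreamType, then the MINIDUMP_LOCATION_DESCRIPTOR: DataSize, Rva
DIRECTORY = struct.Struct("<III")


def looks_like_minidump(buf):
    """Cheap triage check: signature and version only."""
    if len(buf) < 8:
        return False
    sig, version = struct.unpack_from("<II", buf, 0)
    return sig == MINIDUMP_SIGNATURE and (version & 0xFFFF) == MINIDUMP_VERSION


def parse_minidump(buf):
    """Return header fields, the stream directory and whether memory content is present."""
    if len(buf) < HEADER.size:
        raise ValueError("file too short for a minidump header")
    sig, version, nstreams, dir_rva, _checksum, timestamp, flags = HEADER.unpack_from(buf, 0)
    if sig != MINIDUMP_SIGNATURE:
        raise ValueError("bad signature: not a minidump")
    if (version & 0xFFFF) != MINIDUMP_VERSION:
        raise ValueError(f"unexpected minidump version 0x{version & 0xFFFF:x}")
    if dir_rva + nstreams * DIRECTORY.size > len(buf):
        raise ValueError("stream directory runs past end of file")
    streams = []
    for i in range(nstreams):
        stype, size, rva = DIRECTORY.unpack_from(buf, dir_rva + i * DIRECTORY.size)
        if rva + size > len(buf):
            raise ValueError(f"stream type {stype} data runs past end of file")
        streams.append({"type": stype, "name": STREAM_NAMES.get(stype, f"Unknown({stype})"),
                        "size": size, "rva": rva})
    types = {s["type"] for s in streams}
    return {
        "timestamp": timestamp,
        "flags": flags,
        "streams": streams,
        # Only these two stream types carry memory content worth running a
        # string extractor over; everything else is metadata.
        "has_memory_content": bool(types & {5, 9}),
        "full_memory": bool(flags & MINIDUMP_WITH_FULL_MEMORY),
    }


def build_sample_minidump():
    """Synthesise a minimal, structurally valid minidump with four empty streams."""
    entries = [
        (3, b"\x00" * 4),    # ThreadListStream: NumberOfThreads = 0
        (4, b"\x00" * 4),    # ModuleListStream: NumberOfModules = 0
        (7, b"\x00" * 56),   # SystemInfoStream: zeroed MINIDUMP_SYSTEM_INFO
        (9, b"\x00" * 16),   # Memory64ListStream: NumberOfMemoryRanges = 0, BaseRva = 0
    ]
    dir_rva = HEADER.size
    data_rva = dir_rva + len(entries) * DIRECTORY.size
    directory, data = b"", b""
    for stype, body in entries:
        directory += DIRECTORY.pack(stype, len(body), data_rva + len(data))
        data += body
    header = HEADER.pack(MINIDUMP_SIGNATURE, MINIDUMP_VERSION, len(entries), dir_rva,
                         0, 0x65000000, MINIDUMP_WITH_FULL_MEMORY)
    return header + directory + data


if __name__ == "__main__":
    info = parse_minidump(build_sample_minidump())
    print("full memory:", info["full_memory"], "memory streams present:", info["has_memory_content"])
    for s in info["streams"]:
        print(f"  {s['name']:22} {s['size']:6d} bytes at rva {s['rva']}")
```

Running this on a crash dump from WER versus one written by Task Manager shows the practical difference: both are minidumps, but only the latter carries a Memory64ListStream and the full-memory flag, and therefore the heap and stack contents that string extraction depends on.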
What Evidence Can We Get from Process Memory Strings?
Memory strings can provide evidence that disk artifacts, logs and registry keys rarely hold:
- Credentials: NTLM hashes and Kerberos tickets cached in LSASS or in the memory of authenticated processes; plaintext passwords as well when WDigest caching is enabled and LSASS is not protected by PPL or Credential Guard.
- Command-Line Arguments: The exact parameters passed to a process at launch, preserved in the PEB (RTL_USER_PROCESS_PARAMETERS) even when command-line auditing is off.
- Decrypted Payloads: Malware decoded in memory after bypassing disk-level packing or encryption.
- C2 Infrastructure: Infrastructure domains, IP addresses and URI paths resolved before network transmission.
- Encryption Keys: Symmetric keys held in memory by ransomware during the encryption phase.
- Injection Artifacts: Traces of reflective loading or process hollowing found in host address spaces.
- Browser Data: Session cookies, form history and authenticated session tokens held in browser memory.
- IPC Content: Named pipe names and COM interface strings used for lateral movement.
- Anti-Forensic Indicators: Strings from tools built to erase disk-based evidence (event log clearing, timestomping, secure-delete utilities) still leave footprints in RAM after the disk artifacts are gone.
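The extraction described in the strings section and the evidence categories listed above, as one added example that is not part of the original page or of any tool's code. SAMPLE is a constructed byte buffer standing in for process memory; the hostnames, IP addresses, pipe name, password and encoded command in it are placeholders (documentation TLDs and TEST-NET ranges), not real indicators, and the category patterns are a deliberately small starting set.

```python
"""Added example (not from the original page): extract ASCII and UTF-16LE
strings from a memory buffer and sort them into evidence categories.

SAMPLE is a constructed byte buffer; its hostnames, IPs, pipe name and
credential are placeholders, not real indicators.
"""
import re


def extract_strings(buf, min_len=6):
    """Return sorted (offset, encoding, text) tuples for printable runs of >= min_len chars.

    Windows wide strings are UTF-16LE: every ASCII character is followed by a
    null byte, so a plain ASCII scan would miss them entirely.
    """
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [(m.start(), "ascii", m.group().decode("ascii")) for m in ascii_re.finditer(buf)]
    found += [(m.start(), "utf16", m.group().decode("utf-16le")) for m in utf16_re.finditer(buf)]
    return sorted(found)


# Category -> pattern, applied to each decoded string (illustrative, not exhaustive).
PATTERNS = [
    ("url", re.compile(r"https?://[^\s\"'<>]+", re.I)),
    ("ipv4", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}(?::\d{1,5})?\b")),
    ("named_pipe", re.compile(r"\\\\\.\\pipe\\[\w.-]+", re.I)),
    ("command_line", re.compile(r"\b[\w-]+\.exe\b\s+\S", re.I)),
    ("credential", re.compile(r"\b(?:password|passwd|pwd)\s*[=:]\s*\S+", re.I)),
]


def classify_strings(strings):
    """Group extracted strings by category; strings matching nothing are dropped."""
    hits = {}
    for offset, encoding, text in strings:
        for label, pattern in PATTERNS:
            if pattern.search(text):
                hits.setdefault(label, []).append((offset, encoding, text))
    return hits


# Constructed "memory": an ASCII command line, a UTF-16LE URL, a few binary
# bytes, a named pipe, a credential, a too-short run, and a UTF-16LE host:port.
SAMPLE = (
    b"\x00" * 16
    + b"powershell.exe -nop -w hidden -enc SQBFAFgA" + b"\x00" * 5
    + "https://updates.example-cdn.test/gate.php".encode("utf-16le") + b"\x00\x00"
    + b"\x90\x90\xcc\x12\x05"
    + b"\\\\.\\pipe\\msagent_4f2a" + b"\x00"
    + b"password=Winter2024!" + b"\x00" * 3
    + b"ab" + b"\x00" * 4
    + "203.0.113.45:8443".encode("utf-16le") + b"\x00\x00"
)

if __name__ == "__main__":
    strings = extract_strings(SAMPLE)
    for label, items in sorted(classify_strings(strings).items()):
        for offset, encoding, text in items:
            print(f"{label:13} {encoding:5} @0x{offset:06x}  {text}")
```

Keeping the offset with every string is what makes the result actionable: in a full memory image the offset maps back (via Volatility's strings plugin) to the owning process and virtual address, which turns "a C2 URL was in RAM" into "this process had the C2 URL in its heap".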