Authors: Lisa Rzepka, Benedikt Mader, Zinaida Benenson, Harald Baier

DFRWS USA 2026

Abstract

In order to detect, mitigate, and respond to stealthy attacks such as Living off the Land (LOTL) and fileless malware, an in-depth analysis of the affected main memory is unavoidable. While live analysis provides initial insights into malicious activity, acquiring and analyzing a main memory dump offers a more substantial and deeper view of the system. However, acquiring main memory is a complex task that often leads to inconsistencies. Although this is common knowledge within the field, the forensics community currently lacks details about the actual usage of main memory forensics and its pros and cons. To remedy this blind spot, this paper presents the results of a survey conducted with memory forensics practitioners. Based on 31 comprehensively answered questionnaires, we gain insights into preferred methods of memory acquisition (i.e., kernel-level software) and related concerns (i.e., system crashes during dumping). With respect to memory analysis, common use cases include obtaining information about processes and network connections, as well as indicators of malware on the system. Although inconsistencies in a memory dump are rather common, the survey reveals that the correctness of a memory dump is postulated rather than thoroughly tested. Hence, as a step toward more reliable memory acquisition, we point out key issues during software-based memory dumping.