{"status":"ok","message-type":"work","message-version":"1.0.0","message":{
"indexed":{"date-parts":[[2026,5,18]],"date-time":"2026-05-18T10:21:11Z","timestamp":1779099671363,"version":"3.51.4"},
"reference-count":75,
"publisher":"MDPI AG",
"issue":"3",
"license":[{"start":{"date-parts":[[2022,7,20]],"date-time":"2022-07-20T00:00:00Z","timestamp":1658275200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],
"funder":[{"DOI":"10.13039\/100000015","name":"U.S. Department of Energy","doi-asserted-by":"publisher","award":["DE-AC52-07NA27344"],"award-info":[{"award-number":["DE-AC52-07NA27344"]}],"id":[{"id":"10.13039\/100000015","id-type":"DOI","asserted-by":"publisher"}]}],
"content-domain":{"domain":[],"crossmark-restriction":false},
"short-container-title":["JCP"],
"abstract":"<jats:p>The collection and analysis of volatile memory is a vibrant area of research in the cybersecurity community. The ever-evolving and growing threat landscape is trending towards fileless malware, which evades traditional file-based detection but can be found by examining a system\u2019s random access memory (RAM). Additionally, volatile memory analysis offers great insight into other malicious vectors. RAM contains fragments of encrypted files\u2019 contents, as well as lists of running processes, imported modules, and network connections, all of which are difficult or impossible to extract from the file system. For these compelling reasons, recent research efforts have focused on the collection of memory snapshots and methods to analyze them for the presence of malware. However, to the best of our knowledge, no current reviews or surveys exist that systematize the research on both memory acquisition and analysis. We fill that gap with this novel survey by exploring the state-of-the-art tools and techniques for volatile memory acquisition and analysis for malware identification. For memory acquisition methods, we explore the trade-offs many techniques make between snapshot quality, performance overhead, and security. For memory analysis, we examine the traditional forensic methods used, including signature-based methods, dynamic methods performed in a sandbox environment, and machine learning-based approaches. We summarize the currently available tools and suggest areas for further research.<\/jats:p>",
"DOI":"10.3390\/jcp2030028",
"type":"journal-article",
"created":{"date-parts":[[2022,7,20]],"date-time":"2022-07-20T11:22:24Z","timestamp":1658316144000},
"page":"556-572",
"update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy",
"source":"Crossref",
"is-referenced-by-count":35,
"title":["The Evolution of Volatile Memory Forensics"],
"prefix":"10.3390",
"volume":"2",
"author":[
{"given":"Hannah","family":"Nyholm","sequence":"first","affiliation":[{"name":"Lawrence Livermore National Laboratory, Livermore, CA 94550, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]},
{"given":"Kristine","family":"Monteith","sequence":"additional","affiliation":[{"name":"Lawrence Livermore National Laboratory, Livermore, CA 94550, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]},
{"given":"Seth","family":"Lyles","sequence":"additional","affiliation":[{"name":"Lawrence Livermore National Laboratory, Livermore, CA 94550, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]},
{"given":"Micaela","family":"Gallegos","sequence":"additional","affiliation":[{"name":"Lawrence Livermore National Laboratory, Livermore, CA 94550, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]},
{"given":"Mark","family":"DeSantis","sequence":"additional","affiliation":[{"name":"Lawrence Livermore National Laboratory, Livermore, CA 94550, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]},
{"given":"John","family":"Donaldson","sequence":"additional","affiliation":[{"name":"Lawrence Livermore National Laboratory, Livermore, CA 94550, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]},
{"given":"Claire","family":"Taylor","sequence":"additional","affiliation":[{"name":"Lawrence Livermore National Laboratory, Livermore, CA 94550, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]}
],
"member":"1968",
"published-online":{"date-parts":[[2022,7,20]]},
"reference":[
{"key":"ref_1","unstructured":"(2022, July 12). Cyberattacks 2021: Statistics from the Last Year. Available online: https:\/\/spanning.com\/blog\/cyberattacks-2021-phishing-ransomware-data-breach-statistics\/."},
{"key":"ref_2","unstructured":"(2022, July 12). What Is Fileless Malware? Available online: https:\/\/www.trellix.com\/en-us\/security-awareness\/ransomware\/what-is-fileless-malware.html."},
{"key":"ref_3","unstructured":"WatchGuard Technologies, Inc. (2022, July 12). New Research: Fileless Malware Attacks Surge by 900% and Cryptominers Make a Comeback, While Ransomware Attacks Decline. Available online: https:\/\/www.globenewswire.com\/news-release\/2021\/03\/30\/2201173\/0\/en\/New-Research-Fileless-Malware-Attacks-Surge-by-900-and-Cryptominers-Make-a-Comeback-While-Ransomware-Attacks-Decline.html#:~:text=Among%20its%20most%20notable%20findings,in%202020%20compared%20to%202019."},
{"key":"ref_4","doi-asserted-by":"crossref","first-page":"56","DOI":"10.1016\/j.diin.2019.01.001","article-title":"A universal taxonomy and survey of forensic memory acquisition techniques","volume":"28","author":"Latzo","year":"2019","journal-title":"Digit. Investig."},
{"key":"ref_5","doi-asserted-by":"crossref","first-page":"3","DOI":"10.1016\/j.diin.2011.06.002","article-title":"A Survey of Main Memory Acquisition and Analysis Techniques for the Windows Operating System","volume":"8","author":"Freiling","year":"2011","journal-title":"Digit. Investig."},
{"key":"ref_6","first-page":"88","article-title":"Dynamic Malware Analysis in the Modern Era\u2014A State of the Art Survey","volume":"52","author":"Nissim","year":"2019","journal-title":"ACM Comput. Surv."},
{"key":"ref_7","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1186\/s42400-019-0043-x","article-title":"An emerging threat Fileless Malware: A survey and research challenges","volume":"3","author":"Sudhakar","year":"2020","journal-title":"Cybersecurity"},
{"key":"ref_8","doi-asserted-by":"crossref","unstructured":"Taylor, J., Turnbull, B., and Creech, G. (2018, January 27\u201330). Volatile Memory Forensics Acquisition Efficacy: A Comparative Study towards Analysing Firmware-Based Rootkits. Proceedings of the 13th International Conference on Availability, Reliability and Security\u2014ARES 2018, Hamburg, Germany.","DOI":"10.1145\/3230833.3232810"},
{"key":"ref_9","doi-asserted-by":"crossref","unstructured":"Sanjay, B., Rakshith, D., Akash, R., and Hegde, V.V. (2018, January 20\u201322). An approach to detect fileless malware and defend its evasive mechanisms. Proceedings of the 2018 3rd International Conference on Computational Systems and Information Technology for Sustainable Solutions (CSITSS), Bengaluru, India.","DOI":"10.1109\/CSITSS.2018.8768769"},
{"key":"ref_10","doi-asserted-by":"crossref","first-page":"23","DOI":"10.1016\/j.diin.2016.12.004","article-title":"Memory forensics: The path forward","volume":"20","author":"Case","year":"2016","journal-title":"Digit. Investig."},
{"key":"ref_11","doi-asserted-by":"crossref","first-page":"125","DOI":"10.1016\/j.diin.2012.04.005","article-title":"Correctness, atomicity, and integrity: Defining criteria for forensically-sound memory acquisition","volume":"9","author":"Freiling","year":"2012","journal-title":"Digit. Investig."},
{"key":"ref_12","doi-asserted-by":"crossref","first-page":"8","DOI":"10.1145\/3310355","article-title":"Introducing the Temporal Dimension to Memory Forensics","volume":"22","author":"Pagani","year":"2019","journal-title":"ACM Trans. Priv. Secur."},
{"key":"ref_13","doi-asserted-by":"crossref","unstructured":"Aljaedi, A., Lindskog, D., Zavarsky, P., Ruhl, R., and Almari, F. (2011, January 9\u201311). Comparative Analysis of Volatile Memory Forensics: Live Response vs. Memory Imaging. Proceedings of the 2011 IEEE Third International Conference on Privacy, Security, Risk and Trust and 2011 IEEE Third International Conference on Social Computing, Boston, MA, USA.","DOI":"10.1109\/PASSAT\/SocialCom.2011.68"},
{"key":"ref_14","doi-asserted-by":"crossref","first-page":"S105","DOI":"10.1016\/j.diin.2013.06.012","article-title":"Anti-forensic resilient memory acquisition","volume":"10","author":"Cohen","year":"2013","journal-title":"Digit. Investig."},
{"key":"ref_15","unstructured":"Sylve, J. Lime-linux memory extractor. Proceedings of the 7th ShmooCon Conference, Washington, DC, USA."},
{"key":"ref_16","unstructured":"Russinovich, M., and Richards, A. (2022, July 12). ProcDump v10.11. Available online: https:\/\/docs.microsoft.com\/en-us\/sysinternals\/downloads\/procdump."},
{"key":"ref_17","first-page":"71","article-title":"A Study: Volatility Forensic on Hidden Files","volume":"2","author":"Safitri","year":"2013","journal-title":"Int. J. Sci. Res."},
{"key":"ref_18","unstructured":"(2022, July 12). Volatility. Available online: https:\/\/github.com\/volatilityfoundation\/volatility."},
{"key":"ref_19","unstructured":"(2022, July 12). GDB. Available online: https:\/\/www.sourceware.org\/gdb\/."},
{"key":"ref_20","unstructured":"(2022, July 12). WinDbg. Available online: https:\/\/docs.microsoft.com\/en-us\/windows-hardware\/drivers\/debugger\/."},
{"key":"ref_21","unstructured":"(2022, July 12). Visual Studio. Available online: https:\/\/docs.microsoft.com\/en-us\/visualstudio\/debugger\/using-dump-files?view=vs-2022."},
{"key":"ref_22","unstructured":"(2022, July 12). VMWare. Available online: https:\/\/www.vmware.com\/."},
{"key":"ref_23","unstructured":"(2022, July 12). LibVMI. Available online: https:\/\/github.com\/libvmi\/libvmi."},
{"key":"ref_24","doi-asserted-by":"crossref","unstructured":"Jha, S., Sommer, R., and Kreibich, C. (2010). Live and Trustworthy Forensic Analysis of Commodity Production Systems. Recent Advances in Intrusion Detection, Springer.","DOI":"10.1007\/978-3-642-15512-3"},
{"key":"ref_25","doi-asserted-by":"crossref","first-page":"22","DOI":"10.1016\/j.diin.2012.04.002","article-title":"Vis: Virtualization enhanced live forensics acquisition for native system","volume":"9","author":"Yu","year":"2012","journal-title":"Digit. Investig."},
{"key":"ref_26","doi-asserted-by":"crossref","first-page":"23","DOI":"10.1016\/j.ins.2016.07.019","article-title":"A lightweight live memory forensic approach based on hardware virtualization","volume":"379","author":"Cheng","year":"2017","journal-title":"Inf. Sci."},
{"key":"ref_27","unstructured":"Oleksiuk, D. (2022, July 12). Building Reliable SMM Backdoor for UEFI Based Platforms. Available online: http:\/\/blog.cr4.sh\/2015\/07\/building-reliable-smm-backdoor-for-uefi.html."},
{"key":"ref_28","unstructured":"(2022, July 12). PCILeech. Available online: https:\/\/github.com\/ufrisk\/pcileech."},
{"key":"ref_29","unstructured":"(2022, July 12). Inception. Available online: https:\/\/github.com\/carmaa\/inception."},
{"key":"ref_30","doi-asserted-by":"crossref","unstructured":"Cox, G., Yan, Z., Bhattacharjee, A., and Ganapathy, V. (2018, January 19\u201321). Secure, Consistent, and High-Performance Memory Snapshotting. Proceedings of the CODASPY\u201918: Proceedings of the Eighth ACM Conference on Data and Application Security and Privacy, Tempe, AZ, USA.","DOI":"10.1145\/3176258.3176325"},
{"key":"ref_31","unstructured":"Besler, F., Willems, C., and Hund, R. (2017, January 11\u201316). Countering innovative sandbox evasion techniques used by malware. Proceedings of the 29th Annual FIRST Conference, San Juan, Puerto Rico."},
{"key":"ref_32","unstructured":"(2022, July 12). Rekall. Available online: https:\/\/github.com\/google\/rekall."},
{"key":"ref_33","unstructured":"(2022, July 12). Cellebrite Inspector. Available online: https:\/\/cellebrite.com\/en\/inspector\/."},
{"key":"ref_34","unstructured":"(2022, July 12). FireEye Redline. Available online: https:\/\/www.fireeye.com\/services\/freeware\/redline.html."},
{"key":"ref_35","unstructured":"(2022, July 12). Magnet Axiom. Available online: https:\/\/www.magnetforensics.com\/products\/magnet-axiom\/."},
{"key":"ref_36","unstructured":"(2022, July 12). WindowsSCOPE. Available online: http:\/\/www.windowsscope.com\/windowsscope-cyber-forensics\/."},
{"key":"ref_37","unstructured":"(2022, July 12). Volatility Foundation. Available online: https:\/\/www.volatilityfoundation.org\/."},
{"key":"ref_38","unstructured":"(2022, July 12). Volatility Community Plugins. Available online: https:\/\/github.com\/volatilityfoundation\/community."},
{"key":"ref_39","doi-asserted-by":"crossref","first-page":"S86","DOI":"10.1016\/j.diin.2017.06.011","article-title":"Gaslight: A comprehensive fuzzing architecture for memory forensics frameworks","volume":"22","author":"Case","year":"2017","journal-title":"Digit. Investig."},
{"key":"ref_40","doi-asserted-by":"crossref","unstructured":"Meyers, C., Ikuesan, A.R., and Venter, H.S. (2017, January 13\u201314). Automated RAM analysis mechanism for windows operating system for digital investigation. Proceedings of the 2017 IEEE Conference on Application, Information and Network Security (AINS), Miri, Sarawak, Malaysia.","DOI":"10.1109\/AINS.2017.8270430"},
{"key":"ref_41","unstructured":"Auty, M., and Case, A. (2019, January 15\u201317). Volatility 3 Public Beta: Insider\u2019s Preview. Proceedings of the OSDFCon 2019, Open Source Digital Forensics Conference, Herndon, VA, USA."},
{"key":"ref_42","unstructured":"Ligh, M.H., Case, A., Levy, J., and Walters, A. (2014). The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory, John Wiley & Sons."},
{"key":"ref_43","doi-asserted-by":"crossref","unstructured":"Cohen, M. (2015, January 6\u20139). Forensic analysis of windows user space applications through heap allocations. Proceedings of the 2015 IEEE Symposium on Computers and Communication (ISCC), Larnaca, Cyprus.","DOI":"10.1109\/ISCC.2015.7405522"},
{"key":"ref_44","unstructured":"(2022, July 12). Available online: http:\/\/virustotal.github.io\/yara\/."},
{"key":"ref_45","doi-asserted-by":"crossref","first-page":"34","DOI":"10.1016\/j.diin.2017.02.005","article-title":"Scanning memory with Yara","volume":"20","author":"Cohen","year":"2017","journal-title":"Digit. Investig."},
{"key":"ref_46","unstructured":"Orgah, A., Richard, G., and Case, A. (2021, January 25\u201326). MemForC: Memory Forensics Corpus Creation for Malware Analysis. Proceedings of the International Conference on Cyber Warfare and Security, Cookeville, TN, USA."},
{"key":"ref_47","first-page":"9","article-title":"Compression of Virtual-Machine Memory in Dynamic Malware Analysis","volume":"12","author":"Fowler","year":"2017","journal-title":"J. Digit. Forensics Secur. Law"},
{"key":"ref_48","doi-asserted-by":"crossref","unstructured":"Brengel, M., and Rossow, C. (2018, January 28\u201329). MemScrimper: Time- and Space-Efficient Storage of Malware Sandbox Memory Dumps. Proceedings of the International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, Saclay, France.","DOI":"10.1007\/978-3-319-93411-2_2"},
{"key":"ref_49","doi-asserted-by":"crossref","unstructured":"Pendergrass, J.A., Hull, N., Clemens, J., Helble, S., Thober, M., McGill, K., Gregory, M., and Loscocco, P. (2019). Technical report: A toolkit for runtime detection of userspace implants. arXiv.","DOI":"10.1109\/MILCOM47813.2019.9020783"},
{"key":"ref_50","unstructured":"Kruegel, C. (2014, January 2\u20137). Full system emulation: Achieving successful automated dynamic analysis of evasive malware. Proceedings of the BlackHat USA Security Conference, Las Vegas, NV, USA."},
{"key":"ref_51","unstructured":"(2022, July 12). AnyRun. Available online: https:\/\/any.run\/."},
{"key":"ref_52","unstructured":"(2022, July 12). CrowdStrike Falcon. Available online: https:\/\/www.crowdstrike.com\/products\/threat-intelligence\/falcon-sandbox-malware-analysis\/."},
{"key":"ref_53","unstructured":"(2022, July 12). FireEye. Available online: https:\/\/www.fireeye.com\/."},
{"key":"ref_54","unstructured":"(2022, July 12). Joe Security. Available online: https:\/\/www.joesecurity.org\/."},
{"key":"ref_55","unstructured":"(2022, July 12). Palo Alto Wildfire. Available online: https:\/\/www.paloaltonetworks.com\/products\/secure-the-network\/wildfire\/."},
{"key":"ref_56","unstructured":"(2022, July 12). VirusTotal. Available online: https:\/\/www.virustotal.com\/gui\/."},
{"key":"ref_57","unstructured":"(2022, July 12). Cuckoo Sandbox. Available online: https:\/\/cuckoosandbox.org\/."},
{"key":"ref_58","unstructured":"(2022, July 12). Drakvuf. Available online: https:\/\/drakvuf-sandbox.readthedocs.io\/en\/latest\/."},
{"key":"ref_59","unstructured":"(2022, July 12). Sandboxie. Available online: https:\/\/github.com\/sandboxie."},
{"key":"ref_60","unstructured":"(2022, July 12). FireEye SpeakEasy. Available online: https:\/\/github.com\/fireeye\/speakeasy."},
{"key":"ref_61","doi-asserted-by":"crossref","unstructured":"Murthaja, M., Sahayanathan, B., Munasinghe, A., Uthayakumar, D., Rupasinghe, L., and Senarathne, A. (2019, January 5\u20136). An Automated Tool for Memory Forensics. Proceedings of the 2019 International Conference on Advancements in Computing (ICAC), Malabe, Sri Lanka.","DOI":"10.1109\/ICAC49085.2019.9103416"},
{"key":"ref_62","doi-asserted-by":"crossref","first-page":"251","DOI":"10.1016\/j.cose.2015.04.001","article-title":"AMAL: High-fidelity, behavior-based automated malware analysis and classification","volume":"52","author":"Mohaisen","year":"2015","journal-title":"Comput. Secur."},
{"key":"ref_63","doi-asserted-by":"crossref","unstructured":"Tien, C.W., Liao, J.W., Chang, S.C., and Kuo, S.Y. (2017, January 7\u201310). Memory forensics using virtual machine introspection for Malware analysis. Proceedings of the 2017 IEEE Conference on Dependable and Secure Computing, Taipei, Taiwan.","DOI":"10.1109\/DESEC.2017.8073871"},
{"key":"ref_64","first-page":"126","article-title":"Malware dynamic analysis evasion techniques: A survey","volume":"52","author":"Afianian","year":"2019","journal-title":"ACM Comput. Surv. (CSUR)"},
{"key":"ref_65","doi-asserted-by":"crossref","unstructured":"Yokoyama, A., Ishii, K., Tanabe, R., Papa, Y., Yoshioka, K., Matsumoto, T., Kasama, T., Inoue, D., Brengel, M., and Backes, M. (2016, January 19\u201321). Sandprint: Fingerprinting malware sandboxes to provide intelligence for sandbox evasion. Proceedings of the International Symposium on Research in Attacks, Intrusions, and Defenses, Paris, France.","DOI":"10.1007\/978-3-319-45719-2_8"},
{"key":"ref_66","unstructured":"Chailytko, A., and Skuratovich, S. (2017, January 13\u201315). Defeating sandbox evasion: How to increase the successful emulation rate in your virtual environment. Proceedings of the ShmooCon 2017, Washington, DC, USA."},
{"key":"ref_67","first-page":"366","article-title":"A survey of malware detection techniques based on machine learning","volume":"10","author":"Hajraoui","year":"2019","journal-title":"Int. J. Adv. Comput. Sci. Appl."},
{"key":"ref_68","doi-asserted-by":"crossref","first-page":"101861","DOI":"10.1016\/j.sysarc.2020.101861","article-title":"A survey on machine learning-based malware detection in executable files","volume":"112","author":"Singh","year":"2020","journal-title":"J. Syst. Archit."},
{"key":"ref_69","doi-asserted-by":"crossref","first-page":"3","DOI":"10.1186\/s13673-018-0125-x","article-title":"A state-of-the-art survey of malware detection approaches using data mining techniques","volume":"8","author":"Souri","year":"2018","journal-title":"Hum.-Centric Comput. Inf. Sci."},
{"key":"ref_70","doi-asserted-by":"crossref","first-page":"222310","DOI":"10.1109\/ACCESS.2020.3041951","article-title":"A Survey on Machine Learning Techniques for Cyber Security in the Last Decade","volume":"8","author":"Shaukat","year":"2020","journal-title":"IEEE Access"},
{"key":"ref_71","doi-asserted-by":"crossref","unstructured":"Aghaeikheirabady, M., Farshchi, S.M.R., and Shirazi, H. (2014, January 26\u201327). A new approach to malware detection by comparative analysis of data structures in a memory image. Proceedings of the 2014 International Congress on Technology, Communication and Knowledge (ICTCK), Mashhad, Iran.","DOI":"10.1109\/ICTCK.2014.7033519"},
{"key":"ref_72","doi-asserted-by":"crossref","first-page":"e6672","DOI":"10.1002\/cpe.6672","article-title":"Process based volatile memory forensics for ransomware detection","volume":"34","author":"Arfeen","year":"2022","journal-title":"Concurr. Comput. Pract. Exp."},
{"key":"ref_73","doi-asserted-by":"crossref","unstructured":"Lashkari, A.H., Li, B., Carrier, T.L., and Kaur, G. (2021, January 18\u201319). VolMemLyzer: Volatile Memory Analyzer for Malware Classification using Feature Engineering. Proceedings of the 2021 Reconciling Data Analytics, Automation, Privacy, and Security: A Big Data Challenge (RDAAPS), Hamilton, ON, Canada.","DOI":"10.1109\/RDAAPS48126.2021.9452028"},
{"key":"ref_74","doi-asserted-by":"crossref","unstructured":"Xu, Z., Ray, S., Subramanyan, P., and Malik, S. (2017, January 27\u201331). Malware detection using machine learning based analysis of virtual memory access patterns. Proceedings of the Design, Automation & Test in Europe Conference & Exhibition (DATE), Lausanne, Switzerland.","DOI":"10.23919\/DATE.2017.7926977"},
{"key":"ref_75","doi-asserted-by":"crossref","first-page":"102166","DOI":"10.1016\/j.cose.2020.102166","article-title":"Catch them alive: A malware detection approach through memory forensics, manifold learning and computer vision","volume":"103","author":"Bozkir","year":"2021","journal-title":"Comput. Secur."}
],
"container-title":["Journal of Cybersecurity and Privacy"],
"original-title":[],
"language":"en",
"link":[{"URL":"https:\/\/www.mdpi.com\/2624-800X\/2\/3\/28\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],
"deposited":{"date-parts":[[2025,10,10]],"date-time":"2025-10-10T23:54:30Z","timestamp":1760140470000},
"score":1,
"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/2624-800X\/2\/3\/28"}},
"subtitle":[],
"short-title":[],
"issued":{"date-parts":[[2022,7,20]]},
"references-count":75,
"journal-issue":{"issue":"3","published-online":{"date-parts":[[2022,9]]}},
"alternative-id":["jcp2030028"],
"URL":"https:\/\/doi.org\/10.3390\/jcp2030028",
"relation":{},
"ISSN":["2624-800X"],
"issn-type":[{"value":"2624-800X","type":"electronic"}],
"subject":[],
"published":{"date-parts":[[2022,7,20]]}
}}