U.S. flag

An official website of the United States government, Department of Justice.

Reconstructing User Activities from a Memory Dump

Event Dates

Child exploitation cases often involve analyzing digital device storage drives to reconstruct user activities. While much can be learned from disk analysis, Random Access Memory (RAM) is a particularly rich source of potential evidence related to user activities. Specifically, reconstruction of user activities from a RAM dump can help establish both a suspect's awareness and intent. This webinar will cover RAM basics, acquisition, triage, and user-activity reconstruction from a RAM dump. We will demonstrate free tools and analysis with Volatility.

Presented by:
Dr. Joshua James, Freelance Digital Forensic Scientist, DFIR Science, LLC


Date Created: June 23, 2022