Skip to content
Log in

Physical memory image

Definition

A byte-for-byte copy of all installed RAM on a running system, acquired at the hardware or kernel level. Contains all data structures, process content, and kernel objects present in memory at the moment of capture.

Related terms

LiME (Linux Memory Extractor)
A loadable kernel module that acquires physical memory from Linux, macOS, and Android systems. It maps the physical address space and either...
Order of volatility
The sequence in which digital evidence should be collected, ranked from most to least transient. Defined in RFC 3227. CPU registers and...
Process injection
A technique used by malware and attackers to execute code inside the address space of a legitimate running process. Common methods include...
Reflective DLL loading
A technique that loads a Windows DLL directly from memory without registering it with the OS loader. The DLL resolves its own...
Volatility Framework
An open-source memory forensics framework written in Python. It parses raw memory images using OS-specific symbol information to reconstruct kernel data structures...

Explained in

Your journey to becoming a forensic professional starts here.

Practice with mock tests, learn from structured notes, and get your questions answered by a global forensic community, all in one place.

Continue learningCreate Your Account