So random access memory is fast temporary storage. It's faster than your hard drive. And things that we want to store, like our files, we want to keep long term. We put them on our hard drive, but a hard drive is relatively slow. It can be very large, so we can fit a lot of things on it, but hard drive access is quite slow. The processor actually needs to get the data faster than what a hard drive is capable of or what it's usually capable of. So what we do instead is have a smaller, much faster temporary storage location where we can load programs and load data; that way the processor can access that data quicker. And that's essentially what RAM is.
So a hard drive: slow, but very large storage, too slow basically for the processor to use it effectively. Kind of the medium size storage is random access memory. It's much faster, but also much more expensive and much smaller. And then there's the processor and the processor cache, the smallest of all, but also the fastest, okay.
So what we're focusing on today is random access memory. It's the fast temporary storage that we're dealing with. Now there is no file system. It's all controlled by something called a memory management unit. For our analysis, we don't really have to care too much about how RAM is managed. What we do need to think about is how it's different from a hard drive. So if you've ever done a hard drive investigation before, you've most likely collected an image of the hard drive, looked at a partition on a hard drive. And on that partition, you found a file system. So that file system lets us find data that's stored on that hard drive. Well, RAM doesn't have a file system. It's something called the memory management unit; that is, basically the operating system keeps track of where all of the data is in memory. It's not really meant for users to access the data in memory. So it doesn't have to be straightforward, let's say.
But for investigators, it's very interesting for us to be able to access that data. There is no file system; the operating system's memory management unit keeps track of where the data is in RAM. That makes it a little bit different than a hard drive.
It's used like a working area when the computer is on. So like I said, the hard drive is our long term storage; RAM is kind of like a workspace, right? So you want your workspace clear. And every time you turn on the computer, you clean off the workspace. And now you have a place to basically store and work with your files. Whenever you're done with them, you save them back to the hard drive. But whenever you need to do something with them, you load them into memory. So RAM is essentially a working space or a work area for your computer. It's kind of the temporary storage. It's not meant for long term storage.
Computers, phones, IoT devices, etc., all have RAM. Almost any digital device that you deal with these days is going to have RAM or something like RAM. So if you're dealing with a computer, it definitely has random access memory. If you're dealing with a mobile phone, it also has random access memory. IoT devices in your homes can have and most of them do have random access memory. But you'll find random access memory in a lot of places. But it's more difficult usually to access random access memory on these devices than it is for just a computer, especially compared to, like, getting access to a hard drive, data on a hard drive. It's much more difficult to access the random access memory. And that is because you can only access random access memory whenever the computer is on, right? So if you shut the computer down, all of the data in random access memory or RAM is going to be lost. Okay, so we do not shut the computer down whenever we want to access random access memory.
All user activities on the device touch RAM in some way.
So think about, even think about this video: you're watching this video on your computer or your phone right now. And basically the data from this video is being downloaded by your phone from a server on the internet. That data is getting downloaded to your phone, and then being processed, and then being shown to you on the screen. If you can see it on the screen, if it's being downloaded and processed, all of that data is going through RAM on your device. Okay, which means that if we were to look at your RAM right now, we could probably recover some part of this specific video because your device is watching it, which means some part of this data for the video has been loaded into your random access memory. Right.
So all user activities on the device touch RAM in some way. If you move a mouse on your computer, if you move the cursor, that's a change in random access memory. If you open up a program, you're loading that program into random access memory. If you browse to a website, even in private mode on a browser, all of that is loaded into random access memory, and then you're downloading web pages into your computer's random access memory. So a lot of this data will never be written to your hard drive. Right. So if you're just browsing a website, if you're watching a video, most likely that data is going to stay in memory, you're going to use it and then the computer doesn't need it anymore. So it just deletes it or unallocates it from RAM and it never writes that data to your hard drive.
Well, most of what we do in forensics is actually disk, hard drive forensics. Right. But a lot of the activities that a user does will only ever be in RAM. They will never be on the hard drive. Right. So if we want a complete picture of what a user has been doing, we need to get a copy of RAM along with the hard drive to build up the entire story. So they go together. Okay. So all user activities on the device touch RAM in some way.
And that's why it's so important to collect RAM and use it in your digital investigations.
Unfortunately, most first responders, at least for now, do not collect random access memory. A lot of it is just because, like I said, it's more difficult to work with. If a first responder hasn't been trained on how to deal with a suspect or victim's computer while that computer is on, then it gets more complicated because that first responder has a lot more potential to modify evidence on the system since the computer is on. So accessing random access memory to be able to make an acquisition, to be able to copy data from RAM, is a lot harder because we have to do something called live data forensics, which I'll talk about in a second. So most first responders do not collect RAM. And most digital forensic investigators are in the lab; they're probably not going to be part of the first response team in most cases, right? So it's not routine to collect random access memory yet, although it is extremely useful to digital investigations that they do so.