So a little bit more about what RAM contains, in case you're not convinced yet. It contains programs and files that have been executed or opened. Think about the phone or computer you've been using today. How many programs did you run? How many apps did you open? Whenever you open something on that device, the program is loaded into its RAM. If you downloaded a picture from Instagram or a web page, or played a game, that data and the connection to the game server are also loaded into RAM, and the game client does something with that data. Everything happens in memory. The same goes for files: any file you opened today is probably still resident in your RAM right now, even if you closed it. That includes encrypted or password-protected files. If you opened such a file and decrypted it, or entered the password so you could see it, most likely the decrypted data is still resident in memory, and we can recover it without the password and without having to break the encryption. So RAM is very important for data recovery.

Next, what programs accessed what files? This is very interesting, and it's one reason RAM is used so much in malware analysis. If a suspect says they've never seen a particular file before, but we have a copy of RAM, we can see which programs accessed which files. If we know a certain program was opened and was accessing a certain file, we now have the time the application was opened, possibly some of the file's contents loaded in memory, and the program the suspect most likely used to open that file. That's really powerful in an interview or in court.

Then, where opened files were located on disk. As I said, if you open a file that has to be decrypted, the decrypted version is in memory. More generally, when you open a file it gets loaded into memory, and if you then delete it from the hard drive, the copy on disk is gone but the copy in RAM still exists. As long as the program that opened the file is still running, that copy is still in memory. If you close the program, there's now no file on disk and the program has released its memory, so the data can potentially be unloaded. But objects in RAM usually don't get removed from memory immediately. Sometimes they do, but most of the time they don't. So if the program was closed but that file was open in memory at some point between the time the computer was turned on and the time we arrived on scene, we might be able to recover the contents from memory, or at least see which program opened the file and the full path to where it used to be. Then we know that file was on the hard drive at one time. So: where open files were located, even if they were deleted.

Anything typed. When you type on your keyboard, the keystrokes go into a buffer in RAM before being handed to the web page, email, Word document, or chat you're typing into. Passwords are a good example: on screen you might see only dots because the program is masking the field, but in the backend, in RAM, the buffer holds the user's actual password. That's interesting because people type their passwords all day for different websites. With a copy of RAM you can potentially build password lists, or lists of names and usernames, from what people have been typing. So anything typed: passwords, usernames, emails, chats. Think about everything you type in a day; all of it passes through memory.

Open web pages, even in private mode. Private mode in most browsers tries not to write anything to the hard drive, so instead it keeps everything in RAM and, when you're done, essentially discards it. But it isn't completely erased. While you're browsing in private mode, all of your activity is still loaded into memory; if it weren't, private mode couldn't work, because you couldn't see anything on your screen. This holds even if you're using something like Tor Browser: private mode plus onion URLs. You can potentially recover all of that and even rebuild web pages just from what's resident in memory. So it's an excellent data source if you're interested in browsing behavior.

Web page contents, including images and video. As I said, images and video downloaded from the web get loaded into memory first as network traffic, but then your browser, or whatever program is displaying them, also has to load the decoded data into memory. So you can either see the network traffic or see the contents the applications are loading.

Decrypted content I've already covered. If you have an encrypted file, or even an encrypted disk, and you decrypt that data and interact with it in some way, the decrypted data has to be loaded into memory, because you need access to it in the clear. Where else would the computer store it? Not on the hard drive, because that wouldn't make any sense. So it stores it in RAM, and you can potentially recover decrypted content, deleted content, and so on.

Content that's no longer on disk, which I've also touched on: if you open a file, close the program, and then delete the file, that file is quite likely still resident in memory. And content that was never on disk: things downloaded from the internet, RAM disks (special disks that behave like a hard drive but exist only in memory), and live CDs. For example, the Tails secure live CD doesn't store anything on disk unless you turn on persistence. You boot the computer, the system loads into memory, and the entire operating system runs from RAM, so when you shut the computer off, everything that happened in that session is lost. But if you come in while a system is running Tails and take a copy of RAM, you still get all the data from the current session. Even content that was never going to be written to disk is in memory, because the computer used it.

Does the computer keep everything in memory forever? No. If a computer has very little RAM and somebody is running a lot of programs, the space in RAM gets reused faster. So the less RAM somebody has, the less you're probably going to recover. But most computers these days have 8 GB, 16 GB, or more, which is plenty for most applications. When a program is loaded into memory and later closed, its pages aren't wiped right away; the operating system only reclaims that space when it needs room for new programs, so the old contents often linger until they're overwritten. The less RAM a computer has, the less likely you'll get a lot of this data, but on a normal system you can get quite a bit.

And then one more I've talked about a little: network traffic. If your computer is connected, it's constantly talking to the internet, and all of that network traffic is loaded into RAM to be processed.
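To make the recovery idea concrete, here is an added example, not part of the lecture and not any particular tool's code, showing the most basic form of what memory forensics tools do with these artifacts: carve printable strings out of a raw RAM image, in both ASCII and UTF-16LE (Windows user-mode strings such as Explorer paths and window titles are mostly UTF-16LE, so a plain `strings` pass misses them), and classify the hits into the artifact classes discussed above: file paths from deleted or closed files, URLs from private-mode tabs, typed e-mail addresses, and HTTP request buffers from network traffic. The "image" is a constructed byte string built in-line so the script runs offline; a real capture would come from a memory acquisition tool and would normally be parsed with a structure-aware framework rather than pattern matching alone.

```python
import re
from collections import defaultdict

# Minimum run length for a printable string to count (same idea as `strings -n`).
MIN_LEN = 6

# Artifact classes from the lecture. Patterns are applied to decoded text, so one
# pattern serves both ASCII and UTF-16LE runs.
ARTIFACT_PATTERNS = {
    "win_path": re.compile(r'[A-Za-z]:\\(?:[^\\<>:"|?*\x00-\x1f]+\\)*[^\\<>:"|?*\x00-\x1f]+'),
    "url": re.compile(r"https?://[A-Za-z0-9._~:/?#@!$&'()*+,;=%-]+"),
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}"),
    "http_request": re.compile(r"(?:GET|POST|PUT) /\S* HTTP/1\.[01]"),
}


def extract_strings(image, min_len=MIN_LEN):
    """Yield (offset, encoding, text) for printable runs in the image.

    Two passes: plain ASCII runs, then UTF-16LE runs (printable byte followed by
    a NUL). An ASCII-only scan would see Windows paths as runs of length 1.
    """
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, image):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, image):
        yield m.start(), "utf-16le", m.group().decode("utf-16-le")


def carve_artifacts(image):
    """Return {artifact_class: [(image_offset, encoding, match), ...]}, sorted by offset."""
    found = defaultdict(list)
    for offset, enc, text in extract_strings(image):
        width = 2 if enc == "utf-16le" else 1  # bytes per character in the image
        for name, pat in ARTIFACT_PATTERNS.items():
            for m in pat.finditer(text):
                found[name].append((offset + m.start() * width, enc, m.group()))
    return {name: sorted(hits) for name, hits in found.items()}


def build_sample_image():
    """Constructed stand-in for a RAM dump (not a real capture).

    Artifacts are separated by filler (NULs plus non-printable bytes), some stored
    as ASCII and some as UTF-16LE the way Windows applications keep them.
    """
    filler = b"\x00" * 64 + bytes(range(1, 32)) + b"\x00" * 64
    chunks = [
        filler,
        # Path of a document that may since have been deleted from disk (Explorer/Word keep it as UTF-16LE).
        "C:\\Users\\alice\\Documents\\plan.docx".encode("utf-16-le"),
        b"\x00\x00" + filler,
        # URL from a private-mode tab, held by the browser as ASCII.
        b"https://example.com/login?user=alice",
        filler,
        # Address typed into a form field (edit-control buffer, UTF-16LE).
        "alice@example.com".encode("utf-16-le"),
        b"\x00\x00" + filler,
        # Network traffic buffer awaiting processing.
        b"GET /inbox HTTP/1.1\r\nHost: mail.example.com\r\n",
        filler,
    ]
    return b"".join(chunks)


if __name__ == "__main__":
    for name, hits in carve_artifacts(build_sample_image()).items():
        for off, enc, text in hits:
            print(f"{off:#010x}  {name:<12} {enc:<8} {text}")
```

The offsets returned are byte offsets into the image, which is what you need to go back and look at the surrounding memory (for example, to find the process that owned the page). Pointing `carve_artifacts` at `open("memory.raw", "rb").read()` works for small images; for multi-gigabyte captures you would scan in chunks with overlap so a string straddling a chunk boundary is not lost.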