D4 · Operations

What is memory forensics?

Memory forensics analyzes RAM dumps (memory images) to recover running processes, injected code, encryption keys, network connections, and credentials — it is especially valuable against fileless malware, which leaves little or nothing on disk.
Tools: Volatility, Rekall. Key artifacts in memory: the process list, network connections, command history, encryption keys, injected DLLs, and malware that hides itself from the normal process list. Capture memory before shutdown, because RAM contents are lost when the system powers off.