Memory Network
15/05/2026 Friday
The Memory Network artifacts represents network related activity identified during memory forensic processing. These artifacts provide a useful view of how the system was communicating over the network, which processes were associated with that activity, and which domain names or addresses may have been resolved during the captured period.
Digital Forensics Value of Memory Network
Memory Network artifacts can provide important evidence about network
activity that existed or could be reconstructed from the acquired memory
image. These artifacts can be used to identify observed connections,
listening services, local and remote addresses, ports, protocols,
process identifiers, process paths, DNS related data, and other network
details. This information allows network behavior to be connected with
the processes that were active in memory, making it easier to determine
which executable was responsible for a connection, service, or resolved
address.
Location of Memory Network
The Memory Network artifacts are not recovered from a fixed Windows system folder in the same way as registry hives, event logs, or application databases. These records are produced during memory forensic processing and are commonly found in the forensic output generated from the acquired memory image.
Analyzing Memory Network Artifacts with ArtiFast
This section will discuss how to use ArtiFast to extract Memory Network
artifacts from Windows devices’ volatile data and what kind of digital
forensics insights we can gain from the artifacts.
After you have created your case and added evidence for the
investigation, at the Artifact Selection phase, you can select the
Memory Network artifacts parser:
×
Once ArtiFast parsers plugins complete processing the artifact for analysis, it can be reviewed via “Artifact View” or “Timeline View,” with indexing, filtering, and searching capabilities. Below is a detailed description of the Memory Network artifacts in ArtiFast.
Memory Networks
- Destination Port: The destination port is shown in this field.
- Source Port: The local port used by the process is displayed here.
- Process: The name of the process associated with the network activity is shown here. This allows the connection to be linked with an executable observed in memory.
- Protocol: The protocol used by the record is displayed in this field, such as TCP, UDP, IPv4, or IPv6 variants.
- Destination Address: The remote address is shown here.
- Process Path: The recovered executable path is displayed here.
- Source Address: The local address used by the network record is shown in this field.
- Object: The memory object reference linked to the network structure.
- PID: The process identifier.
- State: The network state is displayed in this field.
Memory Network Events
- PID: The process identifier.
- Type: The event category is displayed in this field.
- Value32: A 32-bit value associated with the event is shown here.
- Action: The action value describes the type of event operation.
- Value64: A 64-bit value associated with the event is displayed here.
- Text: The readable network event details are shown here.
Memory Network DNS
- TTL: The time-to-live value is shown here.
- Data: The resolved data or target value is displayed in this field.
- Name: The queried or cached domain name is shown here.
- Flags: DNS flags are displayed in this field.
- Type: The DNS record type is shown here.
- Address: The memory address or object-related reference associated with the DNS entry is displayed here.
For more information or suggestions please contact: ali.tora@forensafe.com
