
RAM Dump


A RAM dump is a complete copy of a system’s working memory at a specific point in time. In digital forensics it reveals information absent from the hard drive: running processes, open network connections, decrypted passwords, and malware fragments. The capture must happen before the system is shut down because RAM contents are volatile. Specialized tools such as WinPmem or LiME are used for this purpose. In an incident-response workflow, a RAM dump is among the first evidence-collection steps. A documented chain of custody ensures the results remain admissible later.
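The following added example, which is not part of the original glossary entry, shows one way to support the chain of custody for an image written in LiME's native `lime` format: it walks each memory-range header, rejects a truncated or malformed capture, and returns the SHA-256 of the file for the custody log. The function names, examiner ID, timestamp and two-range sample image are constructed for illustration.

```python
import hashlib
import io
import struct

LIME_MAGIC = 0x4C694D45                  # ASCII "LiME"
RANGE_HEADER = struct.Struct("<IIQQ8s")  # magic, version, start, end (inclusive), reserved

def custody_record(stream, examiner, acquired_utc):
    """Validate every LiME range in the image and hash the file as acquired."""
    digest, ranges = hashlib.sha256(), []
    while raw := stream.read(RANGE_HEADER.size):
        if len(raw) < RANGE_HEADER.size:
            raise ValueError("truncated range header")
        magic, version, start, end, _ = RANGE_HEADER.unpack(raw)
        if magic != LIME_MAGIC or version != 1 or end < start:
            raise ValueError(f"bad range header at offset {stream.tell() - len(raw)}")
        digest.update(raw)
        remaining = end - start + 1      # bytes of physical RAM in this range
        while remaining:
            chunk = stream.read(min(remaining, 1 << 20))
            if not chunk:                # file ends before the range does
                raise ValueError(f"range {start:#x}-{end:#x} is truncated")
            digest.update(chunk)
            remaining -= len(chunk)
        ranges.append((start, end))
    if not ranges:
        raise ValueError("no LiME ranges found")
    return {
        "examiner": examiner,            # hypothetical custody-log fields
        "acquired_utc": acquired_utc,
        "sha256": digest.hexdigest(),
        "ranges": ranges,
        "ram_bytes": sum(e - s + 1 for s, e in ranges),
    }

def build_sample():
    """Constructed two-range image; real dumps are gigabytes of physical RAM."""
    out = b""
    for start, size in ((0x1000, 16), (0x100000, 32)):
        out += RANGE_HEADER.pack(LIME_MAGIC, 1, start, start + size - 1, bytes(8))
        out += bytes(range(size))
    return out

if __name__ == "__main__":
    image = io.BytesIO(build_sample())
    print(custody_record(image, "examiner-01", "2024-01-01T00:00:00Z"))
```

Recomputing the digest on every later copy and comparing it with the recorded value shows that the evidence has not changed since acquisition.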