© 2014 IEEE. Memory forensics has become an important part of digital forensic investigation. Its importance has increased due to the type of information resides within memory that can be extracted using appropriate tools. This information includes open processes, open dynamically linked libraries (DLLs), encryption keys, function parameters passed at runtime, and login information. In this paper, we propose a forensic analysis framework that uses common disk encryption methods to encrypt a hard disk and then employs forensic analysis tools to extract encryption keys from the memory dump. We use the recovered keys to successfully decrypt content of an original encrypted disk. In addition, we successfully recover the content of an encrypted BlackBerry10 backup file (.bbb), which is encrypted by default, by employing email login information extracted from the memory image.