  • Live forensics of software ...
    Al-Sharif, Ziad A.; Al-Saleh, Mohammed I.; Alawneh, Luay M.; Jararweh, Yaser I.; Gupta, Brij

    Future Generation Computer Systems, July 2020, Volume 108
    Journal Article

    Increasingly, cyber-physical systems are expected to operate in different environments and interconnect with a diverse set of systems, equipment, and networks. This openness to heterogeneity, diversity, and complexity introduces a new level of vulnerabilities, which adds to the continuing need for security, including digital forensics capabilities. Digital investigators utilize the information on the attacker's computer to find clues that may help in proving a case. One aspect is the digital evidence that can be extracted from the main memory (RAM), which includes live information about running programs. A program's states, represented by variables' values, vary in their scope and duration. This paper explores RAM artifacts of Java programs. Because JVMs can run on various platforms, we compare the same program on three different implementations of the JVM from a forensic perspective. Our investigation model assumes no information is provided by the underlying OS or JVM. Our results show that a program's states can still be extracted even after the garbage collector is explicitly invoked, the software is stopped, or the JVM is terminated. This research helps investigators identify the software used to launch the attack and understand its internal flows. Investigators can utilize this information to accuse the perpetrators and recover from attacks.