Digital Forensic News & Events
Bringing investigators digital forensics and cybersecurity related news from around the world. #AllinForensics


 

Back to News

Collect RAM on a Live Computer

Posted by Richard T. Frawley on November 1, 2021
Richard T. Frawley

When conducting digital forensic investigations that involve live (up and running) computers, it is imperative to collect volatile memory so that all your bases covered and so that no vital evidence is lost.  A live analysis conducted in the correct manner will yield the results you are looking for in your investigation.  It has become commonplace and an accepted practice to collect data from a live computer, especially in cases of child exploitation. ADF software makes it easy for detectives and investigators to perform a RAM capture in the proper manner with as little intrusion as possible.

The first order of business should be the volatile data or collecting the RAM.  ADF has simplified the process and will expeditiously and efficiently collect the volatile data first. Once the RAM collection is saved to the collection key and completed you can next go right to the scanning of the drives, partitions, or attached devices for relevant and actionable evidence. This will allow you to make critical on-scene decisions.

As with any tool used for live analysis, ADF will access files on the target computer while scanning. ADF will access files on the target computer without modifying their timestamps. However, it should be expected that running ADF software on a live system will leave traces related to the insertion of both the Collection Key and Authentication Key and the execution of the application. (See Technical Specifications Sect.3)

When returning to the forensic lab, or within your mobile lab, RAM dumps can be analyzed with the appropriate software (e.g. Volatility).

The collection key will serve several purposes in the field and while on-scene:

  1. RAM Collection – First option when executing the application
  2. Scanning and collection of relevant data
  3. Imaging of drive and attached devices
  4. Analysis on scene or back at the lab

These options are independent of each other and do not all need to be run on every computer. The tool can be used to conduct just one task. As always with ADF’s computer forensics flexible licensing you can collect RAM, scan for information and evidence, or image many computers simultaneously.

Talk to an ADF Expert

Empower your team to perform computer evidence collection on-scene with Field Investigator for Teams

Topics: Digital Evidence Investigator, Triage-Investigator, RAM Capture, Forensic Analysis, Digital Media Investigator, Early Case Assessment, How To Video, Computer Forensics Video

Posts by Tag

See all

Recent Posts

  • READY TO ACCELERATE YOUR DIGITAL INVESTIGATIONS?