Digital forensic experts understand the importance of remembering to perform a RAM Capture on-scene so as to not leave valuable evidence behind. Capturing volatile data in a computer's memory dump enables investigators and examiners to do a full memory analysis and access data including:
- browsing history
- encryption keys
- chat messages
- clipboard contents
- run-time system activity
- open network connections (often these artifacts are only found in RAM)
- recently executed commands and processes
- injected code fragments
- memory stored before shut down or crash
The practice of RAM Capture is an important aspect of memory forensics that can be used during a digital forensic investigation of criminal activity, hacking, cyber crime or insider threats. In the case of hacking, attackers sometimes develop malware that only lives in memory which makes it difficult to detect if random access memory is not captured.
ADF Digital Evidence Investigator software allows field investigators to quickly perform a RAM Capture while on-scene. Next, DEI can start the process of scanning the target computer with customized search profiles to allow investigators to immediately begin analysis and to start building HTML or CSV reports which can be shared with other investigators, prosecutors or a forensic lab.