Digital forensic experts understand the importance of remembering to perform a RAM Capture on-scene so as to not leave valuable evidence behind. Capturing volatile data in a computer's memory dump enables investigators and examiners to do a full memory analysis and access data including:
- browsing history
- encryption keys
- chat messages
- clipboard contents
- run-time system activity
- open network connections (often these artifacts are only found in RAM)
- recently executed commands and processes
- injected code fragments
- memory stored before shut down or crash
Here is a short 60 second video to quickly explain the critical importance of RAM Capture in on-scene investigations, serving search warrants, performing Early Case Assessment, Incident Response investigations or Sensitive Site Exploitation.
The practice of RAM Capture is an important aspect of memory forensics that can be used during a digital forensic investigation of criminal activity, hacking, cyber crime or insider threats. In the case of hacking, attackers sometimes develop malware that only lives in memory which makes it difficult to detect if random access memory is not captured.
ADF Digital Evidence Investigator software allows field investigators to quickly perform a RAM Capture while on-scene. Following the capture of volatile memory, ADF digital forensic software can start the process of scanning the target computer with customized search profiles to allow investigators to immediately begin analysis and to start building HTML or CSV reports which can be shared with other investigators, prosecutors or a forensic lab.
Digital Evidence Investigator® (DEI) software is the #1 automated digital forensic tool for easily collecting RAM as well as digital files and artifacts - with evidence presented in a timeline view. DEI is automated and easy-to-use for digital evidence collection & analysis with pre-built forensic scans and the ability to build custom scans and reports.
