
RAM Dump Forensics

Posted by adfsolutions on October 1, 2018

While there are many tools and techniques available to examiners for recovering data from volatile memory, ADF Digital Evidence Investigator®, Triage-Investigator®, and Triage-G2® are fast and easy.

A simple 2-step process lets non-technical investigators and examiners quickly perform a RAM capture when running a live scan on the computer from a collection key: 

  1. Click "Create RAM Dump" from the main menu
  2. The RAM Dump will be saved to the collection key as a .bin file and then zipped

Capturing Random Access Memory (RAM) is increasingly important: investigators have realized that many types of artifacts can be recovered from volatile memory, and this evidence can benefit an investigation by showing which applications a suspect was using, or which were running at the time of an attack. A remote attacker may also have stored data, tools or other artifacts in RAM rather than on the system drive. Volatile memory data can include:

  • Processes 
  • Information about open files and registry handles 
  • Network information
  • Passwords
  • Cryptographic keys
  • Unencrypted content 
  • Hidden data 
  • Worms and rootkits written to run in memory

Reveal Evidence About Users and Systems

Don't lose data! Investigators, examiners and digital first responders should recover RAM from running PCs to preserve the evidence found in memory. The contents of RAM are lost the minute a computer is turned off, so collecting that content is critical.
