
RAM Dump Forensics

Posted by ADF Solutions on October 1, 2018

[Image: Create RAM Dump with ADF Digital Evidence Investigator]

While there are many tools and techniques available to examiners for recovering data from volatile memory, ADF Digital Evidence Investigator®, Triage-Investigator®, and Triage-G2® make the capture fast and easy.

A simple 2-step process lets non-technical investigators and examiners quickly perform a RAM capture when running a live scan on the computer from a collection key: 

  1. Click "Create RAM Dump" from the main menu
  2. The RAM Dump will be saved to the collection key as a .bin file and then zipped

Capturing Random Access Memory (RAM) is increasingly important: investigators have realized that many types of artifacts can be recovered from volatile memory, and this evidence can benefit an investigation by showing which applications a suspect was using, or which were running at the time of an attack. A remote attacker may also have stored data, tools or other artifacts only in RAM rather than on the system drive. Volatile memory data can include:

  • Processes 
  • Information about open files and registry handles 
  • Network information
  • Passwords
  • Cryptographic keys
  • Unencrypted content 
  • Hidden data 
  • Worms and rootkits written to run in memory
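The artifact types listed above are what an examiner looks for once the capture is on the collection key. The following is an added example of a first-pass triage over such a capture; it is not ADF's code and it makes no use of the ADF products. It assumes the zipped capture holds the raw image as a member named ram_dump.bin, and it builds a small constructed "dump" (seeded random filler with a few planted strings using reserved test values) so that it runs offline. It records a SHA-256 of the .bin for the evidence log, then pulls the quick wins mentioned in the list: ASCII and UTF-16LE strings, IPv4 addresses and URLs.

```python
import hashlib
import random
import re
import zipfile
from io import BytesIO

MIN_STRING_LEN = 8  # shortest printable run worth reporting

# Constructed artifacts planted into the fake dump. All values are made up for
# this example: 192.0.2.44 is an RFC 5737 test address, .invalid is reserved.
PLANTED = [
    b"http://example.invalid/update.php",
    b"192.0.2.44",
    b"C:\\Users\\alice\\Documents\\notes.docx",
    b"Password=hunter2",
    "powershell.exe".encode("utf-16le"),  # Windows keeps many strings as UTF-16LE
]


def build_sample_dump(seed: int = 7) -> bytes:
    """Return a small constructed 'RAM dump': seeded random filler with the
    planted artifacts at fixed offsets, each NUL-terminated as in real memory."""
    rnd = random.Random(seed)

    def filler(n: int) -> bytes:
        return bytes(rnd.getrandbits(8) for _ in range(n))

    parts = []
    for artifact in PLANTED:
        parts.append(filler(1024))
        parts.append(b"\x00" + artifact + b"\x00")
    parts.append(filler(1024))
    return b"".join(parts)


def package_dump(dump: bytes, member: str = "ram_dump.bin") -> bytes:
    """Zip the raw .bin the way the capture is stored on the collection key
    (member name is an assumption for this example)."""
    buf = BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member, dump)
    return buf.getvalue()


ASCII_RUN = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_STRING_LEN)
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_STRING_LEN)
IPV4 = re.compile(rb"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL = re.compile(rb"https?://[\x21-\x7e]+")


def _valid_ipv4(raw: bytes) -> bool:
    # the regex allows octets up to 999; drop anything outside 0..255
    return all(int(octet) <= 255 for octet in raw.split(b"."))


def triage_dump_zip(zip_bytes: bytes) -> dict:
    """Open the zipped capture, hash every .bin member for the evidence log,
    and extract strings, IPv4 addresses and URLs from the raw image."""
    report = {"members": [], "strings": set(), "ipv4": set(), "urls": set()}
    with zipfile.ZipFile(BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(".bin"):
                continue
            data = zf.read(info)
            report["members"].append({
                "name": info.filename,
                "size": len(data),
                "sha256": hashlib.sha256(data).hexdigest(),
            })
            report["strings"].update(m.group().decode("ascii") for m in ASCII_RUN.finditer(data))
            report["strings"].update(m.group().decode("utf-16le") for m in UTF16_RUN.finditer(data))
            report["ipv4"].update(m.group().decode("ascii") for m in IPV4.finditer(data)
                                  if _valid_ipv4(m.group()))
            report["urls"].update(m.group().decode("ascii") for m in URL.finditer(data))
    return report


if __name__ == "__main__":
    result = triage_dump_zip(package_dump(build_sample_dump()))
    for m in result["members"]:
        print(f"{m['name']}: {m['size']} bytes sha256={m['sha256']}")
    print("IPv4:", sorted(result["ipv4"]))
    print("URLs:", sorted(result["urls"]))
    print("Strings:", sorted(result["strings"]))
```

The hash is taken from the bytes inside the archive rather than the zip file itself, so it still matches if the capture is later re-packaged; record it alongside the collection key identifier before any analysis tool touches the image. A run of random filler can occasionally form a printable string of eight or more bytes, so the string list is a starting point for review, not a clean indicator set.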

Reveal Evidence About Users and Systems

Don't lose data! Investigators, examiners and digital first responders should capture RAM from running PCs to preserve the evidence held in memory. The contents of RAM are lost the moment a computer is powered off, so collecting that content is critical.

Learn How: RAM Capture

Topics: Digital Forensics, Digital Evidence Investigator, Triage-G2, Triage-Investigator, RAM Capture, Computer Forensics, Computer Forensic Lab, DFIR
