Ram-capture

When conducting digital forensic investigations that involve live (up and running) computers, it is imperative to collect volatile memory so that all your bases covered and so that no vital evidence is lost.  A live analysis conducted in the correct manner will yield the results you are looking for in your investigation.  It has become commonplace and an accepted practice to collect data from a live computer, especially in cases of child exploitation. ADF software makes it easy for detectives and investigators to perform a RAM capture in the proper manner with as little intrusion as possible.

It's a known issue that many agencies and departments are facing worldwide; how to fight and reduce backlog to stay up to date on cases so that they don't get stale. It's a serious issue, but we at ADF can show you a few ways to fight in-house forensic backlog with digital forensic triage.

RAM, short for Random Access Memory, is physical hardware that temporarily stores data for quick read and write access. Think of RAM as a scratch pad you use while working; although all the information you need and may refer to is stored in a binder (in this analogy, your hard drive), the information on the scratch pad is what you are using and need right in the moment. With RAM, it is right there for you to access. While RAM helps with the speed and efficiency of the computer, it can all be lost in an instant as it is volatile.

ADF computer triage has long been admired for some of the best digital forensic triage capabilities on the market. Since 2006, ADF digital forensic experts have been building triage tools to empower investigators to quickly collect evidence and on-scene intelligence from computers and digital devices.

With a record number of attendees, speakers and exhibitors, the 2019 National Cyber Crime Conference organized by Massachusetts Attorney General Maura Healey's office this past week was a huge success with law enforcement professionals from 38 states, Canada, the UK and Africa. 

The NCCC event was especially important to ADF since it's our first major conference of the year and it's where we officially launched our new Mobile Device Investigator™ for iOS and Android investigations.  Our launch featured a demo by our digital forensic specialist, Rich Frawley who joined ADF after 22 years in law enforcement. 

Learn how to conduct a Windows live scan with ADF Solutions Digital Evidence Investigator.  Two USB ports are required to complete a scan, one for the Collection Key and one for the Authentication Key, once the scan has started the Authentication Key can be removed. A USB hub may be used in cases where the target computer only has one USB port. 

When running a live scan from a Collection Key it is possible to create a RAM dump of the computer. RAM dumps can then be analyzed with appropriate software (e.g. Volatility). 

One of the reasons that investigators choose ADF software as their primary triage tool is because it can be used standalone or in conjunction with traditional forensic software.  Forensic Triage is ideal for front-line investigators because it's fast, easy-to-use, and can net results in situations where time matters. Deployed in a forensic lab, triage software can reduce forensic backlogs and allow forensic examiners to prioritize deep dive forensic investigations.

What's the fastest, easiest way to perform RAM Dump? While there are many tools and techniques available to examiners for recovering data from volatile memory, ADF Digital Evidence Investigator^®, Triage-Investigator^®, and Triage-G2^® are fast and easy. 

A simple 2-step process lets even the most non-technical field investigators or highly trained digital forensic examiners quickly perform a RAM capture when running a live scan on the computer from a collection key: 

1. Click "Create RAM Dump" from the main menu
2. The RAM Dump will be saved to the collection key as a .bin file and then zipped

Here are a few of the highlights of the best parts of the 2018 National Cyber Crime Conference hosted by the Massachusetts Attorney General's Office (AGO) this past week. 

More Than 100 Digital Forensic Training Sessions for Police and Investigators

Local, state and federal agency attendees with varied experience and diverse backgrounds were able to attend a plethora of the best in-person digital and computer forensics education available.   With labs and lectures delivered by educators, trainers and fellow forensic specialists, attendees were able to choose from a wide range of topics including: 

Digital forensic experts understand the importance of remembering to perform a RAM Capture on-scene so as to not leave valuable evidence behind. Capturing volatile data in a computer's memory dump enables investigators and examiners to do a full memory analysis and access data including: