What is RAM Capture and Why does it Matter?

Posted by Richard T. Frawley on March 19, 2020

RAM, short for Random Access Memory, is physical hardware that temporarily stores data for quick read and write access. Think of RAM as a scratch pad you use while working; although all the information you need and may refer to is stored in a binder (in this analogy, your hard drive), the information on the scratch pad is what you are using and need right in the moment. With RAM, it is right there for you to access. While RAM helps with the speed and efficiency of the computer, it can all be lost in an instant as it is volatile.

Understanding RAM Capture

RAM starts fresh every time the computer is turned on. It is a clean slate, a new scratch pad for the computer to use. Because RAM is volatile, meaning it can change rapidly and unpredictably, its contents are lost, erased, and reset when a computer loses power, crashes, or is shut down. This can be a headache if a crash has caused you to lose a half-written document or other work that had not been saved yet.

Why is RAM Capture Important?

Now that you know what RAM is and what can happen when power is lost or a computer shuts down, let us look at why it is important to collect RAM data in a digital forensic investigation that starts with computer triage. As mentioned above, RAM will contain:

  • Unsaved documents
  • Passwords
  • Credentials
  • Code from programs that are not necessarily written to the computer and/or saved

Other things RAM will hold include printed pictures, emails, chat messages, malware, running processes, and the list goes on. With each and every second of the computer’s use, RAM is changing, writing or reading something that the computer is actively working on. This is why it is important to collect RAM as the first priority in a live forensic triage or on-scene digital investigation.

Whether it be on-scene investigations, search warrants, early case assessment, Sensitive Site Exploitation, or incident response, ADF tools are able to get the job done. When deploying ADF tools on a live Windows operating system, RAM will be collected with one click, limiting the use of the computer and preserving that volatile memory as well as possible. RAM will be saved to ADF’s Collection Key in a bin file for later analysis with your favorite memory tool.
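As an added example (not from the original post and not ADF's software), here is a first triage pass in Python over a raw memory image such as the bin file described above: it records a SHA-256 of the image and pulls out printable strings containing a keyword in both ASCII and UTF-16LE. The name `triage_image` and the sample bytes are constructed for illustration.

```python
import hashlib
import mmap
import re
import tempfile

# Printable runs of 6+ characters in the two encodings a Windows image mixes:
# 8-bit ASCII and UTF-16LE (an ASCII-only "strings" pass misses the latter).
PATTERNS = (
    ("ascii", re.compile(rb"[\x20-\x7e]{6,}")),
    ("utf-16-le", re.compile(rb"(?:[\x20-\x7e]\x00){6,}")),
)

# Constructed sample standing in for a captured image: null filler around one
# ASCII and one UTF-16LE fragment. Every value here is made up.
SAMPLE_IMAGE = (
    b"\x00" * 4096
    + b"login user=alice password=Constructed-Example-1"
    + b"\x00" * 4096
    + "chat: the archive password is constructed-example-2".encode("utf-16-le")
    + b"\x00" * 4096
)


def triage_image(path, keywords):
    """Return (sha256_hex, [(offset, encoding, text), ...]) for keyword hits."""
    keys = [k.lower() for k in keywords]
    digest = hashlib.sha256()
    hits = []
    with open(path, "rb") as fh:
        # Hash first, in 1 MiB blocks, so the copy can be verified later.
        for block in iter(lambda: fh.read(1 << 20), b""):
            digest.update(block)
        # Map the file instead of loading it; images are often many GiB.
        with mmap.mmap(fh.fileno(), 0, access=mmap.ACCESS_READ) as mem:
            for encoding, pattern in PATTERNS:
                for match in pattern.finditer(mem):
                    text = match.group().decode(encoding)
                    if any(k in text.lower() for k in keys):
                        hits.append((match.start(), encoding, text))
    return digest.hexdigest(), sorted(hits)


if __name__ == "__main__":
    with tempfile.NamedTemporaryFile(suffix=".bin") as tmp:
        tmp.write(SAMPLE_IMAGE)
        tmp.flush()
        for hit in triage_image(tmp.name, ["password"])[1]:
            print("0x%08x %-9s %s" % hit)
```

Run it against a working copy of the image, never the original evidence file, and keep the recorded hash with the case notes.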
