Memory Acquisition

Memory acquisition involves copying the contents of volatile memory to non-volatile storage. This is arguably one of the most important and precarious steps in the memory forensics process.

Why Memory Dump?

Volatile memory can reveal a lot of important information about a system and its users. There are often instances where evidence stored in memory is never written to the hard drive and may only be found in pagefile.sys and hiberfil.sys. Memory analysis is essential to many malware and intrusion incidents and can be imperative in recovering valuable evidence for almost any PC investigation. Running processes and programs, active network connections, registry hives, passwords, keys, and decrypted files are just a few examples of the evidence that can be found in memory. Many web apps, like Gmail, or private/incognito browsing modes, will only store data in memory, meaning the evidence cannot be recovered from the hard disk (source: https://www.magnetforensics.com/blog/acquiring-memory-with-magnet-ram-capture/).

MagnetRAM

Belkasoft RAM

DumpIt RAM

FireEye Memoryze

OSForensics

Velociraptor

Memory Acquisition Tool Lists

- - - - Belkasoft Live RAM Capture
        DumpIt RAM Capture
        MagnetForensics RAM Capture
        AccessData FTK Imager
        FireEye Memoryze
        Velociraptor MemCap Artifact
        WinPmem
        OSForensics