Memory Acquisition

Memory acquisition involves copying the contents of volatile memory to non-volatile storage. This is arguably one of the most important and precarious steps in the memory forensics process.

Volatile memory can reveal a lot of important information about a system and its users. There are often instances where evidence stored in memory is never written to the hard drive and may only be found in pagefile.sys and hiberfil.sys. Memory analysis is essential to many malware and intrusion incidents and can be imperative in recovering valuable evidence for almost any PC investigation. Running processes and programs, active network connections, registry hives, passwords, keys, and decrypted files are just a few examples of the evidence that can be found in memory. Many web apps, like Gmail, or private/incognito browsing modes, will only store data in memory, meaning the evidence cannot be recovered from the hard disk (source:
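Because acquisition is the step everything downstream depends on, the check a practitioner wants immediately after copying memory to disk is an integrity record: hash the image, write the hash and size alongside it, and re-verify before analysis so that any later modification of the dump is caught. The script below is an added example written for this page, not code from the page or from any of the tools listed; the image it hashes is a constructed stand-in of patterned bytes rather than a real memory dump, and the `<acquisition tool>` and `<examiner>` values are placeholders.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK_SIZE = 1024 * 1024  # hash in 1 MiB chunks; real dumps are often many GiB


def hash_image(path, algorithm="sha256"):
    """Return (hexdigest, byte_count) for the file at path, streamed in chunks."""
    h = hashlib.new(algorithm)
    size = 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK_SIZE), b""):
            h.update(chunk)
            size += len(chunk)
    return h.hexdigest(), size


def write_manifest(image_path, manifest_path, tool, examiner, algorithm="sha256"):
    """Record hash, size and acquisition details in a JSON sidecar next to the image."""
    digest, size = hash_image(image_path, algorithm)
    manifest = {
        "image": os.path.basename(image_path),
        "size_bytes": size,
        "hash_algorithm": algorithm,
        "hash": digest,
        "acquisition_tool": tool,      # placeholder value in the demo below
        "examiner": examiner,          # placeholder value in the demo below
        "recorded_utc": datetime.now(timezone.utc).isoformat(),
    }
    with open(manifest_path, "w", encoding="utf-8") as f:
        json.dump(manifest, f, indent=2)
    return manifest


def verify_image(image_path, manifest_path):
    """Re-hash the image and compare against the manifest. Returns (ok, problems)."""
    with open(manifest_path, "r", encoding="utf-8") as f:
        manifest = json.load(f)
    problems = []
    digest, size = hash_image(image_path, manifest["hash_algorithm"])
    if size != manifest["size_bytes"]:
        problems.append(f"size mismatch: manifest {manifest['size_bytes']}, file {size}")
    if digest != manifest["hash"]:
        problems.append(f"{manifest['hash_algorithm']} mismatch: manifest {manifest['hash']}, file {digest}")
    return (not problems), problems


def demo_roundtrip():
    """Constructed end-to-end run: fake image, manifest, verify, tamper, verify again."""
    with tempfile.TemporaryDirectory() as d:
        image = os.path.join(d, "memdump.raw")
        manifest = os.path.join(d, "memdump.raw.manifest.json")
        # Constructed stand-in for a memory image: 3 MiB of patterned bytes, not a real dump.
        with open(image, "wb") as f:
            for i in range(3):
                f.write(bytes([i]) * CHUNK_SIZE)
        write_manifest(image, manifest, tool="<acquisition tool>", examiner="<examiner>")
        clean_ok, _ = verify_image(image, manifest)
        # Flip one byte in the middle of the image, as a later modification would.
        with open(image, "r+b") as f:
            f.seek(CHUNK_SIZE + 12345)
            f.write(b"\xff")
        tampered_ok, problems = verify_image(image, manifest)
        return {"clean_ok": clean_ok, "tampered_ok": tampered_ok, "problems": problems}


if __name__ == "__main__":
    print(demo_roundtrip())
```

The manifest is written as soon as the image is on non-volatile storage and before it is moved or opened by any analysis tool; the size check catches truncated copies, and the hash catches any change in content. Hashing in fixed-size chunks keeps memory use flat regardless of how large the dump is.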


Belkasoft RAM

DumpIt RAM

FireEye Memoryze