Memory Acquisition using Belkasoft - Live RAM Capture

Belkasoft Live RAM Capturer is a small, free forensic tool that extracts the entire contents of a computer's volatile memory, even when that memory is protected by an anti-debugging or anti-dumping system (it does this through a kernel-mode driver, so it has to be run with administrator rights). Belkasoft RAM Capturer is compatible with all versions and editions of Windows, including XP, Vista, Windows 7, 8 and 10, and Server 2003 and 2008.

Why Memory Dump?

Volatile memory, or RAM, is used to store data currently used by a running process, whether it is a user application or a system service. This type of memory is much quicker than a regular hard drive, but unlike files permanently stored on a drive (unless deleted), data from RAM may disappear instantly. At the same time, it may store data crucial for your case, including passwords in raw format without encryption or encoding; decrypted data otherwise kept encrypted on a drive; decryption keys for various services, apps, and WDE; remote session data; chats in social networks; malware code; cryptocurrency transactions; various system info such as loaded registry branches; and so on. (source: https://belkasoft.com/ram-dumping-tool-selection)

From an incident response perspective, the volatile data residing in system memory holds rich information, such as passwords and credentials, network connections, traces of malware intrusions, and loaded registry hives, that is a valuable source of evidence and is typically not stored on the local hard disk. This makes memory one of the investigator's favorite data sources for digital forensics, and knowing the right tool to dump it is a must. Because every action taken on the live host overwrites some of this data, memory should be acquired before anything else is done, with the capture tool run from removable media and the dump written to an external drive rather than to the suspect's own disk.
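Capturing the dump is only half the job: the file has to be hashed and documented on the host straight after acquisition so the copy handed to an analyst can be verified later, and a dump that is much smaller than installed RAM should be flagged as an incomplete capture. The following PowerShell script is an added example of that post-acquisition check; it is not part of the original page and not Belkasoft's code. It assumes the dump has already been written by Live RAM Capturer to the path given in `-DumpPath` (the sample path is hypothetical) and that it is run from an elevated PowerShell on the same host immediately after the capture.

```powershell
# Added example (not Belkasoft's code): post-acquisition integrity record for a RAM dump.
# Assumptions: the dump was written by Belkasoft Live RAM Capturer to $DumpPath on the host
# being imaged; run from an elevated PowerShell on that host, straight after the capture.
param(
    [Parameter(Mandatory = $true)][string]$DumpPath,        # e.g. 'E:\capture\20240101.mem' (hypothetical path)
    [string]$RecordPath = "$DumpPath.acquisition.json"      # where the chain-of-custody record is written
)

$dump = Get-Item -LiteralPath $DumpPath -ErrorAction Stop

# Installed physical memory, used for a plausibility check against the dump size.
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
$os = Get-CimInstance -ClassName Win32_OperatingSystem
$ramBytes = [uint64]$cs.TotalPhysicalMemory

# A full capture of physical memory is expected to be roughly the size of installed RAM.
# A dump far smaller than that usually means the capture was interrupted or the tool could
# only read part of memory; flag it instead of silently accepting the file.
$ratio = $dump.Length / $ramBytes
$sizeOk = $ratio -ge 0.9

# Hash the dump on the host before it is copied anywhere, so every later copy can be
# verified against this value. Get-FileHash streams the file rather than loading it.
$sha256 = (Get-FileHash -LiteralPath $DumpPath -Algorithm SHA256).Hash

$record = [ordered]@{
    host               = $env:COMPUTERNAME
    os                 = "$($os.Caption) $($os.Version)"
    acquired_by        = "$env:USERDOMAIN\$env:USERNAME"
    tool               = 'Belkasoft Live RAM Capturer'      # add the tool version by hand if known
    dump_path          = $dump.FullName
    dump_bytes         = $dump.Length
    physical_ram_bytes = $ramBytes
    size_ratio         = [math]::Round($ratio, 3)
    size_plausible     = $sizeOk
    sha256             = $sha256
    dump_mtime_utc     = $dump.LastWriteTimeUtc.ToString('o')
    recorded_utc       = (Get-Date).ToUniversalTime().ToString('o')
}

# Persist the record next to the dump and echo it for the examiner's notes.
$record | ConvertTo-Json | Set-Content -LiteralPath $RecordPath -Encoding UTF8
$record

if (-not $sizeOk) {
    Write-Warning ("Dump is {0:P1} of installed RAM; re-check the capture before relying on it." -f $ratio)
}
```

The size check is deliberately a warning rather than a hard failure: a small amount of physical address space is reserved by firmware and devices, so the dump and `TotalPhysicalMemory` rarely match byte for byte, but a large shortfall is worth investigating before the host is powered down and the chance to re-capture is lost.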