During an investigation, you always want to create a forensic image of all the relevant computer systems. However, what if you encounter a live system?
How to handle a live system in general is something I will discuss in a separate post. For now we will focus on why you might want to image the RAM and how to do this with Belkasoft Live RAM Capturer.
Random access memory (RAM) is the working storage of a computer: any byte can be read or written directly by its address, which is why it is so much faster than a hard drive that first has to move a head to the right position. The downside is that RAM is volatile; it needs power to keep its contents. As soon as the power is turned off, everything stored in RAM is lost, including evidence that never existed on disk.
All programs running on your system store data in RAM, so you can imagine how much evidence it may contain. Some examples of information that might be found in RAM include:
- Internet history
- E-Mail (including webmail)
- Encryption keys
- Usernames / Passwords
- Running processes and active network connections
Several tools can create an image (dump) of the system RAM. Some of these tools are:
- Belkasoft Live RAM Capturer
- FireEye (Mandiant) Memoryze
- MoonSols DumpIt
- AccessData FTK Imager
In this Forensics 101 we are going to use Belkasoft Live RAM Capturer.
You can download the free memory acquisition tool from Belkasoft here: https://belkasoft.com/ram-capturer
After downloading and unpacking the tool you will find two builds: a 32-bit and a 64-bit version. Copy both onto external media, such as a large USB drive or an external HDD, and plug it into the system you want to capture. Run the tool from the external drive; do not copy it onto the target disk.
Then run the version that matches the architecture of the Windows installation as Administrator. The tool loads a kernel driver, so it needs elevated rights and the correct bitness. When started you get a very simple UI where you can select the output directory for your dump.
Type in the path where you want to save your image and press "Capture!".
Always choose a path on the external drive. Never store the image on the live system: writing gigabytes to its disk overwrites unallocated space and possibly the page file, so you end up modifying the evidence. Running any acquisition tool changes memory a little, which is unavoidable; keep that footprint small by starting nothing else on the machine, and note the time you began the capture.
Also keep in mind that the image will be at least as large as the installed RAM, and usually a little larger, so make sure the destination drive has enough free space before you start.
The dump may take a while, depending on how much RAM the system has and how fast the destination drive is.
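The steps above are a manual, GUI-driven procedure. The script below is an added example (not part of the original post and not Belkasoft's own tooling) that wraps a capture with the checks an analyst wants before clicking "Capture!": elevation, the right bitness, a destination that is not one of the live system's disks, enough free space, and afterwards a SHA-256 hash and an acquisition record written next to the dump. It assumes things the page does not state: that the unpacked tool sits on the USB drive as `<ToolRoot>\x86\RamCapture.exe` and `<ToolRoot>\x64\RamCapture64.exe`, and that the tool writes a single `*.mem` file into the folder typed into its GUI. The script name `Capture-Ram.ps1` and the example paths are likewise hypothetical.

```powershell
<#
 Added example, not part of the original post and not Belkasoft's own tooling.
 Assumptions (not documented on the page):
  - the unpacked tool lives as <ToolRoot>\x86\RamCapture.exe and
    <ToolRoot>\x64\RamCapture64.exe on the external drive
  - the tool writes one *.mem file into the folder typed into its GUI
#>
param(
    [Parameter(Mandatory)] [string] $ToolRoot,   # e.g. E:\RamCapturer (hypothetical)
    [Parameter(Mandatory)] [string] $OutputDir   # e.g. E:\case-0001\ram (hypothetical)
)

$ErrorActionPreference = 'Stop'

# 1. The tool loads a kernel driver, so the session must be elevated.
$id = [Security.Principal.WindowsIdentity]::GetCurrent()
$isAdmin = ([Security.Principal.WindowsPrincipal] $id).IsInRole(
    [Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isAdmin) { throw 'Run this from an elevated (Administrator) PowerShell.' }

# 2. Pick the build that matches the OS bitness: a 32-bit driver will not
#    load on 64-bit Windows.
$exe = if ([Environment]::Is64BitOperatingSystem) {
    Join-Path $ToolRoot 'x64\RamCapture64.exe'
} else {
    Join-Path $ToolRoot 'x86\RamCapture.exe'
}
if (-not (Test-Path -LiteralPath $exe)) { throw "Capture tool not found: $exe" }

# 3. Refuse to write onto the live system: the system drive and every drive
#    that holds a page file are evidence we do not want to overwrite.
$outRoot   = [IO.Path]::GetPathRoot([IO.Path]::GetFullPath($OutputDir))  # e.g. E:\
$outLetter = $outRoot.Substring(0, 1)
$protected = @($env:SystemDrive.Substring(0, 1))
$protected += Get-CimInstance Win32_PageFileUsage |
    ForEach-Object { $_.Name.Substring(0, 1) }
if ($protected -contains $outLetter) {
    throw "Destination $outRoot is on the live system; use an external drive."
}

# 4. Make sure the destination can hold the dump. A raw dump is at least the
#    size of physical RAM; allow 10% headroom.
$ramBytes  = (Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory
$freeBytes = (Get-PSDrive -Name $outLetter).Free
if ($freeBytes -lt ($ramBytes * 1.1)) {
    throw ('Not enough space on {0}: need ~{1:N0} MB, have {2:N0} MB' -f
        $outRoot, ($ramBytes * 1.1 / 1MB), ($freeBytes / 1MB))
}

# 5. Run the capture. The output folder still has to be typed into the GUI;
#    the script records the start time and waits for the tool to exit.
New-Item -ItemType Directory -Path $OutputDir -Force | Out-Null
$started = Get-Date
Write-Host "Starting $exe - enter '$OutputDir' as the output folder and press Capture!"
Start-Process -FilePath $exe -Wait

# 6. Locate the new dump and hash it before anything else touches it.
$dump = Get-ChildItem -LiteralPath $OutputDir -Filter '*.mem' |
    Where-Object { $_.LastWriteTime -ge $started } |
    Sort-Object LastWriteTime -Descending | Select-Object -First 1
if (-not $dump) { throw "No new .mem file found in $OutputDir" }
$sha256 = (Get-FileHash -LiteralPath $dump.FullName -Algorithm SHA256).Hash

# 7. Write an acquisition record next to the dump: who, what, when, hash.
$record = [ordered]@{
    Host                     = $env:COMPUTERNAME
    Examiner                 = "$env:USERDOMAIN\$env:USERNAME"
    OS                       = (Get-CimInstance Win32_OperatingSystem).Caption
    Is64BitOS                = [Environment]::Is64BitOperatingSystem
    TotalPhysicalMemoryBytes = $ramBytes
    Tool                     = $exe
    Started                  = $started.ToString('o')
    Finished                 = (Get-Date).ToString('o')
    DumpFile                 = $dump.FullName
    DumpSizeBytes            = $dump.Length
    SHA256                   = $sha256
}
$record | ConvertTo-Json |
    Set-Content -LiteralPath (Join-Path $OutputDir 'acquisition.json') -Encoding UTF8
Write-Host ('Dump {0} ({1:N0} MB) SHA256 {2}' -f $dump.Name, ($dump.Length / 1MB), $sha256)
```

Run it from an elevated prompt on the target, with the script itself also on the external drive, for example `powershell -ExecutionPolicy Bypass -File E:\Capture-Ram.ps1 -ToolRoot E:\RamCapturer -OutputDir E:\case-0001\ram`. The page-file check matters because writing a large file to a disk that hosts `pagefile.sys` can churn exactly the swapped-out memory you may later want to carve. Starting PowerShell adds to the memory footprint like any other process you launch on the live box, so start it once and start nothing else.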
Hash the dump file and record the hash in your notes before you move the image anywhere; then load it into your favorite investigation tool for analysis.