/Forensics 101: RAM capture (FTK-Imager)

Forensics 101: RAM capture (FTK-Imager)

During an investigation, you always want to create a forensic image of all the relevant computer systems. However, what if you encounter a live system?

How to handle a live system is something I will discuss in a separate post. For now, we will focus on why you might want to image the RAM and how to do this with FTK-Imager.

The Random access memory or RAM is a form of computer data storage that allows information to be stored and retrieved on a computer. Because information is accessed randomly instead of sequentially like it is on a hard drive, the computer can access the data much faster. One of the downsides of RAM, however, is that it requires power to keep the data accessible. As soon as the power is turned off, all information stored in RAM is lost.

All programs running on your system are storing data in RAM. You can imagine how much evidence the RAM may contain. Some examples of information that might be stored in ram include:

  • Chats
  • Internet history
  • E-Mail (including webmail)
  • Encryption keys
  • Usernames / Passwords
  • Documents

There are a few tools out there that are able to create an image/dump of the system RAM. Some of these tools are:

  • Belkasoft Live RAM Capturer
  • FireEye Memoryze
  • Zeltser DumpIt
  • Accessdata FTK-Imager

In this Forensics 101, we are going to use FTK-Imager version 3.4.3.3.

On how to get FTK-Imager, i suggest my post “Forensics 101: FTK-Imager introduction”.

After starting FTK-Imager you are greeted with the main window.

 

Open the menu “File” (ALT+F) and choose the option “Capture Memory” (ALT+T) .

Chose a Destination for your image, always chose an external path like a USB-Drive or External HDD. You never want to store your image on a live system, otherwise, you end up modifying the evidence.
Also, keep in mind that your image is going to be slightly bigger than the total amount of ram you are going to capture.

FTK-Imager offers you the option to include the pagefile and to create an AD1 image.

Including the pagefile might be interesting, outside of the additional time it might take there is no real reason not to capture the pagefile. The pagefile is a great addition to the memory dump.

Creating an AD1 file is recommended. The AD1 file will contain the memory dump and the pagefile (if selected). the AD1 will be compressed and take up less space, plus it’s hashed. For obvious forensic reasons, the AD1 file helps to keep the image forensically sound.

After selecting your options you can press the “Capture Memory” button and the capture starts. When it’s done it will give you a message and you can close the program.
Use the image in your favorite investigation tool for analysis.