Memory Acquisition using Magnet Forensics - RAM Capture
Magnet RAM Captuer is a free imaging tool designed to capture the physical memory of a suspect’s computer, allowing investigators to recover and analyze valuable artifacts that are often only found in memory.
Magnet RAM Capture has a small memory footprint, meaning investigators can run the tool while minimizing the amount of data that is overwritten in memory. You can export captured memory data in Raw (.DMP/.RAW/.BIN) format and easily upload it into leading analysis tools, including Magnet AXIOM and Magnet IEF.
Why Memory Dump?
Volatile memory can reveal a lot of important information about a system and its users. There are often instances where evidence stored in memory is never written to the hard drive and may only be found in pagefile.sys and hiberfil.sys. Memory analysis is essential to many malware and intrusion incidents and can be imperative in recovering valuable evidence for almost any PC investigation. Running processes and programs, active network connections, registry hives, passwords, keys, and decrypted files are just a few examples of the evidence that can be found in memory. Many web apps, like Gmail, or private/incognito browsing modes, will only store data in memory, meaning the evidence cannot be recovered from the hard disk. (source: https://www.magnetforensics.com/blog/acquiring-memory-with-magnet-ram-capture/).
From an incident response perspective, the volatile data residing inside the system’s memory contains rich information such as passwords, credentials, network connections, malware intrusions, registry hives, and etc. that can be a valuable source of evidence and is not typically stored on the local hard disk. This is one of the investigator’s favorite data sources to perform digital forensics on, and knowing the right tool to dump memory is a must.