x32x01
  • by x32x01 ||
In a previous article we talked about how to perform digital forensics testing of RAM using Volatility framework. But we didn't talk about how we can acquire Random Access Memory (RAM) for a digital forensics test.

Here we use FTK Imager (Forensic Toolkit Imager) for our memory capturing job. We can install on a Windows computer (latest version of FTK Imager 4.5 comes for Windows only). After that we can acquire RAM.
Acquire RAM for Forensics Testing
FTK Imager can acquire primary storage systems also, but there are lots of article there in the internet about it. Here we are going to about how we can acquire a system's volatile memory (RAM) for forensics purpose.

First of all we need to download the latest FTK Imager tool from the official website.
ftkmanager download page.png
After clicking on "Download Now" we got a page to fill up a form and we need to put our mail-id there and then the download link will be mailed to us as we can see the following screenshot:
download mail of ftk imager.png
After clicking on "Download Now" we got a page to fill up a form and we need to put our mail-id there and then the download link will be mailed to us as we can see the following screenshot:
ftkimager run as admin.png
Then FTK Imager will open in front of us as we can see in the following screenshot:
ftkimager.png
After this we click on the "File" located top left corner. Then we click on "Capture Memory" in the drop down menu. Showed in thee following screenshot:
ftkimager memory capture.png
Then a popup box will open, here we can browse the destination folders path, where we want to save the acquired memory dump. Shown in the following screenshot:
ftkimager set destination path.png
After choosing the output folder we need to check (true) for pagefile and AD1 file.
ftkimager before start .png
Then we just need to click on "Capture Memory" and the memory acquiring will started. Shown in the following screenshot:
ftkimager memory capturing process started.png
After finishing the memory acquiring it will start capturing pagefile and AD1 file, as the following screenshot:
ftkimager creating ad1 file.png
Once the acquisition is completed, we can click on the "Close" button, as shown in the following screenshot:
ftkimager RAM capture complete.png
Now we are Done. We can see the output files on our selected destination folder.
ftkimager ram captured on folder.png
Now we can easily test this .mem file using Volatility on Kali Linux machine. We had talked about Volatility and it's uses previously.
This is how can capture RAM for forensics testing. RAM's data is very volatile, when there are no electrical charge or current in the RAM chip. With the data on RAM being the most volatile, it ranks high in the order of volatility and must be forensically acquired and preserved as a matter of high priority.

Love our article? then make sure to follow our subscription to get all our articles directly on inbox. We are also available on Twitter and GitHub, we post article updates there.
To join our family, join our Telegram Group. We are trying to build a community for Linux and Cybersecurity.
For anything we always happy to help everyone on the comment section. As we know our comment section is always open to everyone. We read each and every comment and we always reply.
 

Similar Threads

x32x01
Replies
0
Views
139
x32x01
x32x01
x32x01
Replies
0
Views
131
x32x01
x32x01
x32x01
Replies
0
Views
422
x32x01
x32x01
x32x01
  • x32x01
Replies
0
Views
249
x32x01
x32x01
x32x01
Replies
0
Views
215
x32x01
x32x01
TAGs: Tags
forensics testing

Register & Login Faster

Forgot your password?

Latest Resources

Forum Statistics

Threads
517
Messages
518
Members
45
Latest Member
Tacola
Back
Top