Analyze RAM/Volatile Memory

Belkasoft Evidence Center 2012 offers the ability to analyze the content of computer’s RAM (volatile memory) by processing memory dumps, hibernation files and page files. Available in Evidence Center Professional and Forensic Studio Ultimate edition, the functionality offers forensic experts an opportunity to discover more evidence than is available on the hard drive alone.

RAM (Volatile Memory) Analysis Reveals More Evidence

Volatile memory (RAM) contains the most recent data such as recent chat conversations, social network communications, currently open Web pages, and decrypted content of files that are stored encrypted on the hard disk. Live RAM/volatile memory analysis reveals information used by various applications during their operation, including Facebook, Twitter, Gmail and other communications.

The ability to analyze RAM/volatile memory is one of the reasons to never shut down computers at the time of their acquisition. Forensic specialists acquiring a running PC should always capture appropriate memory dumps before unplugging the PC and extracting the hard drive. However, even if the PC has not been acquired properly, volatile memory content can still be available for analysis in the form of page file(s) and hibernation file.

How to Analyze Volatile Memory with Belkasoft Evidence Center

In order to analyze volatile memory content, investigators need a valid license for Evidence Center Pro, Forensic Studio Ultimate or the Enterprise edition.

To begin RAM analysis, launch Belkasoft Evidence Center and launch the Carve Device wizard. In the following window, select the Live RAM image file (pagefile.sys, hiberfil.sys, memory dumps) option.

To continue analyzing RAM/volatile memory, specify a valid path to a hibernation or swap file of interest. After you click Finish, the specified file will be carved for Live RAM artifacts it may contain. Just like the computer’s actual volatile memory, the content of page and hibernation files may not contain as many artifacts as the hard drive. However, even a small amount of additional evidence is better than nothing. You can download sample hibernation, page file and memory dump from Belkasoft Web site. The content of the sample RAM image includes Skype 4 and Yahoo! Messenger messages, Internet Explorer and Gmail activities.

Articles

Analyzing Windows Phone 8.1 JTAG and UFED Dumps

In recent months, we’ve started receiving calls from our customers asking us about extracting files and looking for evidence in binary dumps extracted out of Windows Phone 8 devices. We’ve got dozens of requests from European police ... Read more

Why SSD Drives Destroy Court Evidence, and What Can Be Done About It

Solid State drives (SSD) introduced dramatic changes to the principles of computer forensics. Forensic acquisition of computers equipped with SSD storage is very different of how we used to acquire PCs using traditional magnetic media. Instead ... Read more

Subscribe to our Newsletter