Analyze RAM/Volatile Memory

Belkasoft Evidence Center 2012 offers the ability to analyze the content of computer’s RAM (volatile memory) by processing memory dumps, hibernation files and page files. Available in Evidence Center Professional and Forensic Studio Ultimate edition, the functionality offers forensic experts an opportunity to discover more evidence than is available on the hard drive alone.

RAM (Volatile Memory) Analysis Reveals More Evidence

Volatile memory (RAM) contains the most recent data such as recent chat conversations, social network communications, currently open Web pages, and decrypted content of files that are stored encrypted on the hard disk. Live RAM/volatile memory analysis reveals information used by various applications during their operation, including Facebook, Twitter, Gmail and other communications.

The ability to analyze RAM/volatile memory is one of the reasons to never shut down computers at the time of their acquisition. Forensic specialists acquiring a running PC should always capture appropriate memory dumps before unplugging the PC and extracting the hard drive. However, even if the PC has not been acquired properly, volatile memory content can still be available for analysis in the form of page file(s) and hibernation file.

How to Analyze Volatile Memory with Belkasoft Evidence Center

In order to analyze volatile memory content, investigators need a valid license for Evidence Center Pro, Forensic Studio Ultimate or the Enterprise edition.

To begin RAM analysis, launch Belkasoft Evidence Center and launch the Carve Device wizard. In the following window, select the Live RAM image file (pagefile.sys, hiberfil.sys, memory dumps) option.

To continue analyzing RAM/volatile memory, specify a valid path to a hibernation or swap file of interest. After you click Finish, the specified file will be carved for Live RAM artifacts it may contain. Just like the computer’s actual volatile memory, the content of page and hibernation files may not contain as many artifacts as the hard drive. However, even a small amount of additional evidence is better than nothing. You can download sample hibernation, page file and memory dump from Belkasoft Web site. The content of the sample RAM image includes Skype 4 and Yahoo! Messenger messages, Internet Explorer and Gmail activities.

Articles

"I took Belkasoft Evidence Center for a spin around the block"

Brett Shavers from DFIR.training reviewed Belkasoft Evidence Center. As he puts: "BEC does a really good job at running across data, putting everything into its own category, and creating an easy view of the entire case. There is some deep dive ... Read more

Comprehensive Forensic Chat Examination with Belkasoft

Call logs, SMSes, emails, social networks communications and, of course, chats in instant messengers can give you a lot of important information in a course of a forensic investigation. Let's see how one single chat product can be examined from ... Read more

Subscribe to our Newsletter