Analyze RAM/Volatile Memory

Belkasoft Evidence Center 2012 offers the ability to analyze the content of computer’s RAM (volatile memory) by processing memory dumps, hibernation files and page files. Available in Evidence Center Professional and Forensic Studio Ultimate edition, the functionality offers forensic experts an opportunity to discover more evidence than is available on the hard drive alone.

RAM (Volatile Memory) Analysis Reveals More Evidence

Volatile memory (RAM) contains the most recent data such as recent chat conversations, social network communications, currently open Web pages, and decrypted content of files that are stored encrypted on the hard disk. Live RAM/volatile memory analysis reveals information used by various applications during their operation, including Facebook, Twitter, Gmail and other communications.

The ability to analyze RAM/volatile memory is one of the reasons to never shut down computers at the time of their acquisition. Forensic specialists acquiring a running PC should always capture appropriate memory dumps before unplugging the PC and extracting the hard drive. However, even if the PC has not been acquired properly, volatile memory content can still be available for analysis in the form of page file(s) and hibernation file.

How to Analyze Volatile Memory with Belkasoft Evidence Center

In order to analyze volatile memory content, investigators need a valid license for Evidence Center Pro, Forensic Studio Ultimate or the Enterprise edition.

To begin RAM analysis, launch Belkasoft Evidence Center and launch the Carve Device wizard. In the following window, select the Live RAM image file (pagefile.sys, hiberfil.sys, memory dumps) option.

To continue analyzing RAM/volatile memory, specify a valid path to a hibernation or swap file of interest. After you click Finish, the specified file will be carved for Live RAM artifacts it may contain. Just like the computer’s actual volatile memory, the content of page and hibernation files may not contain as many artifacts as the hard drive. However, even a small amount of additional evidence is better than nothing. You can download sample hibernation, page file and memory dump from Belkasoft Web site. The content of the sample RAM image includes Skype 4 and Yahoo! Messenger messages, Internet Explorer and Gmail activities.

Articles

"Does your DFIR tool have substantial updates?"

In his new article, Brett Shavers from DFIR.training talks about new features of Belkasoft Evidence Center 9.7. He notes that "BEC’s v9.7 update adds quite a few artifacts that some suites don’t even try to examine". He overviews the most ... Read more

Countering Anti-Forensic Efforts - Part 1

Computer forensic techniques allow investigators to collect evidence from various digital devices. Tools and techniques exist allowing discovery of evidence that is difficult to get, including destroyed, locked, or obfuscated data. At the same ... Read more

Subscribe to our Newsletter