Capture the contents of RAM with Belkasoft's free tool!
Belkasoft Live RAM Capturer is a tiny free forensic tool that allows you to safely extract the entire contents of a computer's volatile memory, even if it is protected by an active anti-debugging or anti-dumping system. Separate 32-bit and 64-bit builds are available to keep the tool's footprint as small as possible. Memory dumps captured with Belkasoft Live RAM Capturer can be analyzed with the Live RAM Analysis feature of Belkasoft Evidence Center. Belkasoft Live RAM Capturer is compatible with all versions and editions of Windows, including XP, Vista, Windows 7, 8 and 10, and Server 2003 and 2008.
Why is capturing a RAM dump essential?
Memory dumps are a valuable source of ephemeral evidence and volatile information. They may contain passwords for encrypted volumes (TrueCrypt, BitLocker, PGP Disk); credentials for webmail and social network services such as Gmail, Yahoo Mail, Hotmail, Facebook, Twitter and Google Plus; and credentials for file-sharing services such as Dropbox, Flickr, SkyDrive, etc.
In order to extract ephemeral evidence from captured memory dumps, forensic examiners need to use suitable analysis software, such as Belkasoft Evidence Center. In addition, some other tools can be used to extract the passwords of encrypted volumes (for example, Elcomsoft Forensic Disk Decryptor).
Designed to Bypass Active Anti-Debugging and Anti-Dumping Protection
Acquiring volatile memory from a computer running a debugging protection or anti-dumping system is tricky. Most memory acquisition tools run in the system's user mode and are unable to bypass the defenses of such protection systems, which run in the system's most privileged mode, kernel mode.
Belkasoft Live RAM Capturer is designed to work correctly even if an aggressive anti-debugging or anti-memory-dumping system is running. By operating in kernel mode, Belkasoft Live RAM Capturer runs at the same privilege level as these protection systems and is therefore able to correctly acquire the address space of applications protected by the most sophisticated systems, such as nProtect GameGuard.
Creates Forensically Sound Memory Dumps
Belkasoft Live RAM Capturer features the smallest footprint possible, does not require installation and can be launched in seconds from a USB flash drive. Unlike many competing tools that run in the system's user mode, Belkasoft Live RAM Capturer comes equipped with 32-bit and 64-bit kernel drivers, allowing the tool to operate in the most privileged kernel mode. Memory dumps acquired with Belkasoft Live RAM Capturer can then be analyzed with Belkasoft Evidence Center Live RAM Analysis.
Compared to Other Volatile Memory Capturing Tools
Belkasoft Live RAM Capturer beats many popular memory dumping applications hands down due to a difference in design goals. Current versions of competing tools (AccessData FTK Imager 3.0.0.1443, PMDump 1.2) operate in the system's user mode, which makes them susceptible to anti-dumping countermeasures performed by active debugging protection systems such as nProtect GameGuard.
An internal comparison between Belkasoft Live RAM Capturer and the latest versions of competing RAM acquisition tools demonstrated the ability of Belkasoft Live RAM Capturer to acquire an image of a protected memory set, while the other tools returned an empty area (FTK Imager) or random data (PMDump).
Tools tested:
- AccessData FTK Imager 3.0.0.1443
- PMDump 1.2
- Belkasoft Live RAM Capturer 1.0
Testing methodology: we launched Karos, a computer game protected with nProtect GameGuard. We then carried out an active chat session and attempted to acquire a complete memory dump of the system with each of the three memory dumping tools. Finally, we analyzed the memory set belonging to the protected game in each dump.
The results:
- AccessData FTK Imager 3.0.0.1443: the dump contained all zeroes in place of the actual data for the protected memory set;
- PMDump 1.2: the dump contained random data in place of the protected memory set;
- Belkasoft Live RAM Capturer 1.0: the protected memory set was acquired correctly.
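The two failure modes in the table above (an all-zero region and a region of random bytes where the protected application's memory should be) can be spotted in any raw dump by classifying it page by page. The following triage script is an added example, not Belkasoft's code; it assumes a flat raw dump with 4 KiB pages and uses a constructed sample in place of a real capture.

```python
import math
from collections import Counter
from random import Random

PAGE_SIZE = 4096  # classify the raw dump one 4 KiB page at a time

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant page, close to 8.0 for random bytes."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify_page(page: bytes, random_threshold: float = 7.5) -> str:
    """'zero' = all-zero page (empty area), 'random' = high-entropy garbage,
    'content' = anything else, i.e. plausible real memory contents."""
    if not any(page):
        return "zero"
    if shannon_entropy(page) >= random_threshold:
        return "random"
    return "content"

def triage_dump(dump: bytes, page_size: int = PAGE_SIZE) -> dict:
    """Count pages of each class across the dump and record where the suspicious ones sit."""
    summary = {"zero": 0, "random": 0, "content": 0, "suspicious_offsets": []}
    for offset in range(0, len(dump), page_size):
        kind = classify_page(dump[offset:offset + page_size])
        summary[kind] += 1
        if kind != "content":
            summary["suspicious_offsets"].append((offset, kind))
    return summary

def constructed_dump() -> bytes:
    """Constructed sample, not a real capture: one all-zero page (the FTK Imager
    outcome), one page of seeded pseudo-random bytes (the PMDump outcome), and
    two pages of repeated chat text standing in for the game's real memory."""
    zero_page = bytes(PAGE_SIZE)
    rng = Random(2024)
    random_page = bytes(rng.getrandbits(8) for _ in range(PAGE_SIZE))
    line = b"chat: player_a> meet at the gate\n"
    content = (line * (2 * PAGE_SIZE // len(line) + 1))[: 2 * PAGE_SIZE]
    return zero_page + random_page + content

if __name__ == "__main__":
    print(triage_dump(constructed_dump()))
```

A large run of zero or random pages at the offsets where a protected process is mapped is the signature of a user-mode capture that was defeated, and is worth checking before spending analysis time on the dump.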
Consequences of Using a Wrong Tool
Many applications protect their memory sets against dumping. Such applications include multi-player online games, malware, and custom and commercial products protected with active anti-debugging systems. In mild scenarios (e.g. commercial products and games), an attempt to read a protected memory area will simply return empty or garbage data instead of the actual information.
In worst-case scenarios, an anti-debugging system that detects an attempt to read protected memory areas may take measures to destroy the affected information and/or cause a kernel-mode failure, locking up the computer and making further analysis impossible. This is what typically happens when a user-mode volatile memory acquisition tool is used to dump content protected by a kernel-mode anti-debugging system.
Compatibility and System Requirements
Belkasoft Live RAM Capturer is compatible with 32-bit and 64-bit editions of Windows, including XP, Vista, Windows 7/8/10, and Server 2003 and 2008. The tool does not require installation and can be launched in seconds from a USB thumb drive.