Capture Live RAM Contents with Free Tool from Belkasoft!
Belkasoft Live RAM Capturer is a tiny free forensic tool that lets you reliably
extract the entire contents of a computer’s volatile memory – even if it is protected
by an active anti-debugging or anti-dumping system. Separate 32-bit and 64-bit
builds are available in order to minimize the tool’s footprint as much as possible.
Memory dumps captured with Belkasoft Live RAM Capturer can be analyzed with
Live RAM Analysis in Belkasoft Evidence Center. Belkasoft Live RAM Capturer
is compatible with all versions and editions of Windows including XP, Vista,
Windows 7, 8 and 10, 2003 and 2008 Server.
Why Memory Dump Is the First Thing To Do During the Acquisition
Memory dumps are a valuable source of ephemeral evidence and volatile information.
Memory dumps may contain passwords to encrypted volumes (TrueCrypt, BitLocker, PGP
Disk), account login credentials for many webmail and social network services such
as Gmail, Yahoo Mail, Hotmail; Facebook, Twitter, Google Plus; file sharing services
such as Dropbox, Flickr, SkyDrive, etc.
In order to extract ephemeral evidence out of already captured memory dumps,
forensic experts must use proper analysis software such as Belkasoft Evidence Center.
Besides, some other tools can be used to extract passwords to encrypted volumes.
Designed to Bypass Active Anti-Debugging and Anti-Dumping
Acquiring volatile memory from a computer running a debugging protection or anti-dumping
system is tricky. Most memory acquisition tools run in the system’s user mode, and
are unable to bypass the defenses of such protection systems (which run in the system’s
most privileged kernel mode).
Belkasoft Live RAM Capturer is designed to work correctly even if an aggressive
anti-debugging or anti-memory dumping system is running. By operating in kernel
mode, Belkasoft Live RAM Capturer operates at the same level as these protection
systems and can correctly acquire the address space of applications protected
with the most sophisticated systems such as nProtect GameGuard.
Creates Forensically Sound Memory Dumps
Belkasoft Live RAM Capturer features the smallest footprint possible, does not
require installation and can be launched in seconds from a USB flash drive. Unlike
many competing tools running in the system’s user mode, Belkasoft Live RAM Capturer
comes equipped with 32-bit and 64-bit kernel drivers allowing the tool to operate
in the most privileged kernel mode. Memory dumps acquired with Belkasoft Live RAM
Capturer can then be analyzed with Belkasoft Evidence Center Live RAM Analysis.
Compared to Other Volatile Memory Capturing Tools
Belkasoft Live RAM Capturer beats many popular memory dumping applications hands
down due to the difference in design goals. Current versions of competing tools
(AccessData FTK Imager 126.96.36.1993, PMDump 1.2) operate in the system’s user mode,
which makes them susceptible to anti-dumping activities performed by active debugging
protection systems such as nProtect GameGuard.
An internal comparison between Belkasoft Live RAM Capturer and the latest versions
of competing RAM acquisition tools demonstrated the ability of Belkasoft Live RAM
Capturer to acquire an image of a protected memory set while the other tools returned
an empty area (FTK Imager) or random data (PMDump).
- AccessData FTK Imager 188.8.131.523
- PMDump 1.2
- Belkasoft Live RAM Capturer 1.0
Testing methodology: we launched Karos, a computer game protected with nProtect
GameGuard. Then we performed an active chat session, and tried acquiring the complete
memory dump of the system with all three memory dumping tools. We then analyzed
the memory set belonging to the protected game.
- AccessData FTK Imager 184.108.40.2063 contained all zeroes in place of actual
data for the protected memory set;
- PMDump 1.2 returned random data;
- Belkasoft Live RAM Capturer 1.0 correctly acquired the protected memory.
Consequences of Using a Wrong Tool
Many applications protect their memory sets against dumping. Such applications
include multi-player online games, malware, custom and commercial products protected
with active anti-debugging systems. In mild scenarios (e.g. commercial products
and games), an attempt to read a protected memory area will simply return empty
or garbage data instead of the actual information.
In worst-case scenarios, an anti-debugging system detecting an attempt to read
protected memory areas may take measures to destroy affected information and/or
cause a kernel mode failure, locking up the computer and making further analysis
impossible. This is what typically happens if a user-mode volatile memory analysis
tool is used to dump content protected with a kernel-mode anti-debugging system.
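An acquired region can be checked for the two failure signatures described above (all zeroes, or random data) before any analysis is attempted. The Python below is an added example, not Belkasoft code; the 4 KiB page size, the 7.5 bits/byte entropy threshold, the 5% cutoff and all function names are assumptions, and the sample regions are constructed.

```python
import math
import os
from collections import Counter

PAGE_SIZE = 4096  # assumed x86/x64 small page size


def shannon_entropy(buf: bytes) -> float:
    """Shannon entropy of buf in bits per byte (0.0 to 8.0)."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def classify_page(page: bytes, random_threshold: float = 7.5) -> str:
    """Label one page 'zero', 'random' (near-uniform bytes) or 'structured'."""
    if page.count(0) == len(page):
        return "zero"
    if shannon_entropy(page) >= random_threshold:
        return "random"
    return "structured"


def triage_region(region: bytes, page_size: int = PAGE_SIZE) -> dict:
    """Count page labels across a region carved from a raw memory image."""
    counts = {"zero": 0, "random": 0, "structured": 0}
    for off in range(0, len(region), page_size):
        counts[classify_page(region[off:off + page_size])] += 1
    return counts


def looks_unreadable(counts: dict, min_structured: float = 0.05) -> bool:
    """True when almost no page holds structured data (heuristic only)."""
    total = sum(counts.values())
    return total > 0 and counts["structured"] / total < min_structured


if __name__ == "__main__":
    # Constructed sample regions, 8 pages each; not output from any real tool.
    chat = (b"[12:01] player1: meet at the gate\r\n" * 200)[:PAGE_SIZE]
    samples = {
        "all zeroes": bytes(8 * PAGE_SIZE),
        "random data": os.urandom(8 * PAGE_SIZE),
        "readable": chat * 6 + bytes(2 * PAGE_SIZE),
    }
    for name, region in samples.items():
        counts = triage_region(region)
        print(f"{name:12} {counts} unreadable={looks_unreadable(counts)}")
```

High-entropy pages also occur in legitimately compressed or encrypted data, so a flagged region is a reason to inspect or re-acquire it, not proof that the capture was blocked.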
Compatibility and System Requirements
Belkasoft Live RAM Capturer is compatible with 32-bit and 64-bit editions of
Windows including XP, Vista, Windows 7/8/10, 2003 and 2008 Server. The tool does
not require installation, and can be launched in seconds from a USB thumb drive.
Since this article was published, FTK Imager has gained a kernel-mode driver.
However, you may still want to compare executable file sizes when selecting
a capturer with the minimum footprint.