Why RAM dumping?

Volatile memory, or RAM, stores the data currently in use by running processes, whether user applications or system services. It is much faster than a regular hard drive, but unlike files stored on a drive, which persist until deleted, RAM contents can disappear instantly. At the same time, RAM may hold data crucial for your case: passwords in plain text without encryption or encoding, decrypted copies of data that is otherwise kept encrypted on disk, decryption keys for various services, applications and whole-disk encryption (WDE), remote session data, social network chats, malware code, cryptocurrency transactions, and system information such as loaded registry hives.

This is why it is widely accepted that capturing RAM contents must be one of the first steps when seizing a running computer or laptop. You can read more on the topic in one of Belkasoft's earlier articles. That article is still largely up to date, with the exception of the freezer attack, which we have not heard about since and which no longer appears to be reproducible.

Requirements for a RAM dumping tool

There are a number of requirements for a RAM dumping tool, including the following:

  1. Portability
  2. Kernel-mode operation
  3. Least possible footprint

The last requirement covers obvious points such as not writing the dump to a hard drive of the computer being captured, leaving as few traces as possible in the host's registry, and not using the Windows Temp folder. It also implies that the tool's executable and its dynamically linked libraries should occupy as little volatile memory as possible: otherwise the tool overwrites potentially useful data with its own code and makes part of that data unrecoverable.

This is one of the reasons we regret seeing recommendations, repeated year after year, to use tools not specifically designed for RAM capture. If a tool has multiple functions, the extra functionality occupies more space than necessary once the executable is loaded into RAM. We strongly believe that a digital forensic investigator or incident responder should use only tools devoted to one single function: capturing RAM.

For these reasons, we suggest the following criteria to consider the next time you choose a RAM capturing tool:

  1. The tool must have a single function: to dump RAM
  2. Portability
  3. Kernel-mode operation
  4. Least possible footprint

Tools we recommend

Based on these requirements, we can recommend the following tools:

  1. Belkasoft Live RAM Capturer
  2. DumpIt (a third-party tool)

Why Belkasoft Live RAM Capturer?

Our Belkasoft Live RAM Capturer is a free tool that complies with all of the above requirements. It produces output in raw format: uncompressed, unencrypted, unencoded. Its results can therefore be analyzed with any tool of your choosing, without tying you to our Belkasoft X product (which, by the way, is an excellent product for analyzing memory dumps). When we say 'free tool', it means free, with no strings attached.
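A raw dump has no header of its own, so a quick post-acquisition check can confirm that what was written really is raw (no compression or container signature), that its size is page granular, and record a SHA-256 for the evidence log. The script below is an added example for this article, not Belkasoft code and not part of Live RAM Capturer; the 4 KiB page size, the table of magic bytes and the two-page sample file it builds in a temporary location are assumptions of the example.

```python
"""Post-acquisition sanity checks for a raw RAM dump (added example, not Belkasoft code)."""
import hashlib
import os
import tempfile

PAGE_SIZE = 4096  # assumed x86/x64 base page size; a raw physical memory dump is page granular

# Leading bytes of formats that are NOT raw memory. A raw dump carries no header at all,
# so its first bytes are simply whatever sat at physical address 0 (typically zeros).
CONTAINER_MAGIC = {
    b"\x1f\x8b": "gzip",
    b"PK\x03\x04": "zip",
    b"7z\xbc\xaf\x27\x1c": "7z",
    b"PAGEDUMP": "Windows 32-bit crash dump",
    b"PAGEDU64": "Windows 64-bit crash dump",
    b"EVF\x09\x0d\x0a\xff\x00": "Expert Witness (E01)",
}


def detect_container(head: bytes):
    """Return the name of a known container/compressed format if the dump starts
    with its magic bytes, or None when the start looks like raw memory."""
    for magic, name in CONTAINER_MAGIC.items():
        if head.startswith(magic):
            return name
    return None


def is_page_aligned(size: int) -> bool:
    """A raw dump of physical memory should be a non-zero multiple of the page size."""
    return size > 0 and size % PAGE_SIZE == 0


def sha256_file(path: str) -> str:
    """Stream the file through SHA-256 in 1 MiB chunks so multi-gigabyte dumps fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def check_raw_dump(path: str, min_expected_bytes: int = 0) -> dict:
    """Run all checks on a dump file. min_expected_bytes is the installed RAM size
    (if known); a dump smaller than that was probably truncated."""
    size = os.path.getsize(path)
    with open(path, "rb") as f:
        head = f.read(16)
    return {
        "size": size,
        "page_aligned": is_page_aligned(size),
        "container": detect_container(head),
        "truncated": size < min_expected_bytes,
        "sha256": sha256_file(path),
    }


def demo() -> dict:
    """Build a constructed two-page 'dump' in a temp file and verify it.
    This is sample data, not a real capture."""
    sample = bytearray(2 * PAGE_SIZE)
    marker = b"constructed-sample"
    sample[PAGE_SIZE:PAGE_SIZE + len(marker)] = marker  # a marker string in the second page
    fd, path = tempfile.mkstemp(suffix=".mem")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(sample)
        return check_raw_dump(path, min_expected_bytes=2 * PAGE_SIZE)
    finally:
        os.remove(path)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In practice you would point `check_raw_dump` at the dump on the external media it was written to and pass the target machine's installed RAM size as `min_expected_bytes`; the returned SHA-256 is what goes into the chain-of-custody record before the dump is copied anywhere else.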

Numerous studies have found Belkasoft Live RAM Capturer to be the best, or one of the few best, tools for capturing volatile memory. To keep things objective, we would like to share third-party articles and overviews of our Live RAM Capturer tool:

Have you seen any other comparisons? Please share with us at sales@belkasoft.com!

Conclusion

In this article, we have briefly reviewed why a digital forensic investigator or cyber incident responder needs a volatile memory (RAM) dumping tool and what the requirements for selecting such a tool should be. Apart from portability, kernel-mode operation and the smallest possible footprint, we suggested a fourth requirement: the tool must have a single feature, RAM dumping only. As for recommendations, we suggest our Live RAM Capturer tool and a third-party tool, DumpIt. Finally, we listed a few third-party articles comparing the available tools. In most of these articles, Belkasoft Live RAM Capturer is considered the best or one of the few best tools for RAM dumping.
