Why RAM dumping?
Volatile memory, or RAM, is used to store data currently used by a running process: whether it is a user application or a system service. This type of memory is much quicker than a regular hard drive but unlike files permanently stored on a drive (unless deleted), data from RAM may disappear instantly. At the same time, it may store data crucial for your case, including passwords in raw format without encryption or encoding, decrypted data otherwise kept encrypted on a drive, decryption keys for various services, apps and WDE, remote sessions data, chats in social networks, malware code, cryptocurrency transactions, various system info such as loaded registry branches, and so on.
This is why it is not argued that capturing RAM contents must be one of the first steps in seizing a running computer or laptop. You can read more on the topic in one of Belkasoft's articles. The article is still quite up-to-date and relevant, with the exception of a freezer attack, which we have not heard about since then and which looks to not be repeatable anymore.
Requirements for a RAM dumping tool
There are a number of requirements for a RAM dumping tool, including the following:
- Portability
- Kernel-mode operation
- Least possible footprint
The last requirement includes obvious items like not writing a dump to a hard drive of a computer that is being captured, leaving as few traces on a host computer registry as possible and not using the Windows' Temp folder. It also implies that the tool executable files and dynamically linked libraries occupy as small of a volume of volatile memory as possible: otherwise the tool is going to overwrite potentially useful data with its own code and thus make a part of the data unavailable.
This is one of the reasons why we regret to see recommendations repeated year after year on the use of tools not specifically designed for RAM capturing. It seems obvious that if a tool has multiple functions, the extra functionality occupies more space than is needed when an executable is loaded into RAM. We strongly believe that a digital forensic investigator or an incident responder must use only tools solely devoted to one single function—capturing RAM.
Because of these reasons, we would like to make a suggestion to consider the next time you are preparing for choosing your next RAM capturing tool:
- The tool must have a single function: to dump RAM
- Portability
- Kernel-mode operation
- Least possible footprint
Tools we recommend
Based on these requirements, we can recommend the following tools:
- Belkasoft Live RAM Capturer
- Dumpit
Why Belkasoft Live RAM Capturer?
Our Belkasoft Live RAM Capturer is a free tool, which complies with all of the above requirements. It produces an output in raw format—uncompressed, unencrypted, unencoded. Thus, its results can be analyzed with any tool of your choosing, without binding you to our Belkasoft X product (which is an excellent product to analyze memory dumps by the way). When we say 'free tool', it actually means free, with no strings attached.
There were numerous studies, which found Belkasoft Live RAM Capturer among the best or one of the few best tools for capturing volatile memory. To avoid being non-objective, we would like to share third-party articles and overviews of our Live RAM Capturer tool:
- Memory forensics tools: Comparing processing time and left artifacts on volatile memory ("The results show that Belkasoft RAM Capturer has the least amount of artifacts left behind, and it also has the quickest processing time")
- Comparison of Memory Acquisition Software for Windows (by four criteria, Belkasoft Live RAM Capturer takes three first place and one second. Quote: "Yet, it is quite evident that based on the four metrics above, Belkasoft’s Live RAM Capturer is the best memory acquisition tool out of the four tools.")
- Memory Acquisition and Virtual Secure Mode (most popular tools give BSOD on systems with VSM enabled, while Belkasoft Live RAM Capturer does not)
- Impact Of Tools on The Acquisition Of RAM Memory ("The fastest tool has been Belkasoft Live RAM Capturer", "DumpIT tool consumes fewer resources, … the same as the Belkasoft RAM Capturer tool")
- In-Depth Analysis of Computer Memory Acquisition Software for Forensic Purposes ("Belkasoft's Live Ram Capturer is the fastest to obtain an image of the memory" and "We observed that Windows Memory Reader and Belkasoft's Live Ram Capturer leaves the least fingerprints in memory when loaded.")
- A comparison of windows physical memory acquisition tools
Have you seen any other comparisons? Please share with us at sales@belkasoft.com!
Conclusion
In this article, we have briefly reviewed why a digital forensic investigator and cyber incident responder need a volatile memory (RAM) dumping tool and what the requirements for such tool selection, should be. Apart from portability, kernel mode action and smallest footprint possible, we suggested to have a fourth requirement: the tool must have single feature of RAM dumping only. When it comes to making recommendations, we suggest our Live RAM Capturer tool and a third-party tool, dumpit. Finally, we listed a few third-party articles comparing available tools. In most of these articles, Belkasoft Live RAM Capturer is considered the best or one of the few best tools for RAM dumping.
See also
- Live Cyber Forensics Analysis with Computer Volatile Memory
- How to decrypt Full Disk Encryption
- A LinkedIn discussion on RAM dumping tools selection
- Memory forensic: acquisition and analysis of memory and its tools comparison
- Secrets of the treasurer’s laptop: digital forensic analysis helps solve cybercrime