Memory Acquisition

Live System Memory acquisition:

WinPMEM MagnetForensicsRamCapture Belkasoft Live Ram Capture F-Response FTKImager

Pagefile.sys

modern systems built around virtual and paged memory. page files are heavily used on systems with lots of ram as a collection of data from the memory (overflow/ not immediate short term memory)

Dead System Memory Acquisition:

# Hibernation File: 
%SystemDrive%\hiberfil.sys

# Page and Swap files: 
%SystemDrive%\PageFile.sys
%SystemDrive%\SwapFile.sys #(Win8+/2012+)
### Reg Key
SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management

# Kernel memory dumps: 
%SystemRoot%\MEMORY.DMP
### Registry key to set: 
SYSTEM\CurrentControlSet\Control\CrashControl

Hibernation File:

Created on file hibernation and is a copy of the RAM at the time of system hibernation.

Conversion can be done automatically in MemProcFS or Volatility (1/2), optionally using the Hibr2bin executable. Other tools include: Axiom, BulkExtractor, Belkasoft Evidence Centre and PassWare

PreviousWindows NextCode Injection

Last updated 1 year ago