search

Memory Acquisition

hashtag
Live System Memory acquisition:

WinPMEMarrow-up-right MagnetForensicsRamCapturearrow-up-right Belkasoft Live Ram Capturearrow-up-right F-Responsearrow-up-right FTKImagerarrow-up-right

hashtag
Pagefile.sys

modern systems built around virtual and paged memory. page files are heavily used on systems with lots of ram as a collection of data from the memory (overflow/ not immediate short term memory)

hashtag
Dead System Memory Acquisition: 

# Hibernation File: 
%SystemDrive%\hiberfil.sys

# Page and Swap files: 
%SystemDrive%\PageFile.sys
%SystemDrive%\SwapFile.sys #(Win8+/2012+)
### Reg Key
SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management

# Kernel memory dumps: 
%SystemRoot%\MEMORY.DMP
### Registry key to set: 
SYSTEM\CurrentControlSet\Control\CrashControl

hashtag
Hibernation File:

Created on file hibernation and is a copy of the RAM at the time of system hibernation.

Conversion can be done automatically in MemProcFS or Volatility (1/2), optionally using the Hibr2binarrow-up-right executable. Other tools include: Axiomarrow-up-right, BulkExtractor, Belkasoft Evidence Centrearrow-up-right and PassWarearrow-up-right

PreviousWindowsNextCode Injection

Last updated