Acquire RAM for Forensics Testing

In a previous article we talked about how to perform digital forensics testing of RAM using Volatility framework. But we didn't talk about how we can acquire Random Access Memory (RAM) for a digital forensics test.

Here we use FTK Imager (Forensic Toolkit Imager) for our memory capturing job. We can install on a Windows computer (latest version of FTK Imager 4.5 comes for Windows only). After that we can acquire RAM.

Acquire RAM data for digital forensics using FTK Imager

FTK Imager can acquire primary storage systems also, but there are lots of article there in the internet about it. Here we are going to about how we can acquire a system's volatile memory (RAM) for forensics purpose.

First of all we need to download the latest FTK Imager tool from the official website https://accessdata.com/product-download/ftk-imager-version-4-5.

ftkimager dowload

After clicking on "Download Now" we got a page to fill up a form and we need to put our mail-id there and then the download link will be mailed to us as we can see the following screenshot:

ftkimager download link in mail
Here we can click to "Download FTK Imager" button. We need to click here then the download process will be started. This will be a less than 50MB exe file.

After downloading we can install it as other Windows applications. Then we just need to run it as an administrator, shows in the following screenshot:

ftk imager run as admin
Then FTK Imager will open in front of us as we can see in the following screenshot:

ftkimager home screen
After this we click on the "File" located top left corner. Then we click on "Capture Memory" in the drop down menu. Showed in thee following screenshot:

capture Memory on FTK Imager

Then a popup box will open, here we can browse the destination folders path, where we want to save the acquired memory dump. Shown in the following screenshot:

fftkimager set destination path

After choosing the output folder we need to check (✅) for pagefile and AD1 file.

FTK Imager set for acquire RAM

Then we just need to click on "Capture Memory" and the memory acquiring will started. Shown in the following screenshot:

memory acquiring on ftk imager
After finishing the memory acquiring it will start capturing pagefile and AD1 file, as the following screenshot:

creating AD1 file ftkimager

Once the acquisition is completed, we can click on the "Close" button, as shown in the following screenshot:

ftkimager ram acuring complete

Now we are Done. We can see the output files on our selected destination folder.

FTK Imager captured RAM dump
Now we can easily test this .mem file using Volatility on Kali Linux machine. We had talked about Volatility and it's uses previously.

This is how can capture RAM for forensics testing. RAM's data is very volatile, when there are no electrical charge or current in the RAM chip. With the data on RAM being the most volatile, it ranks high in the order of volatility and must be forensically acquired and preserved as a matter of high priority.

Love our articles? Make sure to follow us on Twitter and GitHub, we post article updates there. To join our KaliLinuxIn family, join our Telegram Group. We are trying to build a community for Linux and Cybersecurity. For anything we always happy to help everyone on the comment section. As we know our comment section is always open to everyone. We read each and every comment and we always reply.

AIX

Posting Komentar

Lebih baru Lebih lama