In this second part of the Memory Forensics series, we explore how to capture volatile memory on Linux. From tools like LiME and AVML for full memory acquisition to gcore for process dumps, we break down practical steps, best practices, and real-world considerations. While Windows tools are straightforward, Linux offers flexibility—and complexity—that every investigator should master.

Memory forensics begins with acquisition. In this first part of our series, we walk through capturing volatile memory on Windows using FTK Imager, ProcDump, and crash dumps. Learn how to choose the right dump type, preserve evidence integrity with hashing, and apply best practices for real-world investigations.

In digital forensics, every minute counts. Imaging an entire disk is thorough but painfully slow, while manual collection is precise but inefficient. KAPE bridges the gap — portable, fast, and designed to give investigators early leads without the wait.