From RAM to Evidence (Part 1): Capturing Volatile Memory on Windows

"RAM is like a crime scene in motion — if you don’t capture it fast, it’s gone forever."

*"This is the first article of the Memory Forensics series, where we explore how volatile memory can be acquired and preserved for use in investigations.

In this part, we focus on memory acquisition—the process of capturing live RAM from a Windows machine before it disappears. RAM holds valuable data such as running processes, credentials, injected code, and command-and-control activity. Unlike disk evidence, however, it vanishes once power is lost, making proper acquisition both time-sensitive and critical.

Here, we’ll walk through the key decisions to make before hitting ‘capture’, introduce tools like FTK Imager and procdump64, and outline practical steps to ensure integrity when acquiring memory."*

Before diving into tools, let's first look at what to consider when planning a memory acquisition.

Planning Memory Acquisition: Key Considerations

Tools like FTK Imager or DumpIt are only the final step in memory acquisition — the real work begins with planning. Before capturing, ask yourself :

What regions of memory are relevant to my case? How will I acquire them, what format will my tools accept, and how will I prove integrity?

(Skipping these questions risks producing incomplete, noisy, or even unusable evidence)

Do you really need the whole RAM?

A full memory dump captures everything, but it is often bulky and noisy. In many cases, a smaller snapshot is sufficient.

For instance, if malicious code is injected only into a browser process, capturing the entire RAM may be unnecessary- a targeted process dump will save both time and reduce noise.

File Formats That Matter:

Memory dumps come in different formats, each serving specific tools and use cases. The key is to choose a format that your analysis stack supports:

Approaches to Memory Acquisition

Memory can be captured in different ways, and each approach comes with trade-offs.

• Local Acquisition→ Tool runs directly on the target machine, which requires physical access.

• Remote Acquisition→ Captures memory over the network, convenient but increases security risk.

• Hardware Acquisition→ Specialized PCIe or DMA devices pull memory outside the OS, Very clean but often expensive.

Below are some of the most commonly used tools.

"After selecting the right acquisition method and tool, the next step is applying in practice. Let's walk through how to capture memory on Windows."

Memory Acquisition on Windows: Practical

For this exercise, we will use a Windows 11 workstation with FTK Imager and Sysinternals Suite installed.

Acquiring volatile memory on a Windows machine is a critical step in incident response. In this walk-through, we will demonstrate:

1. Full memory dump using FTK Imager: Captures entire RAM for comprehensive analysis.

2. Process memory dump with procdump64.exe from the Sysinternals Suite- targets a specific process (e.g, explorer.exe)

3. Small crash dumps- Configuring the system to generate dumps automatically during failures.

Since the dumps will later be analyzed with Volatility, it is important to ensure that the formats are compatible. Volatility supports a wide range of dump types, including:

• Raw physical memory (.raw/.mem)

• Windows crash dumps (32/64-bit)

• Windows hibernation files

• VMware (.vmss, .vmsn)

• VirtualBox core dumps

• LiME (Linux Memory Extractor)

• QEMU VM memory dumps

After each acquisition, always generate a hash (MD5 and SHA256) to verify integrity. This ensures that the data you analyze later is identical to what was captured originally.

Note: SHA256 is preferred in modern practice. MD5 is still used for legacy compatibility.

Full Memory Capture (FTK Imager)

To acquire a full memory dump, we'll use FTK Imager, a widely trusted forensic tool.(GUI-based, Portable option, trusted in court)

FTK Imager can be downloaded from Exterro's official website:

Steps to Capture Memory

1. Run FTK Imager as Administrator

   Open FTK Imager with administrative privileges. This ensures the tool can access system memory

2. Navigate to File → Capture Memory

   In the menu bar, go to File and select Capture Memory

3. Select the Destination path and the File name

   Choose the memory image path and provide a file name

   (It is a good practice to include date/time in the destination file name for traceability e.g.., CaseID_Hostname_Date_Time.mem)

4. (Optional) Include pagefile

   You may choose to skip including the pagefile to reduce size, as I did in this example.

   
   

5. Start Capture

   Click OK to begin the acquisition. Depending on the system RAM size, this may take several minutes.

6. Verifying the Hash of the Dump

   After acquisition, generate a hash MD5/SHA256 using PowerShell or any hashing tool (HashCalc, md5deep). This ensures the memory image you analyze is identical to the one captured.

Note: Always document the generated hash values in your case notes for the chain of custody

The command:

                    Get-FileHash -Path "Filepath"

Note: By default, PowerShell uses SHA256 if you don't explicitly specify an algorithm. You can explicitly choose another hash type using the -Algorithm parameter

                Get-FileHash -Path "Filepath" -Algorithm MD5

Process Memory Dump with procdump64

For a targeted dump, we can use Sysinternals ProcDump. In this example, we capture the memory of the explorer.exe process. (explorer.exe is always running under a user session; attackers often inject malicious code into it. Capturing this process helps detect injections or persistence mechanisms.)

Download from the official site: https://learn.microsoft.com/en-us/sysinternals/downloads/sysinternals-suite

Steps to Capture a Process Dump

1. Open PowerShell as Administrator.

   
   

2. Navigate to the Sysinternals folder

                        cd "FilePath"

3. Run the Procdump command

\procdump64.exe -ma explorer.exe ".memfilepath" -accepteula

Have a closer look at the options included in the command:

• -ma: Captures a full memory dump of the process.

  (The default option is a minidump (-mm), which only contains basic information about the process.)

• Use the -h command to view all available flags 

• explorer.exe: The target process whose memory is being dumped.

• -accepteula: Automatically accepts the sysinternals agreement so the tool can run without prompting the user.

4. Verifying Hash of Dump

Alternatives for Memory capture on Windows

While FTK Imager and ProcDump are widely used, several other tools can be used depending on the use case:

For Full Memory Dumps:

• Magnet RAM Capture → Free tool, lightweight, works well on most Windows versions.

  Link: https://www.magnetforensics.com/resources/magnet-dumpit-for-windows/#resource-bottom-content

• Belkasoft Live RAM Capturer 

  Link: https://belkasoft.com/trial

• WinPmem → Open-source, supports raw dumps (.raw, .mem), integrates well with Volatility.

  Link: https://github.com/Velocidex/WinPmem/releases

  
  

For Process Dumps (Targeted):

• Task Manager (Windows 10/11) → Right-click a process → Create Dump File. Simple but limited.

• Process Explorer (Sysinternals) → GUI alternative to ProcDump, with right-click dump option.

  
  

  

• Process Hacker → Another GUI tool, useful for capturing process memory, threads, and handles.

Note: Always test these tools in a lab before using them in the field. Some may cause system instability or be blocked by endpoint security solutions.

Configuring Crash Dumps on Windows 11

Windows can be configured to automatically create a memory dump file whenever the system crashes. This is not a replacement for full memory capture, but it provides additional coverage and can be helpful.

Steps to configure crash dumps

1. Press Win + R, type sysdm.cpl, and hit Enter.

2. Go to Startup and Recovery Settings

   Navigate to:

   Advanced --> Startup and Recovery --> Settings

3. Choose Memory Dump

   Under Write debugging information, which dump to choose will depend on your use case.

   
   

Note: Crash dumps only trigger during system failures.

From Lab to Field: Practical Notes & Real-World Scenarios:

Memory forensics in the lab is straightforward. In the field, it rarely is. Here are some realities to keep in mind when acquiring memory on Windows:

System State

• Sleep → You’ll need to wake the system before using tools. Act fast, as RAM changes once active.

• Hibernate → Collect hiberfil.sys, since it contains RAM contents at power-down.

• Crashed system → Use configured crash dumps as fallback evidence.

  
  

Security Tools

• EDR/AV may block dumps (e.g., LSASS). If blocked, capture full memory instead of a process dump.

  
  

Storage & Size

• Full dumps can be tens of GBs. Always dump to external media to avoid overwriting host artifacts.

  
  

Time Sensitivity

• Malware and ransomware often clean traces in memory. The sooner you capture, the better.

  
  

Virtual Environments

• If the target is a VM, use hypervisor snapshots (.vmsn, .vmss, .vmem) instead of in-guest tools when possible.

  
  

Tools & Portability

• Use portable versions (e.g., FTK Imager Lite, WinPmem from USB) to avoid altering the system.

• Avoid installing new software on the suspect host unless absolutely necessary.

  
  

Chain of Custody

• Document who, what, when, and how for each acquisition.

• Always generate and record hashes (SHA256 preferred) immediately after capture.

"HAPPY LEARNING! And I will see you in the 2nd part."