RA2005: Make A Volatile Memory Capture
Summary
| ID | RA2005 |
|---|---|
| Brief Description | Make a volatile memory capture |
| Author | @ERMACK_COMMUNITY |
| Creation Date | 2023/03/13 |
| References | |
| Response Stage | Identification |
Description
By downloading and running FTK Imager, winpmem or another utility from an external drive. Volatile data provides valuable forensic information and is straightforward to acquire.
Volatile data
Volatile data is useful to perform analysis on command line history, network connections, etc. Use “Volatility” if possible. Take a triage image - Use tools like EDR, FastIR, DFIR Orc, KAPE with preconfigured profiles.
Or full disk copy image - With tools like dd, FTKImager, etc