Collecting Volatile Data
Legal, organizational, and technical aspects of data
acquisition are all equally important when acquiring ephemeral evidence.
The choice of tools and methods for capturing
volatile data is extremely important. The wrong
tool or the improper use of the right one may
render the entire acquisition useless (more on that
later). An attempt to use an inappropriate tool may
not only fail to produce meaningful results, but also
irreversibly destroy existing evidence.
It is essential to realize that acquiring volatile memory will inevitably leave an acquisition
footprint. While this may seem acceptable to the
law enforcement officer performing the acquisition,
convincing the court will be a different matter.
Proper documentation of every step of the acquisition process is essential for collecting evidence that
can withstand legal scrutiny.
In order to acquire the content of a computer’s volatile memory, the investigator will have to execute
a memory dumping tool, thus inevitably leaving an
acquisition footprint both in the volatile memory
and on the computer’s hard disk. Therefore, it is
essential to carefully weigh the benefits of RAM
acquisition against such drawbacks, taking into
account that dumping live RAM contents might
Proper documentation of every step of the
acquisition process is essential for collecting
evidence that can withstand legal scrutiny.
be the only way to obtain certain types of evidence
(such as decryption keys used to access encrypted
disk volumes that may contain orders of magnitude
more evidence than RAM alone).
Currently, most court systems are ready to recognize that a footprint is introduced by law enforcement during the acquisition process. For that to
be the case, the entire acquisition process must be
Live Box vs. Offline Analysis
Performing analysis on a running computer requires
a careful assessment of risk vs. potential benefits.
The first step of live box analysis should always
involve capturing a memory dump for off-line analysis. Should anything go wrong during the inves-
tigation of a running computer, the memory dump
can still be analyzed. After taking a memory dump,
continuing with live box analysis may be beneficial
if, for example, there is certain information stored
on remote servers and a network connection (e.g.
a secure VPN connection or an RDP session) is
established which may be lost when the computer is
The official ACPO Guidelines recommend the fol-
lowing standard procedure for capturing a memory
• Perform a risk assessment of the situation: Is it
evidentially required and safe to perform volatile
• If so, install a volatile data capture device (e.g.
USB Flash Drive, USB hard drive, etc.)
• Run the volatile data collection script.
• Once complete, stop the device (particularly
important for USB devices which if removed before
proper shutdown can lose information).
• Remove the device.
• Verify the data output on a separate forensic
investigation machine (not the suspect system).
• Immediately follow with standard power-off
Tools and Techniques for Capturing
A range of tools and methods are available to capture memory dumps. From the forensic perspective,
there are certain requirements that any such tool
must strictly conform to. In no particular order, the
list of essential requirements follows.
1. Kernel-mode operation. Kernel-mode operation is essential in a forensic memory capturing
tool. With many applications proactively protecting their memory sets against dumping, running a
memory acquisition tool that operates in user-mode
is simple suicide. At best, such tools will read zeroes
or random data instead of the actual information.
In a worst-case scenario, a proactive anti-debugging protection will take immediate measures to
effectively destroy protected information, then lock
up and/or reboot the computer, making any further
For this not to happen, investigators must use
a proper memory acquisition tool running in the
system’s most privileged kernel mode.
2. Smallest footprint possible. The smaller the
footprint left by a memory acquisition tool, the