Generation 1, vs. USB 3.1 Generation 2), and other activities occurring on the system at the same time.
Therefore, if the copying process takes several minutes to complete, pages copied early in the process
may contain totally different data by the time the last page is copied. If too many changes occur during
the RAM capture, the resulting RAM dump may end up being corrupted to the point that analysis is not
possible. To help minimize this risk, do not interact with the system while capturing RAM any more than
is necessary. Also remember that most tools only capture the data that is in RAM at the time of capture,
so if data has been paged out to disk, that data will usually not be captured. Tools such as the Pmem
suite can also capture the data paged to disk, but your analysis tool may not be able to fully process the
paged data. When capturing RAM with any tool, also consider interrogating the system at the command
line or capturing data about processes, connections, etc. using an agent such as Velociraptor or an
Endpoint Detection and Response (EDR) tool immediately after RAM capture, so that you still have
actionable data in case memory forensics tools cannot parse the RAM dump correctly.
Analysis of memory stored on disk, like crash dumps, page files, and hibernation files, is a bit different
than data captured from a RAM dump. Page files lack the context necessary to completely interpret
their data since they only contain fragments that were previously stored in RAM. Nonetheless, usable
data may be recovered from page files, so they are worth examining. While the normal location of the
page file is C:\pagefile.sys on Windows systems, additional or alternate locations can be specified by
modifying the PagingFiles value located in the HKLM\SYSTEM\CurrentControlSet\Control\Session
Manager\Memory Management key. It is therefore best practice to double-check that registry setting
when analyzing a disk image for paged RAM data.
You may also find data that was previously in RAM in crash dumps created by the operating system when
problems are encountered. If configured to create crash dumps, your system may place them in the
%SystemRoot% folder with the name Memory.dmp. For additional details on configuration options, see
this article. Crash dumps are not raw memory captures but have headers containing metadata about
the dump. These dumps are designed to be analyzed with the Windows Debugger, WinDbg, but if they
are a full memory dump, memory forensics tools may be able to parse these files to provide information
about the state of the system at the time the crash occurred.
Windows hibernation files are another potential source of memory data. When a computer goes into
hibernation mode, the contents of RAM are compressed and copied to disk in a file called hiberfil.sys in
the root of the system drive. This also occurs in support of the Windows fast startup mode, so
hiberfil.sys may be found on desktop or laptop computers. The imagecopy plugin can convert a
hibernation file to a raw memory dump for analysis. Note that the act of hibernating will have an impact
on network connections that may have been active when the system went into the reduced power
mode, and therefore information about active network connections may be altered.
Virtual Machine (VM) memory can be acquired as if the VM were a running bare-metal system, or in
some cases through the hypervisor itself. For example, VMware can create memory dump files in its
own format by taking a snapshot or suspending the virtual machine. Depending on the version of
VMware and how the files are created, RAM data may be found in files with extensions .vmem, .vmss, or
.vmsn. Additional processing with tools like vmss2core may be needed to extract a usable memory
dump. You should consult your hypervisor vendor for the proper files and process to extract a memory
dump from a snapshot or suspended virtual machine.
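The on-disk sources described above (page files named in the PagingFiles registry value, hiberfil.sys, Memory.dmp, and VMware .vmem/.vmss/.vmsn files) can be inventoried from a mounted disk image before any memory tool is run. The following is an added example, not code from the book or from any tool it mentions; it assumes the image is mounted read-only at one directory, that the drive letter maps to that mount point, that %SystemRoot% is \Windows, and that the PagingFiles value has already been exported from the SYSTEM hive as raw REG_MULTI_SZ bytes (the sample value and placeholder files are constructed).

```python
from __future__ import annotations
import tempfile
from pathlib import Path

# Constructed sample of the REG_MULTI_SZ PagingFiles value: UTF-16-LE strings,
# NUL separated, double-NUL terminated. Each entry is 'path [initial_MB max_MB]'.
SAMPLE_PAGING_FILES = "C:\\pagefile.sys 0 0\x00C:\\Data\\pagefile.sys 1024 4096\x00\x00".encode("utf-16-le")


def parse_paging_files(raw: bytes) -> list[str]:
    """Decode PagingFiles into page file paths, dropping the trailing size tokens."""
    paths = []
    for entry in raw.decode("utf-16-le").split("\x00"):
        tokens = entry.split(" ")
        while len(tokens) > 1 and tokens[-1].isdigit():  # strip 'initial max' sizes
            tokens.pop()
        if tokens[0]:
            paths.append(" ".join(tokens))
    return paths


def find_ci(directory: Path, name: str) -> Path | None:
    """Case-insensitive lookup; the image may be mounted on a case-sensitive host."""
    if directory.is_dir():
        for entry in directory.iterdir():
            if entry.is_file() and entry.name.lower() == name.lower():
                return entry
    return None


def to_image_path(root: Path, win_path: str) -> Path:
    """Map 'C:\\dir\\file' onto the mount point (drive letter dropped; single volume assumed)."""
    rel = win_path[3:] if win_path[1:3] == ":\\" else win_path
    return root.joinpath(*rel.split("\\"))


def locate_artifacts(root: Path, paging_files: list[str]) -> dict[str, list[Path]]:
    """Collect registry-listed page files, hiberfil.sys, Memory.dmp and VMware memory files."""
    found: dict[str, list[Path]] = {"pagefile": [], "hiberfil": [], "crashdump": [], "vmware": []}
    for win_path in paging_files:
        cand = to_image_path(root, win_path)
        if hit := find_ci(cand.parent, cand.name):
            found["pagefile"].append(hit)
    if hit := find_ci(root, "hiberfil.sys"):
        found["hiberfil"].append(hit)
    if hit := find_ci(root / "Windows", "Memory.dmp"):  # assumes %SystemRoot% is \Windows
        found["crashdump"].append(hit)
    for ext in (".vmem", ".vmss", ".vmsn"):
        found["vmware"].extend(sorted(root.rglob(f"*{ext}")))
    return found


def build_demo_tree() -> Path:
    """Constructed image root of empty placeholder files so the example runs stand-alone."""
    root = Path(tempfile.mkdtemp(prefix="img_"))
    for rel in ("pagefile.sys", "hiberfil.sys", "Windows/MEMORY.DMP", "Data/pagefile.sys", "vm/win10.vmem"):
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).touch()
    return root


if __name__ == "__main__":
    root = build_demo_tree()
    for kind, hits in locate_artifacts(root, parse_paging_files(SAMPLE_PAGING_FILES)).items():
        print(kind, [h.relative_to(root).as_posix() for h in hits])
```

On a real image, replace SAMPLE_PAGING_FILES with the value read from the SYSTEM hive and point the root at the mount; a second page file on another volume would need that volume mounted and mapped as well.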