The process of capturing the memory is known as dumping. The tools and methods of dumping the memory on a running computer differ with the Operating System.


One way to dump the memory under Windows is to use the dd tool from the Forensic Acquisition Utilities by George M. Garner Jr..

A sample command to achieve a dump is the following:

dd.exe if=\\.\PhysicalDrive0 of=d:\images\PhysicalDrive0.img conv=noerror

The conv=noerror will make dd continue even if there are errors reading the memory. Note also that if you specify a local drive to write the image to that you will need to specify the --localwrt option. This is necessary in the case of a real forensics scenario. You don't want to write to a drive and potentially destroy evidence.

Dumping the memory on Windows Server 2003 SP1 and Windows Vista will be difficult as there is no user-mode access to \Device\PhysicalMemory.





The DFWS 2005 Forensic Challenge was concerned with analyzing a RAM dump.

External LinksEdit