Surviving Digital Forensics: RAM Extraction Fundamentals

Learn how to apply RAM extraction basics and get hands on experience using RAM capture tools - including Inception
3.9 (23 ratings)
Instead of using a simple lifetime average, Udemy calculates a
course's star rating by considering a number of different factors
such as the number of ratings, the age of ratings, and the
likelihood of fraudulent ratings.
382 students enrolled
Take This Course
  • Lectures 21
  • Length 1 hour
  • Skill Level All Levels
  • Languages English
  • Includes Lifetime access
    30 day money back guarantee!
    Available on iOS and Android
    Certificate of Completion
Wishlisted Wishlist

How taking a course works


Find online courses made by experts from around the world.


Take your courses with you and learn anywhere, anytime.


Learn and practice real-world skills and achieve your goals.

About This Course

Published 5/2015 English

Course Description

All course may now be found at SUMURI.COM. This course will remain live in UDEMY for existing students.

Conducting a RAM extraction as part of the computer evidence collection process is a front line examiner skill which becoming more and more in demand. A system's live memory contains an assortment of valuable forensic data. A computer analyst trained in memory forensics can dig out evidence of hidden malware processes, user activity and encryption keys or password hashes that may be critical to accesses protected data.

This class provides you with the foundation knowledge to help you make better decisions about why or why not to capture live memory. It also gives you hands on experience using a number of freely available RAM capture tools and covers the advanced topic of using Inception.

  • Learn why RAM extractions are important and how the data can affect your case.
  • Practical exercises give you hands on experience with different RAM extraction tools.
  • Learn how to evaluate and benchmark your RAM capture tools.
  • Learn how to use PALADIN to launch INCEPTION to gain access to password protected systems in order to extract RAM.
  • Learn all of this in about one hour using all freely available tools.

What are the requirements?

  • You will need a Windows 7/8 system
  • I recommend you use either a virtual machine or test system to do the RAM capture practicals on
  • A USB Hard Drive is recommended to use as your RAM collection media (USB flash drives are acceptable)
  • All the ram capture tools are open source and provided as part of the class
  • You will need to download PALADIN (open source ISO) from SUMURI.COM for the INCEPTION practical

What am I going to get from this course?

  • Learn why RAM extractions are important to computer forensic investigations
  • Learn what types of valuable data may be stored in memory
  • Learn what to consider when making the decision to capture RAM
  • Get hands on experience using different RAM capture tools
  • Learn how to evaluate and benchmark your RAM extraction tools
  • Learn how to use INCEPTION to access password protected systems in order to capture RAM

Who is the target audience?

  • This course is designed for computer forensic examiners that conduct on-scene triage and data collection
  • This course is appropriate for IT professionals that wish to learn more about RAM extraction fundamentals and tools
  • This course is appropriate for students that wish to learn more about RAM extraction fundamentals and get experience with RAM capture tools

What you get with this course?

Not for you? No problem.
30 day money back guarantee.

Forever yours.
Lifetime access.

Learn on the go.
Desktop, iOS and Android.

Get rewarded.
Certificate of completion.


Section 1: Introduction

Welcome to the SDF Series!


A few tips to help you get the most out of this training.

Section 2: RAM Extraction Fundamentals

A look at what Windows systems store in RAM and its related forensic value.


Factors to consider when deciding whether or not to extract RAM.


Let's talk about hardware choices and how they affect RAM extractions.

Section 3: Hands-On with RAM Tools

Here are the tools I am using in class.


What we hope to accomplish in this section as well as a discussion on the different modes RAM tools use.


A look at DumpIt as a RAM extraction option.


Let's see DumpIt in action and get some experience with it.


A look a RAM Capturer as a RAM extraction option.


Let's see Ram Capturer in action and get some experience with it.


Next, let's look at Magnet's RAM Capture tool.


Let's see Magnet's RAM Capture Tool in action and get some experience with it.


Sometimes it gets a bad rap, but FTK Imager can be a valid RAM capture option. Let me explain why.


Let's see FTK Imager in action and get some experience with it.

Section 4: Using Inception

A free forensic boot disc loaded with open source available forensic tools.


In this section I will show you a boot disc that has Inception preloaded on it and walk you through the process of running a DMA attack in order to attempt to capture RAM. First, let's take a look at what Inception is and when you may use it.


Let's take a look at using Inception with PALADIN.


This is another RAM extraction option.

Section 5: Conclusion

A review of the class.

Comprehension Quiz
5 questions

Thank you for joining me in another edition of the Surviving Digital Forensics series, I hope you enjoyed the class. Visit us at SUMURI.COM to learn more about the SDF series, our other training, the SDF BLOG, and more.

Follow me on Twitter @LeclairDF to keep up to date on the latest happenings and upcoming courses in the SDF series. If you have an idea for a class let me know!

Also, be sure to check out our YouTube channel: SumuriNews.

Students Who Viewed This Course Also Viewed

  • Loading
  • Loading
  • Loading

Instructor Biography

Michael Leclair, Computer Forensic Analyst

Over twelve years of experience as a Computer Forensic Analyst, author and developer of computer forensic training and analysis tools. Specialties include: Windows forensics, Mac forensics, iOS forensics, Mac Server forensics & mobile device forensics. Creator of the "Surviving Digital Forensics" series and part of SUMURI's RECON for Mac OS X development team.

Certifications include: CFCE, CISSP, CCE, EnCE, A+, Network+

Regularly instruct law enforcement, government and corporate investigators both nationally and internationally in computer forensics.

Ready to start learning?
Take This Course