What you'll learn

Learn why RAM extractions are important to computer forensic investigations
Learn what types of valuable data may be stored in memory
Learn what to consider when making the decision to capture RAM
Get hands on experience using different RAM capture tools
Learn how to evaluate and benchmark your RAM extraction tools
Learn how to use INCEPTION to access password protected systems in order to capture RAM

Course content

5 sections • 21 lectures • 1h 7m total length

Welcome to the SDF Series!5:28
Welcome to the SDF Series!
Maximize your learning2:39
A few tips to help you get the most out of this training.

RAM Tools for Class0:17
Here are the tools I am using in class.
Goals and Modes2:34
What we hope to accomplish in this section as well as a discussion on the different modes RAM tools use.
DumpIt Overview1:42
A look at DumpIt as a RAM extraction option.
DumpIt in Action1:58
Let's see DumpIt in action and get some experience with it.
Belkasoft's RAM Capturer Tool Overview1:20
A look a RAM Capturer as a RAM extraction option.
Belkasoft's RAM Capturer Tool in Action1:44
Let's see Ram Capturer in action and get some experience with it.
Magnet RAM Capture Tool Overview1:33
Next, let's look at Magnet's RAM Capture tool.
Magnet RAM Capture Tool in Action2:43
Let's see Magnet's RAM Capture Tool in action and get some experience with it.
FTK Imager RAM Capture Overview2:50
Sometimes it gets a bad rap, but FTK Imager can be a valid RAM capture option. Let me explain why.
FTK Imager RAM Capture in Action3:51
Let's see FTK Imager in action and get some experience with it.

Download Paladin ISO0:27
A free forensic boot disc loaded with open source available forensic tools.
Inception Overview7:21
In this section I will show you a boot disc that has Inception preloaded on it and walk you through the process of running a DMA attack in order to attempt to capture RAM. First, let's take a look at what Inception is and when you may use it.
Inception in Action6:10
Let's take a look at using Inception with PALADIN.
Note about INCEPTION and RAM Capture0:22
This is another RAM extraction option.

Review2:52
A review of the class.
Comprehension Quiz
Thank you and final thoughts0:38
Thank you for joining me in another edition of the Surviving Digital Forensics series, I hope you enjoyed the class. Visit us at SUMURI.COM to learn more about the SDF series, our other training, the SDF BLOG, and more.

Follow me on Twitter @LeclairDF to keep up to date on the latest happenings and upcoming courses in the SDF series. If you have an idea for a class let me know!

Also, be sure to check out our YouTube channel: SumuriNews.

Requirements

You will need a Windows 7/8 system
I recommend you use either a virtual machine or test system to do the RAM capture practicals on
A USB Hard Drive is recommended to use as your RAM collection media (USB flash drives are acceptable)
All the ram capture tools are open source and provided as part of the class
You will need to download PALADIN (open source ISO) from SUMURI.COM for the INCEPTION practical

Description

Conducting a RAM extraction as part of the computer evidence collection process is a front line examiner skill which becoming more and more in demand. A system's live memory contains an assortment of valuable forensic data. A computer analyst trained in memory forensics can dig out evidence of hidden malware processes, user activity and encryption keys or password hashes that may be critical to accesses protected data.

This class provides you with the foundation knowledge to help you make better decisions about why or why not to capture live memory. It also gives you hands on experience using a number of freely available RAM capture tools and covers the advanced topic of using Inception.

Learn why RAM extractions are important and how the data can affect your case.
Practical exercises give you hands on experience with different RAM extraction tools.
Learn how to evaluate and benchmark your RAM capture tools.
Learn how to use PALADIN to launch INCEPTION to gain access to password protected systems in order to extract RAM.
Learn all of this in about one hour using all freely available tools.

Who this course is for:

This course is designed for computer forensic examiners that conduct on-scene triage and data collection
This course is appropriate for IT professionals that wish to learn more about RAM extraction fundamentals and tools
This course is appropriate for students that wish to learn more about RAM extraction fundamentals and get experience with RAM capture tools

What you'll learn

Explore related topics

Course content

Introduction2 lectures • 8min

RAM Extraction Fundamentals3 lectures • 21min

Hands-On with RAM Tools10 lectures • 21min

Using Inception4 lectures • 14min

Conclusion2 lectures • 4min

Requirements

Description

Who this course is for: