PreservationP1~60 min

Volatile Memory Capture

Capture a full RAM dump from compromised systems before any reboot or shutdown. Volatile memory contains running processes, network connections, loaded DLLs, encryption keys, and injected code that is lost on power-off.

Actions

  1. 1

    Windows -- Use WinPmem from a trusted USB or network share: `winpmem_mini_x64.exe --output F:\case\%COMPUTERNAME%_memdump.raw --format raw`. Verify the output file size matches expected RAM.

  2. 2

    Windows alternative -- Use Magnet RAM Capture or Belkasoft Live RAM Capturer if WinPmem fails. For remote collection via Velociraptor: deploy `Windows.Memory.Acquisition` artifact.

  3. 3

    Linux -- Use AVML (Acquire Volatile Memory for Linux): `./avml --compress output.lime.gz`. Alternative: `sudo insmod lime.ko "path=/case/mem.lime format=lime"`. Verify module unloads cleanly after capture.

  4. 4

    Hash the memory dump immediately after capture for chain of custody: `certutil -hashfile memdump.raw SHA256` (Windows) or `sha256sum mem.lime` (Linux). Record the hash in the evidence log.

  5. 5

    Capture supplementary volatile data before/after memory dump: `netstat -anob > netstat.txt`, `tasklist /v > tasklist.txt`, `wmic process get processid,parentprocessid,commandline > procs.txt` (Windows) or `ps auxf > ps.txt && ss -tlnp > ss.txt` (Linux).

Queries

DeviceProcessEvents | where DeviceName == "TARGET_HOST" | where Timestamp > ago(1h) | where FileName in~ ("winpmem","ramcapture","avml","lime") | project Timestamp, FileName, ProcessCommandLine, AccountName
SELECT pid, name, ppid, cmdline, create_time FROM processes WHERE on_disk = 0 OR name IN ("powershell.exe","cmd.exe","rundll32.exe","regsvr32.exe") -- Velociraptor/osquery live query on target host
index=sysmon host=TARGET_HOST EventCode=1 (Image="*\\winpmem*" OR Image="*\\ramcapture*" OR Image="*\\avml*" OR CommandLine="*lime*") earliest=-1h | table _time, Computer, User, Image, CommandLine, ParentImage

Notes

NEVER mount or analyze the memory dump on the compromised system itself. Transfer the dump to a clean forensic workstation for analysis with Volatility 3 or Rekall.

Time is critical -- every minute the system runs, volatile evidence degrades. Memory capture should take priority over disk imaging if you must choose.

Where to Go Next

Memory captured successfully, ready for containment

Proceed with network isolation

Memory captured, need to preserve disk evidence

Preserve logs and disk artifacts

Memory analysis reveals lateral movement indicators

Analyze lateral movement patterns

Related Resources

Artifacts

3
Full Memory Dump/proc Filesystem (Live Process Data)Active Network Connections & Listening Ports

Common Blockers

4
BitLocker/Encrypted Drives Preventing Forensic ImagingCompromised Systems Powered Off or DisconnectedSystems Encrypted by Ransomware -- Normal Artifact Collection BlockedSystems Already Rebooted -- Volatile Data Lost

Suggested Acquisition

4
FTK Imager Full Disk ImageEnCase Forensic Full Disk Imagedd / dc3dd Raw Disk ImageGuymager Full Disk Image