Volatile Memory Capture
Capture a full RAM image from each compromised system before anything reboots it, shuts it down, or contains it in a way that kills processes. Volatile memory holds running processes and their command lines, network connections, loaded DLLs and shared objects, cryptographic keys (including the volume keys of unlocked BitLocker and LUKS volumes), and injected or fileless code; all of it is gone on power-off and most of it is never written to disk.
Actions
- 1.Windows -- Run WinPmem as an administrator from trusted read-only media or a network share, and write the image to removable or network storage, never to the compromised system's own disk (a multi-gigabyte write there overwrites unallocated space you may need later): `winpmem_mini_x64.exe --output F:\case\%COMPUTERNAME%_memdump.raw --format raw`. `%COMPUTERNAME%` expands in cmd.exe; use `$env:COMPUTERNAME` from PowerShell. Confirm the output is at least the size of installed RAM. A raw image is commonly a little larger than physical RAM because reserved physical address ranges are included; a noticeably smaller file means the acquisition was truncated.
- 2.Windows alternative -- Use Magnet RAM Capture or Belkasoft Live RAM Capturer if WinPmem fails (a driver-signing or AV block is the usual cause; record the failure in the case notes). For remote collection via Velociraptor, run the `Windows.Memory.Acquisition` artifact; it stages the image on the endpoint before upload, so check free disk space on the host and upload capacity on the server first.
- 3.Linux -- Use AVML (Acquire Volatile Memory for Linux), a static binary that needs no kernel module: `sudo ./avml --compress output.lime.compressed`. AVML's compressed output is not gzip; convert it with `avml-convert` before handing it to Volatility. Alternative: LiME, which must be compiled against the exact running kernel: `sudo insmod lime.ko "path=/case/mem.lime format=lime"`. After the capture, confirm the module is no longer loaded with `lsmod | grep lime` and remove it with `rmmod lime` if it is. On either tool, record `uname -a` and the installed kernel package version alongside the image: Volatility 3 needs a symbol table (ISF) for that exact kernel build, and without it the image cannot be parsed.
- 4.Hash the memory image immediately after capture, on the collection media, for chain of custody: `certutil -hashfile memdump.raw SHA256` (Windows) or `sha256sum mem.lime` (Linux). Record the hash, file size, tool, host, examiner and UTC time in the evidence log, and re-hash after every transfer to prove the copy is intact.
- 5.Capture supplementary volatile data after the memory image is written (every command you spawn allocates memory and can overwrite freed pages; collect it first only if the image will take so long that connections may close): `netstat -anob > netstat.txt` (needs an elevated prompt), `tasklist /v > tasklist.txt`, `wmic process get processid,parentprocessid,commandline > procs.txt` (Windows; `wmic` is deprecated and absent on recent builds, so fall back to `Get-CimInstance Win32_Process | Select-Object ProcessId,ParentProcessId,CommandLine`), or `ps auxf > ps.txt && ss -tunap > ss.txt` (Linux; `-tunap` lists all TCP and UDP sockets with owning processes, not only listeners).
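The verification and chain-of-custody steps above, as an added shell example that is not part of the original runbook. It assumes a Linux image already produced by AVML or LiME; the evidence-log layout and function names are this example's own, and the Windows steps are the same procedure with `certutil` in place of `sha256sum`.

```bash
#!/usr/bin/env bash
# Added example, not from the runbook: post-capture checks for a Linux memory image.
# Assumes the image already exists; the log format below is an assumption.
set -euo pipefail

# Byte size of a file (wc -c output is trimmed for BSD stat compatibility).
dump_size_bytes() {
    wc -c < "$1" | tr -d ' '
}

# MemTotal in bytes, parsed from a /proc/meminfo-style file (real one by default).
mem_total_bytes() {
    local meminfo="${1:-/proc/meminfo}"
    awk '/^MemTotal:/ { print $2 * 1024; exit }' "$meminfo"
}

# An uncompressed raw or LiME image should be at least as large as installed RAM
# (often larger, because reserved physical ranges are included). Anything smaller
# means the acquisition was truncated. Returns 0 when plausible, 1 otherwise.
check_dump_size() {
    local dump="$1" meminfo="${2:-/proc/meminfo}"
    local have want
    have=$(dump_size_bytes "$dump")
    want=$(mem_total_bytes "$meminfo")
    [ "$have" -ge "$want" ]
}

# Hash the image and append one tab-separated custody record:
# UTC time, examiner, host, file name, size, SHA-256. Prints the digest.
log_custody() {
    local dump="$1" logfile="$2" examiner="${3:-unknown}"
    local digest size
    digest=$(sha256sum "$dump" | awk '{print $1}')
    size=$(dump_size_bytes "$dump")
    printf '%s\t%s\t%s\t%s\t%s\tsha256:%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$examiner" "$(uname -n)" \
        "$(basename "$dump")" "$size" "$digest" >> "$logfile"
    echo "$digest"
}

# Re-verify a logged image after transfer (e.g. on the forensic workstation):
# recompute the hash and compare it with the last log entry for that file name.
verify_custody() {
    local dump="$1" logfile="$2"
    local logged current
    logged=$(awk -F'\t' -v f="$(basename "$dump")" \
        '$4 == f { h = $6 } END { print h }' "$logfile")
    current="sha256:$(sha256sum "$dump" | awk '{print $1}')"
    [ -n "$logged" ] && [ "$logged" = "$current" ]
}

# Typical use on the collection host, then again after copying to the workstation:
#   check_dump_size /case/mem.lime && log_custody /case/mem.lime /case/evidence.log "$USER"
#   verify_custody /mnt/case/mem.lime /mnt/case/evidence.log
```

Run `check_dump_size` before hashing so a truncated image is caught while the host is still up and a second attempt is possible; `verify_custody` is the check to repeat on every hop the image makes.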
Queries
- Microsoft Defender (KQL) -- confirm that the acquisition tool ran on the target, by whom and when, for the evidence log, and that nobody else ran one. `FileName` carries the full executable name (for example `winpmem_mini_x64.exe`), so match on a substring rather than an exact list: `DeviceProcessEvents | where DeviceName == "TARGET_HOST" | where Timestamp > ago(1h) | where FileName matches regex @"(?i)(winpmem|ramcapture|avml|lime)" | project Timestamp, FileName, ProcessCommandLine, AccountName`
- osquery -- live triage of the target host (via `osqueryi` or an agent such as Velociraptor's osquery integration); run it after the memory image is written, since each new process disturbs RAM: `SELECT pid, name, ppid, cmdline, start_time FROM processes WHERE on_disk = 0 OR name IN ('powershell.exe','cmd.exe','rundll32.exe','regsvr32.exe');` `on_disk = 0` flags processes whose executable has been deleted from disk, a common trait of droppers that unlink themselves (`-1` means osquery could not tell); the name list pulls in the living-off-the-land binaries most often abused as injection hosts.
Notes
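The `on_disk = 0` check in the osquery query above, carried out on Linux without an agent, as an added example that is not part of the original runbook. It reads `/proc` directly: the `exe` link of a process whose binary was unlinked ends in ` (deleted)`, and executable mappings backed by deleted files or `memfd:` objects are the footprint of code that was never on disk. The `proc_root` parameter is this example's own so the logic can be exercised on a constructed tree.

```bash
#!/usr/bin/env bash
# Added example, not from the runbook: agentless equivalent of osquery's on_disk = 0
# plus a scan for executable mappings with no file behind them.
set -euo pipefail

# Print "PID<TAB>path" for every process whose executable has been unlinked.
# readlink appends " (deleted)" to the target when the backing file is gone.
# proc_root defaults to /proc; pass another directory to test against a fake tree.
find_deleted_exes() {
    local proc_root="${1:-/proc}" dir pid target
    for dir in "$proc_root"/[0-9]*; do
        [ -d "$dir" ] || continue
        pid=${dir##*/}
        # Kernel threads and processes we may not inspect have no readable exe link.
        target=$(readlink "$dir/exe" 2>/dev/null) || continue
        case "$target" in
            *" (deleted)") printf '%s\t%s\n' "$pid" "${target% (deleted)}" ;;
        esac
    done
}

# Print "PID<TAB>mapping" for executable (x) mappings whose backing file was
# deleted or is an anonymous memfd: object, which is how injected shared objects
# and in-memory loaders show up. Output is de-duplicated per process and path.
find_unbacked_exec_mappings() {
    local proc_root="${1:-/proc}" dir pid
    for dir in "$proc_root"/[0-9]*; do
        [ -r "$dir/maps" ] || continue
        pid=${dir##*/}
        # /proc/PID/maps columns: range perms offset dev inode pathname...
        # The pathname may contain spaces, so rejoin fields 6..NF.
        awk -v pid="$pid" '
            NF >= 6 && $2 ~ /x/ {
                path = $6
                for (i = 7; i <= NF; i++) path = path " " $i
                if (path ~ /\(deleted\)$/ || path ~ /^\/memfd:/) print pid "\t" path
            }' "$dir/maps"
    done | sort -u
}

# Typical use on the live host after the memory image is written:
#   find_deleted_exes; find_unbacked_exec_mappings
```

Both functions only read `/proc`, so they leave far less trace in RAM than spawning an agent, but run them after the image is on disk all the same; a hit here is a reason to prioritise that host's image in Volatility, not a substitute for analysing it.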
- NEVER open or analyze the memory image on the compromised system itself. Transfer it to a clean forensic workstation and analyze it with Volatility 3 (Rekall is no longer maintained); for Windows images Volatility fetches symbols from the Microsoft symbol server, for Linux images you must supply a symbol table matching the kernel recorded during capture.
- Time is critical -- every minute the system runs, volatile evidence degrades as pages are reused and connections close. If you must choose, memory capture takes priority over disk imaging: disk artifacts survive a reboot, RAM does not.
Where to Go Next
Common Blockers
BitLocker/Encrypted Drives Preventing Forensic Imaging
Full-disk encryption (BitLocker, FileVault, LUKS) prevents mounting or imaging the drive offline without the recovery key. Without decryption you cannot access the filesystem for artifact collection. While the system is still running and the volume is unlocked, a memory image captured now contains the volume key and a live logical copy of the unlocked volume can still be taken; check for escrowed recovery keys (Active Directory, Entra ID, MDM, or the user's account) before treating the host as inaccessible.
Compromised Systems Powered Off or Disconnected
Key systems have been powered off by users, IT, or as part of a premature containment action. Volatile data (running processes, network connections, memory-resident malware) is lost, and remote collection tools cannot reach the host. Do not power the host back on in production to "recover" it; image the disk offline, and pivot to the telemetry that was recorded while it ran (EDR process and network events, proxy, DNS, firewall and authentication logs).
Systems Encrypted by Ransomware -- Normal Artifact Collection Blocked
Ransomware has encrypted the filesystem on affected hosts. Standard artifact collection tools cannot read files, registry hives, or event logs from the encrypted volume, and the operating system may not boot. If a host is still running, capture memory before anything else: the ransomware process, its command line and configuration are still in RAM and may be the only copy of them you get. Take an offline disk image for later, since some families leave partial or unencrypted regions.
Systems Already Rebooted -- Volatile Data Lost
The affected systems have already been rebooted (by users, IT, or automated patch processes) before memory could be captured. Running processes, network connections, injected code, and encryption keys that existed only in RAM are no longer recoverable. Fragments may survive on disk in `pagefile.sys`, `hiberfil.sys` (if hibernation was used) and crash dumps, so preserve those, and pivot to persistent artifacts (event logs, prefetch, registry, scheduled tasks, services) that a reboot does not remove.