IR Analyst

Capture a full RAM dump from compromised systems before any reboot or shutdown. Volatile memory contains running processes, network connections, loaded DLLs, encryption keys, and injected code that is lost on power-off.

Actions

  1. Windows -- Use WinPmem from a trusted USB or network share: `winpmem_mini_x64.exe --output F:\case\%COMPUTERNAME%_memdump.raw --format raw`. Verify the output file size matches expected RAM.
  2. Windows alternative -- Use Magnet RAM Capture or Belkasoft Live RAM Capturer if WinPmem fails. For remote collection via Velociraptor: deploy the `Windows.Memory.Acquisition` artifact.
  3. Linux -- Use AVML (Acquire Volatile Memory for Linux): `./avml --compress output.lime.gz`. Alternative: `sudo insmod lime.ko "path=/case/mem.lime format=lime"`. Verify the module unloads cleanly after capture.
  4. Hash the memory dump immediately after capture for chain of custody: `certutil -hashfile memdump.raw SHA256` (Windows) or `sha256sum mem.lime` (Linux). Record the hash in the evidence log.
  5. Capture supplementary volatile data before/after the memory dump: `netstat -anob > netstat.txt`, `tasklist /v > tasklist.txt`, `wmic process get processid,parentprocessid,commandline > procs.txt` (Windows) or `ps auxf > ps.txt && ss -tlnp > ss.txt` (Linux).
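
The size check and chain-of-custody hashing from the Linux steps above, as an added example script (not part of this playbook); it assumes an uncompressed raw or LiME dump, reads MemTotal from /proc/meminfo, and appends a tab-separated line to an evidence log whose path you choose:

```shell
#!/bin/sh
# Added example: post-capture checks for a Linux memory dump.
# Run from the clean collection media, not against a compressed AVML file
# (a .compressed dump is legitimately smaller than RAM, so skip the size check).
set -eu

# MemTotal from /proc/meminfo, converted from kB to bytes.
ram_bytes() {
  awk '/^MemTotal:/ { print $2 * 1024 }' /proc/meminfo
}

# An uncompressed dump must be at least as large as physical RAM
# (LiME adds per-range headers, so it is normally slightly larger).
# $1 = dump path, $2 = expected RAM in bytes. Returns non-zero on a short dump.
dump_size_ok() {
  size=$(wc -c < "$1" | tr -d ' ')
  [ "$size" -ge "$2" ]
}

# Print only the hex SHA-256 digest; falls back to shasum where sha256sum is absent.
dump_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1"
  else
    shasum -a 256 "$1"
  fi | awk '{ print $1 }'
}

# Append one custody record: UTC timestamp, collector host, path, size, SHA-256.
# $1 = dump path, $2 = evidence log path. Echoes the digest so it can be reused.
log_custody() {
  h=$(dump_sha256 "$1")
  size=$(wc -c < "$1" | tr -d ' ')
  printf '%s\t%s\t%s\t%s\t%s\n' \
    "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$(hostname)" "$1" "$size" "$h" >> "$2"
  echo "$h"
}

# Full check for a capture: size against MemTotal, then record the hash.
# $1 = dump path, $2 = evidence log path (hypothetical paths in the usage line).
verify_and_log() {
  dump_size_ok "$1" "$(ram_bytes)" || { echo "dump smaller than RAM: $1" >&2; return 1; }
  log_custody "$1" "$2"
}

# Usage (after capture):  . ./custody.sh && verify_and_log /case/mem.lime /case/evidence.log
```

Keep the evidence log on the collection media next to the dump, and compare the recorded digest again after the transfer to the forensic workstation before opening it in Volatility 3.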

Queries

DeviceProcessEvents | where DeviceName == "TARGET_HOST" | where Timestamp > ago(1h) | where FileName in~ ("winpmem","ramcapture","avml","lime") | project Timestamp, FileName, ProcessCommandLine, AccountName
SELECT pid, name, ppid, cmdline, create_time FROM processes WHERE on_disk = 0 OR name IN ("powershell.exe","cmd.exe","rundll32.exe","regsvr32.exe") -- Velociraptor/osquery live query on target host

Notes

  • NEVER mount or analyze the memory dump on the compromised system itself. Transfer the dump to a clean forensic workstation for analysis with Volatility 3 or Rekall.
  • Time is critical -- every minute the system runs, volatile evidence degrades. Memory capture should take priority over disk imaging if you must choose.

Common Blockers