Shut the laptop lid and the evidence is gone. Permanently.
That’s the reality of volatile memory, and it’s why RAM capture is the one forensic step most civil practitioners skip, and the one that sometimes makes or breaks a case. Unlike a hard drive, RAM holds its contents only as long as power flows. When a machine shuts down or the battery dies, memory is cleared. Hibernation is the partial exception: the operating system writes RAM to a file on disk before powering off, which is why the hibernation file is worth examining when a live capture was missed. Sleep is not an exception; RAM stays powered during sleep, and its contents are lost the moment that power goes.
In civil investigations, that “everything” can include encryption keys that unlock otherwise inaccessible drives, session tokens granting access to cloud accounts, artifacts of recently run programs, and evidence of who was logged in at a specific moment.
This guide covers when RAM capture is worth pursuing, which tools hold up under scrutiny, how to handle the admissibility questions you’ll face, and how to document the process in a way that survives a challenge.
What Lives in RAM (and Why You Should Care)
RAM is the working memory of a running computer. It holds the operating system’s active state, every open application, the contents of open documents, and a surprising amount of data the user never deliberately stored there.
From a forensic standpoint, the most valuable RAM artifacts fall into a few categories:
Encryption keys and credentials. Full-disk encryption products like BitLocker and VeraCrypt need the volume key available while the drive is in use, and that key lives in RAM for as long as the volume is mounted. If you capture memory while the machine is running and the drive is unlocked, memory-analysis tools (the community BitLocker plugin for Volatility, or generic scanners that look for expanded AES key schedules) can often recover that key, giving you access to an otherwise encrypted drive. This is the scenario that makes RAM capture non-negotiable in certain cases.
Active network connections. A running system’s memory contains the current state of all network connections — what the machine is talking to, on what ports, and for how long. This matters in cases involving unauthorized access, data exfiltration, or undisclosed remote connections.
Process and application state. Which programs were running at the time of capture? What was open? Memory analysis can reconstruct recently executed processes, including those that have since been deleted from disk. An attacker who runs a tool and then deletes it may still leave traces in memory long after the file is gone.
Browser session data. Open browser tabs, form data, authentication cookies, and session tokens can all survive in RAM for some time after the browser window is closed, because freed memory is not wiped until it is reused. In civil matters involving account access or financial transactions, this can be significant.
Clipboard contents. Whatever was last copied — text, images, data — often persists in memory. Examiners have recovered passwords, financial account numbers, and draft communications this way.
When to Capture: The Decision Framework
Not every civil case warrants RAM capture. It introduces complexity, has a higher potential for disruption than disk imaging, and requires faster action than most disk-based acquisitions. But certain scenarios make it worth the extra steps.
Encryption is present. If the target machine uses BitLocker, VeraCrypt, FileVault, or any other full-disk encryption, and you have lawful access to the running machine, RAM capture is your only realistic path to the contents of that drive without the passphrase or an escrowed recovery key (BitLocker recovery keys are sometimes backed up to Active Directory or a Microsoft account; check for that, but do not count on it). This alone justifies the effort in many cases.
Active remote connections are suspected. Cases involving alleged unauthorized network access, IP theft via cloud sync, or suspected remote assistance to a third party benefit from memory capture that shows live connection state.
Anti-forensic tools may be in use. Some applications store sensitive data only in memory, deliberately avoiding disk writes. RAM capture is often the only way to catch them.
Time-critical credential access. Web application evidence that exists only in active sessions — a logged-in account, an open cloud storage portal — may be accessible through session tokens in RAM.
The machine is already running and lawfully accessible. This is the practical threshold. RAM capture requires the machine to be on. If it’s already off, you’ve already lost volatile memory. If you have lawful access and it’s running, the question becomes whether the potential value justifies the process.
Tools for RAM Acquisition
FTK Imager
FTK Imager from Exterro remains one of the most widely accepted tools for RAM acquisition in both civil and criminal contexts. Its memory capture function is straightforward: select “Capture Memory” from the File menu, specify an output location, and the tool dumps a raw memory image.
FTK Imager is particularly strong in court acceptance because of its long track record and widespread use among law enforcement and private examiners. ACE (AccessData Certified Examiner) holders will already be familiar with the Exterro ecosystem, since Exterro acquired AccessData and its FTK product line.
One note: FTK Imager’s RAM capture writes a small kernel driver to disk and loads it, because reading physical memory requires kernel privileges. Document this in your notes. Any tool that captures RAM must, by definition, run on the target system and therefore alter it to some degree: the driver or executable on disk, the loaded module in memory, and the pages the tool itself consumes. That’s not a failure, it’s inherent to live acquisition, but you must document what changed.
Magnet RAM Capture
Magnet RAM Capture is a free tool from Magnet Forensics that handles volatile memory acquisition with a small footprint. It outputs to raw (.mem or .raw) format compatible with Volatility and most analysis platforms.
Magnet RAM Capture is a good choice when you want to keep the tool’s footprint on the target small. Run it from a USB drive and direct the output image to external media as well, so that the only things written to the target are the kernel driver the tool loads and whatever the operating system records about the tool’s execution (prefetch entries, event log records). Note those in your log too.
WinPmem
WinPmem is an open-source memory acquisition tool, originally developed within Google’s Rekall project and now maintained by Velocidex (the Velociraptor developers). It captures RAM to a raw image file (older releases also offered AFF4 and ELF output) and runs from the command line, so it scripts cleanly. Its open-source nature means the acquisition methodology can be fully audited, which can be an advantage when opposing counsel challenges your tools.
The tradeoff: WinPmem requires more technical comfort to operate, and its open-source status can occasionally prompt questions from non-technical attorneys or judges who equate “free” with “less credible.” Be prepared to explain what open-source means and why it supports rather than undermines reliability.
LiME for Linux Targets
For Linux targets, LiME (Linux Memory Extractor) provides kernel-level acquisition as a loadable kernel module. It reads physical memory from kernel context and writes it either to a file (point it at your external media) or over a TCP socket to a collection host, avoiding a user-space copy of the data. Two caveats matter in practice. First, the module must be compiled against the exact kernel version running on the target, so identify the kernel ahead of time and build the module on a matching system rather than installing a compiler on the evidence machine. Second, loading a module is itself a modification of the running kernel, and systems enforcing module signing or kernel lockdown will refuse an unsigned module; record the outcome either way.
The Write-to-Disk Problem and How to Handle It
Every examiner who captures RAM faces the same challenge: the acquisition tool must run on the target machine, which means it modifies the machine to some degree. Purists will note this as a deviation from the forensic principle of non-alteration.
Handle this the right way:
- Document before capture. Note the system state before you begin: what’s running, what’s visible on screen, current time. Photograph the screen if possible.
- Use an external drive for output. Direct the memory image to a USB drive or network share, not to the local machine’s disk. This minimizes what you write to the target system.
- Record what the tool writes. FTK Imager and similar tools typically document their own disk footprint. Note this in your acquisition log.
- Acknowledge it in your report. Don’t hide that RAM capture involves running a process on the target. Explain it plainly: “All memory acquisition tools require execution on the target system, which creates a minimal footprint. The following steps were taken to minimize and document this impact.” Courts understand necessity when it’s explained honestly.
The alternative — refusing to capture RAM to maintain theoretical purity — isn’t better. If the evidence is in RAM and you have legal access to get it, failing to capture it because the process is imperfect is a disservice to your client.
Analyzing What You Captured
Raw memory images aren’t human-readable. You’ll need analysis tools to make sense of them.
Volatility is the standard. This open-source framework analyzes raw memory images and ships dozens of plugins for specific artifact types. In Volatility 3 the Windows plugins are namespaced: `windows.pslist` and `windows.pstree` for running processes, `windows.netscan` for network connections and listeners, `windows.cmdline` for the command-line arguments of each process, `windows.hashdump` for local account password hashes from the SAM (cached domain credentials and LSA secrets are `windows.cachedump` and `windows.lsadump`), and many more.
Start with `windows.info` to identify the operating system build and confirm the image parses (Volatility 2 users will know this step as `imageinfo`; Volatility 3 resolves symbols automatically rather than requiring a profile). Then work through the plugins relevant to your investigation questions. Document which plugins you ran, with which tool version, what they returned, and how you interpreted the results.
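The network-connection questions raised earlier (who the machine was talking to, on what ports, owned by which process) are answered by reading `windows.netscan` output, and on a busy system that output runs to hundreds of rows. The script below is an added example, not part of the original guide or of Volatility: it parses the plugin's CSV output (assumed produced with `vol -f memdump.raw -r csv windows.netscan > netscan.csv`), keeps only established connections whose far end is outside the ranges you define as internal, and summarises them per owning process for the report. The sample rows are constructed to look like that output; the column names are the plugin's, while the offsets, addresses, PIDs and times are made up, and the foreign addresses use RFC 5737 documentation ranges as stand-ins for Internet hosts.

```python
"""Triage Volatility 3 `windows.netscan` CSV output for live remote connections.

Added example, not part of the original guide or of Volatility itself.
Assumes output from:  vol -f memdump.raw -r csv windows.netscan > netscan.csv
The sample below is constructed; only the column names are the real plugin's.
"""
import csv
import io
from collections import defaultdict
from ipaddress import ip_address, ip_network

SAMPLE_NETSCAN_CSV = """\
TreeDepth,Offset,Proto,LocalAddr,LocalPort,ForeignAddr,ForeignPort,State,PID,Owner,Created
0,0xe0001234a010,TCPv4,10.0.4.23,49712,203.0.113.45,443,ESTABLISHED,4120,OneDrive.exe,2024-01-15 13:58:02.000000 UTC
0,0xe0001234b020,TCPv4,10.0.4.23,49801,198.51.100.7,22,ESTABLISHED,6032,putty.exe,2024-01-15 14:01:40.000000 UTC
0,0xe0001234c030,TCPv4,10.0.4.23,49855,10.0.4.10,445,ESTABLISHED,4,System,2024-01-15 13:57:10.000000 UTC
0,0xe0001234d040,TCPv4,0.0.0.0,135,0.0.0.0,0,LISTENING,912,svchost.exe,2024-01-15 13:55:00.000000 UTC
0,0xe0001234e050,UDPv4,0.0.0.0,5353,*,0,,1280,chrome.exe,2024-01-15 13:56:11.000000 UTC
0,0xe0001234f060,TCPv6,::1,49910,::1,49911,ESTABLISHED,1280,chrome.exe,2024-01-15 13:59:30.000000 UTC
0,0xe0001235a070,TCPv4,10.0.4.23,49900,192.0.2.200,5938,ESTABLISHED,7777,TeamViewer.exe,2024-01-15 14:02:03.000000 UTC
"""

# Address space treated as "inside" the client's network. Adjust per engagement;
# RFC 1918, loopback, link-local and unspecified are a sane default. Defined
# explicitly rather than via ipaddress.is_private, which would also swallow the
# documentation ranges used as stand-ins above.
INTERNAL_NETS = [ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "0.0.0.0/8", "::1/128", "fe80::/10", "fc00::/7",
)]


def is_internal(addr: str) -> bool:
    """True for internal/loopback/unspecified addresses and for the '*' or
    empty value netscan prints for unbound sockets (no remote endpoint)."""
    try:
        ip = ip_address(addr)
    except ValueError:
        return True
    return any(ip in net for net in INTERNAL_NETS)  # v4/v6 mismatch is simply False


def parse_netscan_csv(text: str) -> list[dict]:
    """Parse the CSV renderer output into dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def triage_connections(rows: list[dict]) -> list[dict]:
    """ESTABLISHED connections whose foreign end is outside INTERNAL_NETS,
    oldest first (the Created column sorts correctly as text)."""
    hits = [r for r in rows
            if r["State"] == "ESTABLISHED" and not is_internal(r["ForeignAddr"])]
    return sorted(hits, key=lambda r: r["Created"])


def group_by_process(hits: list[dict]) -> dict[str, list[str]]:
    """Summarise remote endpoints per owning process for the report."""
    by_proc: dict[str, list[str]] = defaultdict(list)
    for r in hits:
        by_proc[f"{r['Owner']} (PID {r['PID']})"].append(
            f"{r['ForeignAddr']}:{r['ForeignPort']} since {r['Created']}")
    return dict(by_proc)


if __name__ == "__main__":
    found = triage_connections(parse_netscan_csv(SAMPLE_NETSCAN_CSV))
    for proc, endpoints in group_by_process(found).items():
        print(proc)
        for endpoint in endpoints:
            print("   ", endpoint)
```

On the constructed sample this reports OneDrive.exe, putty.exe and TeamViewer.exe and drops the SMB session to an internal file server, the listeners, the unbound UDP socket and the loopback connection. Treat the output as a starting point for the timeline, not a finding: the process name comes from the pool scan and should be cross-checked against `windows.pslist` and `windows.cmdline` for the same PID.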
Rekall is an alternative with similar capabilities, and you may still encounter images or reports produced with it, but the project is no longer actively maintained. Volatility 3 has the broader plugin support for modern Windows versions and is the practical choice for new work.
For encryption key extraction, targeted tools parse memory images for AES key candidates. They come in two kinds: product-specific plugins (such as the community BitLocker plugin for Volatility) that walk the encryption driver’s own structures, and generic key-schedule scanners (aeskeyfind, findaes) that find any AES key whose expanded round keys sit in memory, regardless of product, and leave you to attribute the key to a volume. This is specialized work. Know the tool and its limitations before presenting findings in court.
Admissibility Considerations
RAM capture evidence in civil proceedings faces predictable challenges. Knowing them ahead of time lets you address them in your report rather than under cross-examination.
Chain of custody. Hash the memory image immediately after capture using SHA-256, and hash the acquisition tool binary you ran as well. Document who performed the capture, when, on what system, and using what tool version. This is the same chain-of-custody process you’d follow for any digital evidence; volatile memory is no different once it is on disk.
Contemporaneous documentation. Time-stamp your acquisition notes. If you’re working under a preservation order, make sure your capture timing falls within the ordered preservation window and document that clearly.
The “contamination” argument. Opposing counsel may argue that running acquisition software contaminated the evidence. Your response: document exactly what changed, explain that no tool can capture memory without running on the system, and note that your documentation allows the effect to be evaluated. Courts have accepted this reasoning consistently when the examiner has documented the process properly.
Expert qualification. Memory forensics is specialized. If you’re testifying about memory analysis, expect voir dire on your specific experience with memory capture and analysis tools, not just general digital forensics. CFCE holders should document their memory forensics-specific work experience separately from general disk forensics.
For cases where RAM evidence connects to broader device analysis, the [corporate espionage case study on logical acquisition](/corporate-espionage-logical-acquisition/) demonstrates how volatile memory fits into a complete forensic timeline.
Practical Acquisition Checklist
Before you touch the machine:
- [ ] Confirm legal authority (preservation order, consent, court order)
- [ ] Photograph the screen and document current state
- [ ] Note system time vs. known accurate time (clock drift matters)
- [ ] Prepare external media for capture output
- [ ] Select acquisition tool and verify tool version/hash
During acquisition:
- [ ] Run acquisition tool from external media if possible
- [ ] Direct output to external media, not local disk
- [ ] Document exact start and end times
- [ ] Note any error messages or interruptions
After acquisition:
- [ ] Immediately hash the memory image (SHA-256)
- [ ] Document the hash in your acquisition log
- [ ] Verify the hash matches before transporting media
- [ ] Begin analysis on a copy, not the original
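The after-acquisition steps above (hash immediately, record the hash and the tool, verify before transporting, work on a copy) are easy to do inconsistently under time pressure, so it is worth scripting them. The following is an added example written for this guide, not part of any acquisition tool: run from your examiner workstation or the external media after the capture tool has finished, it hashes the image and the tool binary in streaming fashion, writes a JSON acquisition log beside the image with UTC start and finish times and the target’s clock offset against your reference clock, and re-verifies the image against that log (the check to run before the media leaves the room, and again before analysis). The `demo()` function is a constructed walk-through using a three-byte stand-in for the image and a stand-in file named `acquire.exe` in place of the real tool.

```python
"""Hash, log and re-verify a captured memory image (chain-of-custody helper).

Added example for the acquisition checklist; not part of the original guide or
of any vendor tool. Assumes the capture tool has already written the image to
external media. The tool name in demo() is a placeholder.
"""
import hashlib
import json
import os
import platform
import tempfile
from datetime import datetime, timedelta, timezone

CHUNK = 1 << 20  # read 1 MiB at a time; images are tens of GB, never read them whole


def sha256_file(path: str) -> str:
    """Streaming SHA-256 of a file of any size."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def log_path_for(image_path: str) -> str:
    return image_path + ".acquisition.json"


def write_acquisition_log(image_path, tool_path, examiner, started, finished,
                          target_clock, reference_clock, notes=""):
    """Write <image>.acquisition.json beside the image and return its contents.
    `target_clock` is what the target's clock showed at the instant your trusted
    `reference_clock` was read; the offset is stored so timestamps recovered from
    memory can be corrected later."""
    log = {
        "examiner": examiner,
        "acquisition_host": platform.node(),
        "tool": {"path": tool_path, "sha256": sha256_file(tool_path)},
        "image": {
            "path": image_path,
            "size_bytes": os.path.getsize(image_path),
            "sha256": sha256_file(image_path),
        },
        "started_utc": started.isoformat(),
        "finished_utc": finished.isoformat(),
        "target_clock_offset_seconds": (target_clock - reference_clock).total_seconds(),
        "notes": notes,
    }
    with open(log_path_for(image_path), "w") as f:
        json.dump(log, f, indent=2)
    return log


def verify_image(log_path: str) -> tuple:
    """Re-hash the image named in the log; returns (match, expected, actual)."""
    with open(log_path) as f:
        log = json.load(f)
    expected = log["image"]["sha256"]
    actual = sha256_file(log["image"]["path"])
    return actual == expected, expected, actual


def demo(work_dir: str = "") -> dict:
    """Constructed walk-through: stand-in image and tool, logged, verified,
    then altered by one byte and re-verified to show the check catching it."""
    work_dir = work_dir or tempfile.mkdtemp(prefix="ramcap-")
    image = os.path.join(work_dir, "memdump.raw")
    tool = os.path.join(work_dir, "acquire.exe")  # placeholder tool name
    with open(image, "wb") as f:
        f.write(b"abc")  # stand-in for gigabytes of captured memory
    with open(tool, "wb") as f:
        f.write(b"stand-in for the acquisition tool binary")
    started = datetime(2024, 1, 15, 14, 3, 0, tzinfo=timezone.utc)
    finished = started + timedelta(minutes=6)
    log = write_acquisition_log(
        image, tool, "J. Examiner", started, finished,
        target_clock=started + timedelta(seconds=95),  # target clock ran 95 s fast
        reference_clock=started,
        notes="Tool run from USB media; output written to external SSD.")
    verified_before = verify_image(log_path_for(image))[0]
    with open(image, "ab") as f:
        f.write(b"\x00")  # simulate alteration or media corruption in transit
    verified_after = verify_image(log_path_for(image))[0]
    return {
        "image_sha256": log["image"]["sha256"],
        "clock_offset_seconds": log["target_clock_offset_seconds"],
        "verified_before": verified_before,
        "verified_after_alteration": verified_after,
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Keep the JSON log with the image and quote its values (tool hash, image hash, offset) verbatim in the report; a reviewer can then recompute every number in it from the media alone.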
Frequently Asked Questions
Can RAM capture be done remotely, or does it require physical access?
Remote memory acquisition is technically possible in specific circumstances — primarily when you have administrative access to a running machine via legitimate remote management tools. Tools like F-Response facilitate remote memory acquisition over a network. However, remote acquisition introduces additional complexity: you must document the network path, authenticate the connection, and account for any network-level artifacts. In most civil investigations, physical access provides a cleaner acquisition with less challenge surface. If remote acquisition is necessary, get explicit legal authorization covering remote access specifically.
What happens if the machine hibernates or sleeps during capture?
A proper hibernation writes the contents of RAM to a hibernation file (`hiberfil.sys` on Windows). Sleep does not: in sleep the RAM stays powered and nothing is written, so if power is lost the contents are gone. If you missed the live capture window, examining the hibernation file can sometimes recover memory contents from the most recent hibernation. Windows Fast Startup also writes a hibernation file at an ordinary shutdown, but that one holds only the kernel session, not user processes. This isn’t a perfect substitute, since the file is a point-in-time snapshot and won’t contain everything a live capture would, but it’s worth examining when live capture wasn’t possible. Recent Volatility 3 releases read hibernation files directly; older workflows converted them to a raw image first (Volatility 2’s `imagecopy` or a standalone converter).
How much storage space does a RAM image require?
The raw image is at least as large as the installed RAM, and often somewhat larger, because an image of physical memory also spans the address ranges reserved for devices above the installed DRAM. A system with 16GB of RAM produces a roughly 16GB image file; a 32GB system, roughly 32GB. Plan your external media accordingly, leave headroom, and ensure you have room for both the image and working space for analysis, plus the pagefile and hibernation file if you collect those too. Two practical traps: a FAT32-formatted drive cannot hold a file larger than 4GB, so format the capture media as exFAT or NTFS, and a large capture over USB can take an hour or more, during which the machine must stay up. For large-RAM systems (128GB servers), capture logistics require advance planning.
Does RAM capture capture the contents of encrypted drives?
Possibly, and this is one of the primary reasons to pursue RAM capture. If a machine uses full-disk encryption (BitLocker, VeraCrypt, FileVault) and the volume was unlocked and mounted at the moment of capture, the volume key will be present in RAM. Analysis with the community `bitlocker` plugin for Volatility or a generic AES key-schedule scanner can recover these keys. Success depends on the encryption product and OS version (the in-memory structures change between releases), on the volume actually being unlocked when you captured, and on the quality of the capture itself (pages the tool could not read are pages you cannot search). Document your methodology carefully, because key extraction from memory is an area where opposing experts will probe your analysis.
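To make the key-extraction claim concrete, here is the generic technique behind the scanners mentioned in the "Analyzing What You Captured" section and in this answer, as an added example that is not part of the original guide, of Volatility, or of any vendor tool. A running AES implementation keeps not just the 16- or 32-byte key in RAM but the full expanded round-key schedule (176 bytes for AES-128, 240 for AES-256) that it derives from the key, usually directly after it. That schedule is a deterministic function of the key, so the scanner treats the bytes at every offset as a candidate key, derives the schedule, and reports a hit only when the derived bytes match what is in memory; random data almost never matches 160 or more derived bytes, so false positives are negligible. The memory image below is constructed: seeded pseudo-random filler with two schedules planted at known offsets, using the FIPS-197 example keys. Everything else (the S-box derivation, the expansion, the prefilter) is the standard algorithm.

```python
"""Find AES keys in a memory image by locating their expanded key schedules.

Added example (the technique used by generic scanners such as aeskeyfind and
findaes); not part of the original guide or of any named tool. The sample
image is constructed with the FIPS-197 example keys planted at known offsets.
"""
import random

RCON = (0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36)


def _gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p


def _build_sbox() -> list:
    """Derive the AES S-box (field inverse, then the affine map) instead of
    embedding the 256-entry table; 0 maps to 0x63 by definition."""
    sbox = [0] * 256
    for x in range(256):
        inv = next((y for y in range(1, 256) if _gf_mul(x, y) == 1), 0) if x else 0
        s = inv
        for i in range(1, 5):
            s ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
        sbox[x] = s ^ 0x63
    return sbox


SBOX = _build_sbox()


def expand_key(key: bytes) -> bytes:
    """FIPS-197 key expansion for AES-128/192/256: the full round-key schedule."""
    nk = len(key) // 4
    if nk not in (4, 6, 8):
        raise ValueError("AES keys are 16, 24 or 32 bytes")
    w = [list(key[4 * i:4 * i + 4]) for i in range(nk)]
    for i in range(nk, 4 * (nk + 7)):             # 4 * (Nr + 1) words, Nr = nk + 6
        t = list(w[i - 1])
        if i % nk == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]  # SubWord(RotWord(t))
            t[0] ^= RCON[i // nk - 1]
        elif nk > 6 and i % nk == 4:
            t = [SBOX[b] for b in t]              # AES-256's extra SubWord step
        w.append([w[i - nk][j] ^ t[j] for j in range(4)])
    return bytes(b for word in w for b in word)


def _first_derived_word(cand: bytes, nk: int) -> bytes:
    """Cheap prefilter: only word nk of the schedule, before expanding fully."""
    last = cand[4 * nk - 4:4 * nk]
    t = [SBOX[b] for b in last[1:] + last[:1]]
    t[0] ^= RCON[0]
    return bytes(cand[j] ^ t[j] for j in range(4))


def find_aes_keys(image: bytes, key_sizes=(16, 32)) -> list:
    """Every offset whose bytes are an AES key immediately followed by its own
    expanded schedule. Returns [{offset, key_bits, key}] in offset order."""
    hits = []
    for size in key_sizes:
        nk = size // 4
        sched_len = 16 * (nk + 7)                 # 176 bytes (AES-128) or 240 (AES-256)
        for off in range(len(image) - sched_len + 1):
            cand = image[off:off + size]
            if image[off + size:off + size + 4] != _first_derived_word(cand, nk):
                continue                          # 4-byte check rejects nearly everything
            if expand_key(cand) == image[off:off + sched_len]:
                hits.append({"offset": off, "key_bits": size * 8, "key": cand.hex()})
    return sorted(hits, key=lambda h: h["offset"])


# FIPS-197 Appendix A example keys, planted into the constructed image below.
KEY_128 = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")
KEY_256 = bytes.fromhex("603deb1015ca71be2b73aef0857d77811f352c073b6108d72d9810a30914dff4")


def build_sample_image(size: int = 8192) -> bytes:
    """Constructed image: seeded filler with schedules planted at 1000 and 3000."""
    rng = random.Random(7)
    buf = bytearray(rng.getrandbits(8) for _ in range(size))
    sched = expand_key(KEY_128)
    buf[1000:1000 + len(sched)] = sched
    sched = expand_key(KEY_256)
    buf[3000:3000 + len(sched)] = sched
    return bytes(buf)


if __name__ == "__main__":
    for hit in find_aes_keys(build_sample_image()):
        print(f"offset 0x{hit['offset']:x}: AES-{hit['key_bits']} key {hit['key']}")
```

Two caveats for real images. A generic scan tells you that an AES key was live, not which volume it belongs to; attributing it means either trying candidates against the volume (XTS modes, which BitLocker and VeraCrypt use on current versions, need two keys) or using a product-specific plugin that parses the driver’s structures. And on a multi-gigabyte image this pure-Python loop is slow; the published scanners do the same check in C, but the logic is exactly what is shown here.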
What’s the legal threshold for RAM capture in a civil matter?
RAM capture follows the same legal framework as other forms of digital acquisition in civil litigation. You need one of: a court-ordered preservation order that specifically covers volatile data, written consent from the data owner, or — in employment matters — a company policy that explicitly covers volatile memory on company-owned devices. “I had access to the machine” is not sufficient authorization on its own. Before you capture RAM, have your legal authority documented in writing, and make sure that authority covers active acquisition (not just preservation of existing data). When in doubt, consult with counsel before proceeding.