Capture RAM Using Oxygen Forensic® KeyScout

by

RAM (Random Access Memory) is used to temporarily store working data or code on an active computer. RAM is a snapshot of a live running system and can be captured before the system is shut down. While capturing RAM, investigators and incident responders must bear in mind that it will lead to a change in the state of the system. These changes can include:

  • Overwrite of memory for application processing.
  • KeyScout will appear in Most Recently used.

RAM analysis will give investigators and incident responders great insight into the running system processes, including processes used by malware. Overall, the contents of RAM may include the following artifacts:

  • Evidence of malware intrusion
  • Loaded DLLs
  • Loaded device drivers
  • Open registry keys
  • Command history
  • Network connections
  • Passwords to encrypted volumes and app accounts
  • Encryption keys
  • Decrypted files and keys
  • IP addresses
  • Chats, emails and internet history

To capture RAM with Oxygen Forensic® Detective, investigators will need to use the built-in Oxygen Forensic® KeyScout utility. It has the smallest possible footprint and requires no installation.

It’s important to note that maintaining a small footprint without installation helps obtain the most amount of RAM for analysis of the Windows 10 environment. This means investigators will now have access to the full scope of data with Oxygen Forensic® KeyScout.

How it’s done:

Locate Oxygen Forensic® KeyScout on the Home screen of Oxygen forensic® Detective and copy it to a USB drive.


Get The Latest DFIR News

Join the Forensic Focus newsletter for the best DFIR articles in your inbox every month.

Unsubscribe any time. We respect your privacy - read our privacy policy.


Start Oxygen Forensic® KeyScout on a subject’s computer.

RAM dump can only be created with elevated privileges, such as Admin rights, so before proceeding, the investigator must press the Elevate button on the KeyScout Home screen.

Once you are made Admin, press the “Capture RAM” button to start capturing data.  It should be noted, the medium that will hold the data must be of sufficient size.

The utility will then prompt a screen to select the folder in which the dump will be saved.

Once a folder is chosen, RAM capture will start and the progress will be shown in the Memory tab.

The memory (RAM) dump will be created in Raw format that can later be examined by available open-source tools, like Volatility. RAM analysis will be added in a later version of Oxygen Forensic® Detective.

For more information regarding additional capabilities of Oxygen Forensic® KeyScout, read our digital brochure.

Leave a Comment

Latest Videos

Forensic Focus

Forensic Focus
Read more at https://www.forensicfocus.com/news/digital-forensics-round-up-june-12-2024/

Read more at https://www.forensicfocus.com/news/digital-forensics-round-up-june-12-2024/

YouTube Video UCQajlJPesqmyWJDN52AZI4Q_Y0l5zX5r21s

Digital Forensics News Round-Up, June 12 2024 #dfir #digitalforensics

Forensic Focus 12th June 2024 5:51 pm

Read more at https://www.forensicfocus.com/news/digital-forensics-round-up-june-12-2024/

Read more at https://www.forensicfocus.com/news/digital-forensics-round-up-june-12-2024/

YouTube Video UCQajlJPesqmyWJDN52AZI4Q_75IyoRoydjM

Digital Forensics News Round-Up, June 12 2024 #dfir #digitalforensics

Forensic Focus 12th June 2024 5:39 pm

Internal investigations and eDiscovery face rising challenges in the data collection landscape. There is an urgent need to preserve and analyze data; rising costs for server infrastructure and overhead and the increasing complexity and volume of data from emerging sources is overwhelming. Laptops, computers, phones, tablets, cloud sources, and messaging applications – data is stored anywhere and everywhere with employee communications being the riskiest data sources. The scope and specific challenges of data collection affect organizations and law firms differently, presenting a need for a variety of solutions to best fit their needs. With Cellebrite’s suite of SaaS (Software-as-a-Service) cloud-based collection solutions, corporate investigators and eDiscovery practitioners can close investigations and get to review faster. Cellebrite's market-leading SaaS based solutions minimize business disruption and save organizations money by: - Eliminating the need for large upfront costs and maintenance expenses - Minimizing overhead costs without hosting the solution, no hardware shipping, and no technical calls for assistance - Minimal and predictable data collection costs, allowing you to scale your usage according to your specific needs and budgetary considerations - Stay up to date with continuous updates to data sources with updates pushed to the Cellebrite cloud - Close investigations and review discovery faster with cloud-based innovation - Manage customer requests and provide transparency throughout your organization across the globe Watch Cellebrite's webinar where Monica Harris, Product Business Manager, showcases how Cellebrite’s range of SaaS-based solutions have you covered whether you need remote collection across all devices, including computers, cloud sources, chat applications, and mobile devices or full-file system advanced collection capabilities across the widest range of mobile devices and applications.

Internal investigations and eDiscovery face rising challenges in the data collection landscape. There is an urgent need to preserve and analyze data; rising costs for server infrastructure and overhead and the increasing complexity and volume of data from emerging sources is overwhelming. Laptops, computers, phones, tablets, cloud sources, and messaging applications – data is stored anywhere and everywhere with employee communications being the riskiest data sources.

The scope and specific challenges of data collection affect organizations and law firms differently, presenting a need for a variety of solutions to best fit their needs. With Cellebrite’s suite of SaaS (Software-as-a-Service) cloud-based collection solutions, corporate investigators and eDiscovery practitioners can close investigations and get to review faster.

Cellebrite's market-leading SaaS based solutions minimize business disruption and save organizations money by:

- Eliminating the need for large upfront costs and maintenance expenses
- Minimizing overhead costs without hosting the solution, no hardware shipping, and no technical calls for assistance
- Minimal and predictable data collection costs, allowing you to scale your usage according to your specific needs and budgetary considerations
- Stay up to date with continuous updates to data sources with updates pushed to the Cellebrite cloud
- Close investigations and review discovery faster with cloud-based innovation
- Manage customer requests and provide transparency throughout your organization across the globe

Watch Cellebrite's webinar where Monica Harris, Product Business Manager, showcases how Cellebrite’s range of SaaS-based solutions have you covered whether you need remote collection across all devices, including computers, cloud sources, chat applications, and mobile devices or full-file system advanced collection capabilities across the widest range of mobile devices and applications.

YouTube Video UCQajlJPesqmyWJDN52AZI4Q_SE7Cl5jkigk

Maximising Data Collection With SaaS Innovations

Forensic Focus 10th June 2024 12:42 pm

Load More... Subscribe
This error message is only visible to WordPress admins

Important: No API Key Entered.

Many features are not available without adding an API Key. Please go to the YouTube Feeds settings page to add an API key after following these instructions.

Latest Articles

Semantics 21: Advancing AI For Victim Identification
News

Semantics 21: Advancing AI For Victim Identification

BySemantics21Jun 13, 2024
Detego Global Announces Strategic Partnership With Connection To Deliver Cutting-Edge DFIR Solutions
News

Detego Global Announces Strategic Partnership With Connection To Deliver Cutting-Edge DFIR Solutions

ByDetego Digital ForensicsJun 13, 2024
Challenges Of DFIR In Distroless And Other Container Environments
News

Challenges Of DFIR In Distroless And Other Container Environments

ByCado SecurityJun 13, 2024
Digital Forensics Round-Up, June 12 2024
News

Digital Forensics Round-Up, June 12 2024

ByForensic FocusJun 12, 2024
Forensics Europe Expo (FEE) 2024
News

Forensics Europe Expo (FEE) 2024

ByForensic FocusJun 11, 2024
Maximising Data Collection With SaaS Innovations
Webinars

Maximising Data Collection With SaaS Innovations

ByCellebriteJun 10, 2024