How to capture RAM with Forensic Tool Kit, Strings, and Photorec

Let’s Start with FTK Imager

Step 1: Go to AccessData’s website and download FTK Imager Lite. If you want portability, install FTK Imager Lite on a thumb drive; you will usually need about 16 GB or more, depending on the size of the RAM capture (for example, if your computer has 4 GB of RAM you will need an 8 GB thumb drive).

(Click on the last option)

Step 2: Once you have downloaded FTK Imager, open it and click on the little RAM icon (Capture Memory). In the capture dialog, choose the destination path, keep the file name memdump.mem, and tick the option to include the pagefile so that pagefile.sys is captured as well.

(Screenshot: FTK Imager memory capture)

Step 3: Once you have selected the destination path where the files will be saved, capture the memory. (Note: if you’re actually doing an investigation, save it to a thumb drive rather than to the machine being examined.)

Step 4: Once you’re done with this you have successfully captured forensic evidence. From here, transport those files to a Linux machine or a virtual machine running Kali OS or Parrot OS, because those distributions already ship the tools and you won’t have to install anything. If you’re on Ubuntu, Mint or any other distro, run “sudo apt-get install binutils” (which provides strings) and “sudo apt-get install testdisk” (which provides photorec). If you’re not familiar with Linux, you can install Windows versions of these programs from the links below.

https://docs.microsoft.com/en-us/sysinternals/downloads/strings

https://www.cgsecurity.org/wiki/PhotoRec

Step 5: Calculate the MD5 or SHA-1 hash of each captured file (md5sum or sha1sum) and keep the values, so the integrity of your evidence can be verified later.

Next Up – The Strings Command

Step 6: Now run the strings command: “strings memdump.mem > memdump.strings”. This extracts every run of human-readable ASCII characters from the file and writes them to a text file. The process is the same for pagefile.sys: “strings pagefile.sys > pagefile.strings”.

(Screenshot: strings command)

Step 7: Now you can look at the evidence with your favorite text editor. I used vim, so the command is “vim memdump.strings”. A quick tip: in vim, press “/” to search. (In this instance I was looking for the keyword bomb and found evidence of a search.) Do this for both files; once you’re done, we can move on to photorec.
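The hashing in Step 5 and the strings extraction and keyword search in Steps 6 and 7, as an added example that is not part of the original post: a small Python script with the same logic as md5sum/sha1sum and strings, run against a constructed stand-in for memdump.mem (the file name is assumed from the post) so it works offline.

```python
import hashlib
import re
from pathlib import Path


def hash_bytes(data: bytes) -> dict:
    """MD5 and SHA-1 of an in-memory buffer (Step 5)."""
    return {"md5": hashlib.md5(data).hexdigest(), "sha1": hashlib.sha1(data).hexdigest()}


def hash_file(path: Path, chunk: int = 1 << 20) -> dict:
    """Same digests for an on-disk dump, read in 1 MiB chunks so a multi-GB image fits in RAM."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            md5.update(block)
            sha1.update(block)
    return {"md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def verify_bytes(data: bytes, recorded: dict) -> bool:
    """True only if both digests still match what was recorded at capture time."""
    return hash_bytes(data) == recorded


def extract_strings(data: bytes, min_len: int = 4) -> list:
    """Mimic `strings`: (byte offset, text) for each printable-ASCII run of min_len or more."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in pattern.finditer(data)]


def search_strings(data: bytes, keyword: str) -> list:
    """Step 7 keyword hunt, case-insensitive; the offset lets you find the hit in the raw dump."""
    return [(off, s) for off, s in extract_strings(data) if keyword.lower() in s.lower()]


def build_sample_dump() -> bytes:
    """Constructed stand-in for memdump.mem: binary noise around two readable fragments."""
    return (b"\x00\xff\x10" * 16 + b"browser search: bomb"
            + b"\x00" * 8 + b"notepad.exe" + b"\x01\x02")


if __name__ == "__main__":
    dump = Path("memdump.mem")  # assumed file name, taken from the post
    dump.write_bytes(build_sample_dump())
    recorded = hash_file(dump)  # write these values down with the evidence
    print(recorded)
    print("intact:", verify_bytes(dump.read_bytes(), recorded))
    for off, text in search_strings(dump.read_bytes(), "bomb"):
        print(f"{off:#010x}  {text}")
```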

Using Photorec

Step 8: Next, run photorec on the capture: “photorec memdump.mem” (do this for both files; the process is the same).

Step 9: Navigate Photorec’s interface to get the evidence.

Step 9.1: Press Enter

Step 9.2: Select File Opt (to unselect all file types press “s”, and once you’re done press “b” to save your settings). The file types I selected were text, jpeg, png, gif and docx (choose wisely depending on what you’re looking for). Now press b to save and then q to quit.

Step 9.3: Now you can search! Just press enter.

(Screenshot: Photorec output) Your evidence is written into numbered folders (recup_dir.1, recup_dir.2, …) like the ones shown. Inside the folders are files that contain evidence.

Here’s an example of the evidence recovered (this is the suspect’s motive). You may also recover images; if you do, you can run a reverse image search with https://www.tineye.com/

Step 10: You have now finished capturing forensic evidence; just remember to do the same for pagefile.sys in photorec. Also, please comment below to let me know what you think or if you have any questions!

1 comment
  1. This is the perfect website for everyone who hopes to understand this topic.

    You know so much it’s almost tough to argue
    with you (not that I really would want to…HaHa).
    You certainly put a fresh spin on a subject that has been discussed for many years.
    Great stuff, just great!
