Welcome back. Today we're going to be talking about memory acquisition in Windows. So here I have my forensic workstation, but we will pretend this is a suspect workstation, and I want to collect memory from the suspect workstation while it's on. Remember, once you shut the system off, most of the data in RAM will be gone very quickly. So it's not best to shut the system down and then collect memory, unless you can do it really quickly, and you usually need some specialty equipment to do that. So normally we collect memory from a suspect device while it is running and it's on. To collect memory from this Windows system I'm going to use FTK Imager again, just because FTK Imager is very easy to use, especially for memory acquisition. So let's say that I have this external USB stick that contains all of my forensic tools, including FTK Imager. I insert my forensic USB drive into the suspect system, and I have some designated storage place to save the memory image from the suspect device. I do not want to save the memory image back onto the suspect's computer, especially to the hard drive, because that could overwrite some traces. I need to save it to an external device. Okay, so now when we open up FTK Imager inside the suspect system, go to File and Capture Memory, and you're only presented with a few options. The first is the destination path. So I need to specify the destination path. We already had a cases folder created; imagine that this cases folder is on my external USB drive. So it's case 001, and I want to put it inside my images folder. Our device 001 was a USB thumb drive from the suspect. Because I want to capture memory from an actual computer, which is not related to the thumb drive, I'm going to make a new exhibit or device folder to store my images in.
Okay, so I call it just 002 because it's the second device that I'm acquiring data from. Next is our destination file name. This is actually quite important: we want to name it something relevant to the system that we're acquiring data from. In this case, we're acquiring data from a Windows 10 system, and I happen to know that this is a 64-bit system. But if I didn't know whether it was a 64-bit system, I can right-click on the Start menu and go to System. Now, opening this up will slightly change memory, so I want to reduce the amount of interaction I have with this computer as much as possible. But this tells me some important things that I need to know. First off: Windows 10 Pro, system type 64-bit operating system, and it has six gigabytes of memory. That's basically the kind of information I need: Windows 10 Pro, 64-bit operating system, six gigabytes of memory. So I'm going to go ahead and close that. So: Windows 10, and I'm going to add Pro, 64-bit or x64, and then I'll say 6 GB, which is the amount of memory that I'm expecting. Okay, so now I can also include the page file. The page file is basically a file on the hard drive that the computer uses to pretend that it has more memory; in the lecture we will go into a little more detail about what the page file does. I can include that page file, which could potentially have some very interesting data in it, just like data that would be in RAM. But because I know in this case I'm going to collect the hard drive with it, and there's no encryption, I can get this page file later. So I'm not going to worry about that right now. Then there is "Create AD1 file". I'm also not going to create an AD1 file for this; I'm just going to use a raw memory image. Okay, so that's pretty much it for our options for capturing memory using FTK Imager.
If I click Capture Memory, now it's going to go. We see that it's dumping RAM and it detected six gigabytes of RAM, so that's exactly what I was expecting. This is the folder: we're saving it in our cases folder, 001, images, 002, so our second device, and then the file itself, Windows 10 Pro x64 6GB, with a .mem extension. Now, if I collected the hard disk image, then I would probably also put it inside 002, and I would say "hard disk" or something like that. Then 002 would basically represent this entire computer, both the memory and the hard drive that's associated with it; 001 was a separate USB stick. Okay, so we're copying memory now, and it is relatively fast whenever we copy memory. If we go into our images folder, I can now see 002 and this memory file, and it's copying out right now; we have about four gigabytes copied. Okay, now notice one thing I did not do: I did not make a hash of RAM before I started copying memory. If we're dealing with physical disk images, if we're copying a hard drive, the hard drive should not be changing, right? Once we have the hard drive out of the computer, the data on the hard drive should no longer change. So I can make a hash value of the hard drive before I make an image, and after I make an image, compare those hash values, and they should be the same because the hard drive won't change. In this case with memory, memory is constantly changing. So if I made a hash value of memory before I made the image, the hash values would definitely be different, right? So now that the memory capture has finished successfully, click Close, and that's pretty much it for FTK Imager. I would close that, and then we have our memory image on our external storage device, not on the suspect system. I've already calculated a hash value of a different memory image, just to make things a little bit faster here.
I used md5sum on my Windows 10 Pro 64-bit six gigabyte image, and I got this hash value. Now that I have this memory image, the data inside this file should not change. Basically, this data and this hash value should be the hash value that the court receives, and they should be able to verify that hash value. But this is really the first time that I can make any hash value of significance from a memory image. So let's just go ahead and do this again: after I calculate the hash value of this memory image, this hash value should never change in the course of the entire investigation. So now that I've collected this memory image, I would most likely eject my USB drive and then make a copy of this memory image, probably archive one of the copies onto a DVD or maybe a backup server or something like that. Then I would only work with my copy, because I will never have the opportunity to get another copy of RAM. Even if I mess up this memory image, I will never be able to get the same data in a memory image ever again, because this computer has already changed. So it's very important to work with copies whenever you're dealing with memory images. And here we go. So now I have this hash value for Windows 10 Pro x64 6GB, and this MD5 hash value from now on in my case should always remain the same every time I hash a copy of this memory image. So that's pretty much it for copying memory in Windows. I tend to use FTK Imager because it works really well; it's quite reliable for doing memory acquisitions in Windows, and it's also very easy to do. It still gives you the ability to copy, for example, the page file and things like that. In Linux, I tend to use command line tools, but in Windows, so far, I'm quite happy with FTK Imager. So that's it for today. Thank you very much.
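The hashing step from the lecture, as an added shell example that is not part of the original lesson: record the first hash of the memory image as the case reference, then verify working copies against it. It assumes a POSIX shell with md5sum and sha256sum (GNU coreutils) on the forensic workstation; the sample image it creates is a constructed stand-in for the real .mem file.

```shell
#!/bin/sh
# Added example, not from the lecture. RAM itself cannot be hashed before
# capture, so the first hash of the image file is the value that must stay
# the same for the rest of the case. Assumes GNU coreutils md5sum/sha256sum.

# record_image_hashes IMAGE
# Writes IMAGE.md5 and IMAGE.sha256 beside the image and prints the MD5.
# The lecture uses MD5; the SHA-256 sidecar is an added, stronger companion.
record_image_hashes() {
    img="$1"
    [ -f "$img" ] || { echo "no such image: $img" >&2; return 1; }
    md5sum "$img" > "$img.md5"
    sha256sum "$img" > "$img.sha256"
    cut -d' ' -f1 "$img.md5"
}

# verify_copy COPY REFERENCE_MD5_FILE
# Re-hashes a working copy and compares it with the recorded reference
# (compared by digest only, so the copy may live under a different path).
# Returns 0 when the copy is identical to the original image.
verify_copy() {
    copy="$1"
    ref="$2"
    expected=$(cut -d' ' -f1 "$ref")
    actual=$(md5sum "$copy" | cut -d' ' -f1)
    [ "$expected" = "$actual" ]
}

# demo: walk through record, copy, verify, and detect an altered copy.
demo() {
    work=$(mktemp -d)
    img="$work/Windows10Pro-x64-6GB.mem"           # hypothetical file name
    printf 'constructed sample, not real RAM\n' > "$img"
    record_image_hashes "$img" > /dev/null
    cp "$img" "$img.working"
    verify_copy "$img.working" "$img.md5" && echo "working copy matches reference"
    printf 'x' >> "$img.working"                    # simulate accidental change
    verify_copy "$img.working" "$img.md5" || \
        echo "working copy altered: discard it and re-copy from the archive"
    rm -rf "$work"
}

demo
```

Keep the .md5 and .sha256 sidecars with the archived copy, since they are what anyone (including the court) re-checks later.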