Preparing for Windows memory acquisition
Before we start to work with the imaging tools, we need to prepare a couple of things. Firstly, you need to find a flash drive that you will use to store both the tool itself and the created memory dump, so make sure it has enough space. Secondly, you need to sanitize it. This means that you need to forensically wipe the drive.
Important note
During the standard deletion process, the metadata related to the deleted files is changed and the space where these files are located is marked as available for reuse. In other words, after deletion, the content of the files still resides on the drive and can be recovered. The formatting process is quite similar: certain master files are rewritten, but information can still be obtained from the drive. Thus, to delete files securely, you need to overwrite the content with zeros or random data.
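The difference between deletion and wiping described in the note, shown as an added example that is not from the original text: a metadata-only "deletion" leaves the content recoverable, while a zero-fill pass followed by a verification scan does not. The function names (`zero_fill`, `first_nonzero_offset`, `demo`) and the 64 KiB image are constructed for illustration, and the code assumes a path (image file or raw device) where seeking to the end reports the size.

```python
import os
import tempfile

CHUNK = 1024 * 1024  # read/write 1 MiB at a time


def zero_fill(path, chunk=CHUNK):
    """Overwrite every byte of an existing image file or device with zeros."""
    with open(path, "r+b") as dev:
        size = dev.seek(0, os.SEEK_END)  # assumes seeking to the end reports the size
        dev.seek(0)
        zeros = bytes(chunk)
        remaining = size
        while remaining > 0:
            n = min(chunk, remaining)
            dev.write(zeros[:n])
            remaining -= n
        dev.flush()
        os.fsync(dev.fileno())  # ask the OS to flush the zeros to the storage device
    return size


def first_nonzero_offset(path, chunk=CHUNK):
    """Return the offset of the first non-zero byte, or None if fully wiped."""
    offset = 0
    with open(path, "rb") as dev:
        while block := dev.read(chunk):
            rest = block.lstrip(b"\x00")
            if rest:
                return offset + len(block) - len(rest)
            offset += len(block)
    return None


def demo():
    # Constructed 64 KiB "drive": a metadata entry at 0, file content at 4096.
    image = bytearray(64 * 1024)
    image[0:16] = b"ENTRY:report.txt"
    image[4096:4110] = b"secret content"
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(image)
        path = f.name
    try:
        with open(path, "r+b") as f:  # "standard deletion": metadata only
            f.write(bytes(16))
        after_delete = first_nonzero_offset(path)  # content is still there
        wiped = zero_fill(path)
        return after_delete, wiped, first_nonzero_offset(path)
    finally:
        os.remove(path)
```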
To wipe drives, different tools and methods can be used, depending on the type of removable media. We...