It deals with collecting data from system memory (system registers, cache, RAM) in raw form and then carving artifacts out of the raw dump.
| Name | Platform | License | Description |
|------|----------|---------|-------------|
| Volatility | Cross-platform | Open-source | A powerful open-source memory forensics framework for incident response and malware analysis. It is widely used for extracting information from memory dumps of Windows, macOS, and Linux systems. |
| Rekall | Cross-platform | Open-source | Rekall is an advanced memory analysis framework that provides a rich set of features for memory forensics and incident response. It supports various operating systems and is designed for deep memory analysis tasks. |
| Magnet AXIOM | Windows | Commercial | AXIOM is a comprehensive digital forensics platform that includes memory forensics capabilities. It allows investigators to analyze memory artifacts alongside other digital evidence, providing a unified investigation platform. |
| FTK Imager | Windows | Commercial | FTK Imager is a popular digital forensics tool that includes memory analysis capabilities. It allows forensic examiners to acquire and analyze memory dumps, helping in uncovering valuable information during investigations. |
| Autopsy | Cross-platform | Open-source | Autopsy is an open-source digital forensics platform that supports memory analysis in addition to disk forensics. It provides a user-friendly interface and various plugins for in-depth analysis of memory artifacts and other data sources. |
| WinDbg | Windows | Free | WinDbg is a multipurpose debugger for Windows that can also be used for live and kernel-mode memory forensics. It provides powerful debugging and analysis capabilities for Windows memory dumps and crash dump files. |
| Cellebrite UFED | Windows | Commercial | Cellebrite UFED is a leading mobile forensics solution that supports memory extraction from a wide range of mobile devices. It allows investigators to acquire and analyze volatile memory to recover valuable data from mobile devices. |
| Belkasoft RAM Capturer | Windows | Free | Belkasoft RAM Capturer is a free tool for capturing the content of the computer's volatile memory. It is used for memory forensics and supports the analysis of Windows physical memory dumps, hibernation files, and page files. |
| WindowsSCOPE (BlueRISC) | Windows | | |
| varc | | | |
| surge | | | |
| winpmem | | | |
| Lime | | | |
| AVML | | | |
| fmem | | | |
| FEX memory imager | | | |
| Digital collector | | | |
| PCILeech | | | |
memory analysis.
- Volcano – A comprehensive, cross-platform, next-generation memory analysis solution. Volexity Volcano Professional's powerful core extracts, indexes, and correlates artifacts to provide unprecedented visibility into systems' runtime state and trustworthiness.
- Volatility3 – Volatility is the world’s most widely used framework for extracting digital artifacts from volatile memory (RAM) samples.
- MemProcFS – The Memory Process File System (MemProcFS) is an easy and convenient way of viewing physical memory as files in a virtual file system.
- WinDbg – The Windows Debugger (WinDbg) can be used to debug kernel-mode and user-mode code, analyze crash dumps, and examine the CPU registers while the code executes.
- Volatility – The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples.
- Volafox – macOS Memory Analysis Toolkit, developed on Python 2.x. (Deprecated)
- Rekall – A new branch within the Volatility project was created to explore how to make the code base more modular, improve performance, and increase usability. (Deprecated)
- Redline – Redline®, FireEye’s premier free endpoint security tool, provides host investigative capabilities to users to find signs of malicious activity through memory and file analysis and the development of a threat assessment profile.
- Memoryze – Mandiant’s Memoryze™ is free memory forensic software that helps incident responders find evil in live memory. Memoryze can acquire and/or analyze memory images and on live systems can include the paging file in its analysis.
- dwarf2json – Go utility that processes files containing symbol and type information to generate Volatility3 Intermediate Symbol File (ISF) JSON output suitable for Linux and macOS analysis.