Volatile data is information that changes frequently and is usually lost when the computer is powered down. Acquiring this type of information must therefore be done while the equipment is still powered on, which is known as live acquisition.
Volatile data includes information about running processes, network connections, clipboard contents, and data held in memory. This information can be critical to discovering the cause of an incident or to understanding a specific behavior.
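One concrete form the "network connections" part of volatile data takes on a Linux host is the kernel's own connection table, /proc/net/tcp, which disappears with the next reboot. The script below is an added illustration and is not part of this book or of FTK: it parses a constructed sample of that table into readable records, lists listening ports and established sessions, and hashes the raw capture so the snapshot can be verified later. It assumes a little-endian host (the usual x86 case) for the address encoding; the sample rows, the uid and inode values, and the helper names are all constructed for the example.

```python
"""Added example: turn the kernel's /proc/net/tcp table (one of the volatile
artefacts a live acquisition captures) into readable connection records and a
hashed snapshot. Assumes a little-endian Linux host for the address encoding."""
import hashlib
import socket
import struct
from datetime import datetime, timezone
from pathlib import Path

# Kernel TCP state codes as they appear in the 'st' column of /proc/net/tcp.
TCP_STATES = {
    "01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
    "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
    "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING", "0C": "NEW_SYN_RECV",
}

# Constructed sample of a /proc/net/tcp table (not captured from a real host):
# an SSH listener, one outbound HTTPS session owned by uid 1000, and a printing
# service listener bound to loopback.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 18432 1 0000000000000000 100 0 0 10 0
   1: 0A01A8C0:C000 22D8B85D:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 27741 1 0000000000000000 20 4 30 10 -1
   2: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
"""


def decode_endpoint(field):
    """Decode 'AAAAAAAA:PPPP' into (dotted IPv4, port).

    The kernel prints the IPv4 address as a 32-bit value in host byte order,
    so on little-endian machines the octets appear reversed (assumption for
    this example); the port is plain big-endian hex.
    """
    ip_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<L", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Return one dict per connection row, skipping the header line."""
    records = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 10:
            continue  # blank or truncated row
        records.append({
            "local": decode_endpoint(fields[1]),
            "remote": decode_endpoint(fields[2]),
            "state": TCP_STATES.get(fields[3], "UNKNOWN_" + fields[3]),
            "uid": int(fields[7]),
            # Socket inode: on the live host it maps to /proc/<pid>/fd/*,
            # which is how a connection is tied back to a running process.
            "inode": int(fields[9]),
        })
    return records


def listening_ports(records):
    """Sorted list of local ports in LISTEN state: a quick view of exposed services."""
    return sorted(r["local"][1] for r in records if r["state"] == "LISTEN")


def established_peers(records):
    """(remote ip, port, uid) tuples for active sessions, the rows an analyst reviews first."""
    return [(r["remote"][0], r["remote"][1], r["uid"])
            for r in records if r["state"] == "ESTABLISHED"]


def snapshot(text, source="constructed-sample"):
    """Keep the raw table with a UTC timestamp and SHA-256 so the capture is verifiable later."""
    return {
        "source": source,
        "collected_at_utc": datetime.now(timezone.utc).isoformat(),
        "sha256": hashlib.sha256(text.encode()).hexdigest(),
        "records": parse_proc_net_tcp(text),
    }


def collect_live(path="/proc/net/tcp"):
    """Read the real table on a Linux host; returns None elsewhere instead of raising."""
    p = Path(path)
    if not p.is_file():
        return None
    return snapshot(p.read_text(), source=str(p))


if __name__ == "__main__":
    snap = snapshot(SAMPLE_PROC_NET_TCP)
    print("sha256:", snap["sha256"])
    print("listening:", listening_ports(snap["records"]))
    print("established:", established_peers(snap["records"]))
```

Run on the sample, it reports listeners on ports 22 and 631 and one established session from uid 1000 to 93.184.216.34:443; `collect_live()` does the same against the real table on a Linux host. Hashing the raw text at collection time, rather than only the parsed result, is what lets the volatile capture be re-verified after the original state is gone.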
As seen in previous chapters, FTK Imager can help collect this data, specifically through memory acquisition. Once collected, you can perform a deeper analysis using the FTK platform.
To start the memory analysis, first add the memory dump file to your case as follows:
Click on Evidence and select Import Memory Dump.
Once added, select the Volatile tab to see all the data extracted from the evidence.
The information is presented in a classified and categorized form using the user-friendly FTK interface...