# Memory Dump Analysis

## Memory Acquisition

### Windows

#### FTK Imager

Download FTK Imager from <https://www.exterro.com/ftk-product-downloads/ftk-imager-4-7-3-81>. FTK Imager loads a kernel driver to read physical memory, so it must be run with administrator rights.

To acquire memory with **FTK Imager**, go to *File > "Capture Memory..."*. A dialog appears in which you set the destination folder and file name for the dump; it also lets you include the pagefile alongside the dump and wrap the output in an AD1 container. Run the tool from removable media and write the dump to external storage rather than to the evidence disk: everything you do on a live system overwrites memory and disk, so keep the footprint small and record a hash of the dump as soon as it is written.

<figure><img src="/files/D6e4NPoAzLFBDKLmghm1" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/yyg0tLNtaRqkPSiLc3Km" alt=""><figcaption></figcaption></figure>

#### WinPmem

**WinPmem** has long been the default open source memory acquisition driver for Windows. It used to live in the Rekall project but now has its own repository. It supports *Windows 7 through Windows 10, x86 and x64*; the WDK7600 can be used to build it with Windows XP support.

Download the latest and stable WinPmem version at the GitHub releases page (<https://github.com/Velocidex/WinPmem>).

Once downloaded, run the following command from an elevated (Administrator) prompt on the target system; loading the driver requires it. The binary name and argument syntax differ between releases (recent releases ship a `winpmem_mini_x64.exe` that simply takes the output path as its argument), so check `--help` for the version you have, write the dump to removable or network storage, and hash the result for the chain-of-custody record.

```powershell
.\winpmem.exe acquire memdump.raw
```

### Linux

#### AVML

**AVML** is an x86\_64 userland volatile memory acquisition tool written in Rust, intended to be deployed as a static binary. AVML can be used to acquire memory without knowing the target OS distribution or kernel a priori: it reads physical memory through whichever of `/dev/crash`, `/proc/kcore` or `/dev/mem` is available, so no on-target compilation or fingerprinting is needed. It must run as root, and its default output is the LiME format, which Volatility reads directly; the optional compressed output must be converted back to plain LiME before analysis.

Download the latest AVML release from their GitHub page (<https://github.com/microsoft/avml>).

After downloading the binary, run the following command as root to collect the memory of the target system:

```bash
# run as root; writes a LiME-format image to output.lime in the current directory
sudo ./avml output.lime
```
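Before shipping a dump off the host it is worth confirming that the file is a complete, well-formed LiME image and recording its hash. The following is an added example, not AVML's or this page's own code; it assumes the standard LiME on-disk layout (a 32-byte little-endian header carrying the magic `0x4C694D45`, a version number, the start address, the inclusive end address and 8 reserved bytes, followed by the bytes of that physical range, repeated once per range) and treats any version other than 1 as unsupported, which covers AVML's compressed variant. The sample image at the bottom is constructed in the script itself.

```python
"""Sanity-check a LiME-format image such as the one `avml output.lime` writes.

Added example; this is not AVML's or the page's own code. It assumes the
standard LiME on-disk layout: a 32-byte little-endian header (magic 0x4C694D45,
version, start address, inclusive end address, 8 reserved bytes) followed by
the bytes of that physical range, repeated once per range.
"""
import hashlib
import io
import struct
from typing import BinaryIO, List, NamedTuple

LIME_MAGIC = 0x4C694D45            # appears as the ASCII bytes "EMiL" at offset 0
LIME_VERSION_RAW = 1               # uncompressed LiME; anything else is rejected here
HEADER = struct.Struct("<IIQQ8s")  # magic, version, s_addr, e_addr, reserved


class Range(NamedTuple):
    s_addr: int   # first physical address in the segment
    e_addr: int   # last physical address, inclusive (as stored in the header)
    offset: int   # file offset of the segment's first data byte
    size: int     # e_addr - s_addr + 1


def parse_lime(f: BinaryIO) -> List[Range]:
    """Walk every segment header; raise ValueError if the image is truncated or malformed."""
    f.seek(0, io.SEEK_END)
    total = f.tell()
    f.seek(0)
    ranges: List[Range] = []
    pos = 0
    while pos < total:
        hdr = f.read(HEADER.size)
        if len(hdr) < HEADER.size:
            raise ValueError(f"truncated header at offset {pos}")
        magic, version, s_addr, e_addr, _reserved = HEADER.unpack(hdr)
        if magic != LIME_MAGIC:
            raise ValueError(f"bad magic 0x{magic:08x} at offset {pos}: not a LiME image")
        if version != LIME_VERSION_RAW:
            raise ValueError(f"unsupported LiME version {version} (compressed image?)")
        if e_addr < s_addr:
            raise ValueError(f"end 0x{e_addr:x} precedes start 0x{s_addr:x} at offset {pos}")
        if ranges and s_addr <= ranges[-1].e_addr:
            raise ValueError(f"segment at 0x{s_addr:x} overlaps or precedes the previous one")
        size = e_addr - s_addr + 1
        pos += HEADER.size
        if total - pos < size:
            raise ValueError(f"segment 0x{s_addr:x}-0x{e_addr:x} needs {size} bytes, "
                             f"only {total - pos} remain: image is truncated")
        ranges.append(Range(s_addr, e_addr, pos, size))
        pos += size
        f.seek(pos)  # skip the payload without reading it
    if not ranges:
        raise ValueError("empty image")
    return ranges


def parse_lime_bytes(data: bytes) -> List[Range]:
    return parse_lime(io.BytesIO(data))


def captured_bytes(ranges: List[Range]) -> int:
    """Total physical memory captured; compare it with the target's installed RAM."""
    return sum(r.size for r in ranges)


def sha256_file(f: BinaryIO, chunk: int = 1 << 20) -> str:
    """Hash the whole image in chunks for the chain-of-custody record."""
    f.seek(0)
    h = hashlib.sha256()
    for block in iter(lambda: f.read(chunk), b""):
        h.update(block)
    return h.hexdigest()


def build_lime(segments) -> bytes:
    """Assemble a raw LiME image from (s_addr, payload) pairs. Used only to build
    the constructed sample below; a real image comes from avml."""
    out = bytearray()
    for s_addr, payload in segments:
        out += HEADER.pack(LIME_MAGIC, LIME_VERSION_RAW, s_addr,
                           s_addr + len(payload) - 1, b"\0" * 8)
        out += payload
    return bytes(out)


# Constructed sample: two System RAM ranges separated by a hole, as real physical
# maps have below 1 MiB; SAMPLE_TRUNCATED is the same image cut short.
SAMPLE_IMAGE = build_lime([(0x1000, b"\x90" * 0x1000), (0x100000, b"A" * 0x800)])
SAMPLE_TRUNCATED = SAMPLE_IMAGE[:-0x100]

if __name__ == "__main__":
    import sys
    f = open(sys.argv[1], "rb") if len(sys.argv) > 1 else io.BytesIO(SAMPLE_IMAGE)
    ranges = parse_lime(f)
    for r in ranges:
        print(f"0x{r.s_addr:016x}-0x{r.e_addr:016x}  {r.size:>12d} bytes at file offset {r.offset}")
    print(f"captured {captured_bytes(ranges)} bytes, sha256 {sha256_file(f)}")
```

Run it as `python3 check_lime.py output.lime` on the host that took the image (it only reads headers and seeks past the payload, so it is cheap even on a multi-gigabyte dump), and compare the captured byte count with the machine's RAM size; a large shortfall usually means the acquisition was interrupted or the output volume filled up.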

## Memory Analysis

### Volatility

**Volatility** is an open source memory forensics framework that reconstructs a system's runtime state (processes, network connections, loaded modules, injected code) from volatile storage (RAM) dumps of Windows, Linux, macOS and other systems. Volatility 3 is the current version; it fetches Windows symbol tables automatically, whereas a Linux dump needs a symbol table built for the exact kernel the target was running, so note the kernel version at acquisition time.

{% content-ref url="/pages/qCygYQEeLeFexJ8O8YLe" %}
[Volatility Cheat Sheet](/hedgenotes/digital-forensics-and-incident-response/memory-dump-analysis/volatility-cheat-sheet.md)
{% endcontent-ref %}
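A common first pass over a Windows dump is to list processes and check the parent-child relationships against what a healthy boot looks like. The script below is an added example, not Volatility's or this page's own code. It assumes the listing was produced with `vol -f memdump.raw -r json windows.pslist > pslist.json`, whose JSON renderer emits one object per process keyed by the plugin's column names (only `PID`, `PPID` and `ImageFileName` are used), and it encodes the normal Windows process tree: wininit.exe owns services.exe and lsass.exe, svchost.exe is started by services.exe, and csrss.exe, winlogon.exe and wininit.exe are started by an smss.exe instance that has already exited. The rules are heuristics, so a hit is a lead to confirm with pstree, cmdline, dlllist and handles rather than a verdict. The sample listing is constructed inside the script.

```python
"""Flag process-tree anomalies in a Volatility 3 `windows.pslist` JSON listing.

Added example; not Volatility's or the page's own code. Assumes the listing was
written with `vol -f memdump.raw -r json windows.pslist > pslist.json` and that
each record carries the plugin's PID, PPID and ImageFileName columns.
"""
import json
from collections import Counter
from typing import Any, Dict, List

# process name -> acceptable parent names (all compared case-insensitively)
EXPECTED_PARENT: Dict[str, set] = {
    "services.exe": {"wininit.exe"},
    "lsass.exe": {"wininit.exe"},
    "svchost.exe": {"services.exe"},
    "csrss.exe": {"smss.exe"},
    "winlogon.exe": {"smss.exe"},
    "wininit.exe": {"smss.exe"},
}
# a second running copy of any of these is itself suspicious
SINGLETONS = ("wininit.exe", "services.exe", "lsass.exe")


def find_anomalies(procs: List[Dict[str, Any]]) -> List[str]:
    by_pid = {p["PID"]: p for p in procs}
    names = Counter(p["ImageFileName"].lower() for p in procs)
    findings: List[str] = []

    for name in SINGLETONS:
        if names[name] > 1:
            findings.append(f"{names[name]} instances of {name}, expected 1")

    for p in procs:
        name = p["ImageFileName"].lower()
        expected = EXPECTED_PARENT.get(name)
        if expected is None:
            continue  # no rule for this process
        parent = by_pid.get(p["PPID"])
        if parent is None:
            # smss.exe spawns csrss/winlogon/wininit and then exits, so a missing
            # parent is normal for those; for anything else it deserves a look.
            if "smss.exe" not in expected:
                findings.append(f"{name} pid {p['PID']}: parent pid {p['PPID']} is not in the list")
            continue
        parent_name = parent["ImageFileName"].lower()
        if parent_name not in expected:
            findings.append(f"{name} pid {p['PID']}: parent is {parent_name} pid {p['PPID']}, "
                            f"expected {' or '.join(sorted(expected))}")
    return findings


def triage(pslist_json: str) -> List[str]:
    """Parse the JSON renderer output and return one line per finding."""
    return find_anomalies(json.loads(pslist_json))


# Constructed sample in the shape of the pslist JSON output. The last two records
# are the planted anomalies: svchost.exe under explorer.exe, and a second
# lsass.exe under that svchost.
SAMPLE_PSLIST = json.dumps([
    {"PID": 4,    "PPID": 0,    "ImageFileName": "System"},
    {"PID": 320,  "PPID": 4,    "ImageFileName": "smss.exe"},
    {"PID": 412,  "PPID": 404,  "ImageFileName": "csrss.exe"},
    {"PID": 488,  "PPID": 404,  "ImageFileName": "wininit.exe"},
    {"PID": 596,  "PPID": 488,  "ImageFileName": "services.exe"},
    {"PID": 604,  "PPID": 488,  "ImageFileName": "lsass.exe"},
    {"PID": 720,  "PPID": 596,  "ImageFileName": "svchost.exe"},
    {"PID": 1340, "PPID": 1180, "ImageFileName": "explorer.exe"},
    {"PID": 2216, "PPID": 1340, "ImageFileName": "svchost.exe"},
    {"PID": 2304, "PPID": 2216, "ImageFileName": "lsass.exe"},
])

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PSLIST
    for line in triage(text) or ["no process-tree anomalies found"]:
        print(line)
```

Because `windows.pslist` walks the active process list, a process that has been unlinked from it (the classic DKOM hiding trick) will not show up here at all; cross-check the same dump with `windows.psscan`, which carves process objects from memory regardless of the list, and treat processes present in one output but not the other as a separate finding.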

## Resources

* <https://github.com/microsoft/avml?tab=readme-ov-file#summary>
* <https://github.com/Velocidex/WinPmem?tab=readme-ov-file#winpmem----a-physical-memory-acquisition-tool>

