Memory forensics is a really interesting field, especially when you’re dealing with systems that are actively running. Capturing volatile memory, or RAM, can give you a snapshot of what’s happening right now. This is super useful for figuring out security incidents or understanding system behavior. But, it’s not always straightforward. There are a bunch of different ways to grab this data, and each has its own pros and cons. We’ll look at some of the main volatile memory capture techniques and what you need to know to do it right.
Key Takeaways
- Grabbing volatile memory provides a real-time look at a system, which is key for incident response and analysis.
- Different methods exist for capturing volatile memory, from live dumps to more complex techniques, each with its own challenges.
- Maintaining data integrity and the chain of custody is super important when collecting memory images.
- Tools range from free, open-source options to professional suites, and even specialized hardware.
- Understanding the limitations and potential impacts on the live system is vital during the capture process.
Understanding Volatile Memory Capture Techniques
Capturing volatile memory, often called RAM, is a really important step in digital forensics. Think of it like taking a snapshot of a computer’s active brain right at a specific moment. This memory holds a ton of temporary data that can disappear the second a system loses power. This includes things like running processes, network connections, passwords that were typed in, and even fragments of documents that were being worked on. Without capturing this data quickly, it’s gone forever, making investigations much harder.
There are definitely some tricky parts to getting this data. For starters, the data is, well, volatile. It’s constantly changing, and the act of trying to grab it can sometimes change it even more. You also have to worry about the system itself. If you’re not careful, your capture process could crash the system, altering the very evidence you’re trying to collect. Plus, there are legal and ethical lines to consider, especially when dealing with sensitive information.
So, what are the main ways people go about this? Here are a few key techniques:
- Live System Memory Dumps: This is probably the most common method. You use specialized software on the running system to copy the contents of RAM to a file on a separate storage device. It’s fast, but there’s always a risk of altering the memory state.
- Cold Boot Attacks and Acquisition: This is a bit more advanced. It involves physically removing the RAM modules from a powered-off computer and quickly transferring them to a specialized reader. The idea is that RAM retains its data for a short period even after power loss, but you have to be super quick.
- Network-Based Memory Acquisition: Instead of running software directly on the target machine, you can use network tools to pull memory data over the network. This is useful for systems you can’t physically access or when you want to minimize interaction with the target machine itself. It’s a good way to avoid direct system perturbation.
Each of these methods has its own pros and cons, and the best choice often depends on the specific situation, the type of system, and the resources available. Getting this data right is the first big hurdle in any memory forensics investigation. Understanding the attack lifecycle, from reconnaissance to exfiltration, is key to knowing what kind of data might be present in memory. Understanding the attack lifecycle
The goal is always to get the most complete and accurate copy of the volatile memory possible, while causing the least amount of disturbance to the system being investigated. This balance is tricky to strike.
Core Principles of Memory Forensics
When we’re looking at memory dumps, it’s not just about grabbing the data and hoping for the best. There are some pretty important ideas we need to keep in mind to make sure what we find is actually useful and holds up. Think of it like collecting evidence at a crime scene – you can’t just go in and start moving things around. It needs to be done carefully.
Data Integrity and Chain of Custody
This is a big one. We need to be absolutely sure that the memory image we capture hasn’t been messed with, either accidentally or on purpose. If the data changes even a little bit after we grab it, it might not be usable, especially if it needs to go to court. That’s where the chain of custody comes in. It’s basically a detailed record of who handled the evidence, when they handled it, and what they did with it, from the moment it was collected until it’s presented. This keeps a clear trail so everyone knows the data is legit.
- Document every step: Record the exact time of capture, the tools used, and the environment.
- Use hashing: Calculate cryptographic hashes (like SHA-256) of the memory image before and after any analysis. If the hashes don’t match, something changed.
- Secure storage: Keep the original memory image in a safe place, and work on copies whenever possible.
Maintaining the integrity of digital evidence is paramount. Any alteration, however minor, can cast doubt on the findings and potentially render them inadmissible in legal proceedings. A meticulous approach to handling and documenting each step is non-negotiable.
Minimizing System Perturbation
When you’re capturing memory from a live system, the act of capturing itself can change things. Running tools, accessing files, or even just the operating system reacting to the capture process can alter the very memory you’re trying to examine. The goal is to be as quiet as possible. We want to get a snapshot of the system’s state before our tools start making a fuss. This is especially tricky with systems that are actively in use or under heavy load. Sometimes, the best way to avoid changing things is to capture memory from a powered-off state, but that’s not always an option, especially during an active incident. For live captures, using specialized tools designed to minimize their footprint is key. It’s a bit like trying to take a picture of a shy animal – you don’t want to scare it away before you get the shot.
Legal and Ethical Considerations
Before you even think about touching a system to capture its memory, you need to know the rules. Are you authorized to do this? Do you have the proper legal permissions, like a warrant or consent? Capturing memory without the right authority can lead to serious legal trouble. Plus, memory often contains sensitive personal information. You have to handle that data responsibly and ethically, respecting privacy laws and company policies. It’s not just about the technical steps; it’s about doing things the right way, legally and morally. Understanding how attackers operate can help inform what data is most critical to capture, but it doesn’t override the need for proper authorization.
Methods for Acquiring Volatile Memory
Getting a snapshot of volatile memory, or RAM, is a tricky business. It’s like trying to catch lightning in a bottle – it changes constantly and disappears when the power is cut. Because of this, how you grab that memory data really matters. There are a few main ways to go about it, each with its own set of pros and cons.
Live System Memory Dumps
This is probably the most common method. You’re essentially taking a snapshot of the system’s RAM while it’s still running. Think of it like taking a picture of a busy street – you capture everything happening at that exact moment. The goal here is to get as much of that live data as possible before it changes or vanishes.
- Tools: Specialized software, often run directly on the system or remotely, is used to read the memory contents. Examples include tools like
dumpitorwinpmemfor Windows, andddorLiMEfor Linux. - Process: The tool reads the physical memory addresses and writes them to a file, usually on a separate storage device to avoid altering the memory being captured.
- Challenges: The biggest hurdle is minimizing disruption. Running a memory dump tool can use system resources, potentially altering the very state you’re trying to capture. It’s a delicate balance.
Capturing live memory requires careful planning to ensure the acquisition process itself doesn’t inadvertently change the evidence. The less the system is perturbed, the more reliable the captured data will be.
Cold Boot Attacks and Acquisition
This method is a bit more aggressive and involves physically accessing the machine. When a computer is powered off normally, its RAM contents decay over time. However, if you can cool the RAM chips (often with compressed air turned upside down) and then quickly reboot the system into a controlled environment, you can sometimes recover residual data that would otherwise be lost. It’s a bit of a hacky, but sometimes necessary, technique.
- Environment: Requires physical access to the machine and often specialized hardware or bootable media.
- Cooling: Dramatically lowering the temperature of the RAM chips slows down data decay, extending the window for data recovery.
- Speed: The entire process, from cooling to rebooting and dumping memory, needs to happen very quickly.
Network-Based Memory Acquisition
Sometimes, you can’t or shouldn’t touch the machine directly. Network-based acquisition allows you to pull memory data over the network. This is useful for systems that are critical, remote, or where direct access might trigger security alerts or alter the state.
- Remote Agent: A small piece of software might be deployed on the target system to initiate the memory dump and send it over the network.
- Network Traffic: The memory image is transmitted across the network, requiring sufficient bandwidth and a secure connection.
- Advantages: This method can be less intrusive to the target system compared to running tools locally. It’s also practical for systems that are difficult to access physically.
Tools and Technologies for Memory Capture
Open-Source Memory Acquisition Tools
When you need to grab a snapshot of volatile memory, there are some solid free options out there. These tools are often the first port of call for many digital forensics folks because they’re accessible and can be quite powerful. Think of tools like LiME (Linux Memory Extractor), which is designed to work directly on Linux systems, or DumpIt, a simple Windows executable that can create a memory image with just a click. Another popular choice is Volatility Framework, which, while primarily known for analysis, also includes modules for memory acquisition. These tools are great because they give you a lot of control and don’t cost anything, which is always a plus. The key is to choose a tool that’s compatible with your target operating system and hardware.
Commercial Forensics Suites
If you’re looking for a more integrated solution, commercial forensics suites offer a comprehensive package. These platforms often bundle memory acquisition capabilities with a wide array of analysis tools, reporting features, and support. Think of names like EnCase Forensic or FTK (Forensic Toolkit). They aim to streamline the entire digital forensics process, from evidence collection to final report generation. While they come with a price tag, they often provide advanced features, dedicated support, and a polished user experience that can save a lot of time and effort, especially in complex investigations. They can handle a variety of scenarios, from simple memory dumps to more intricate data recovery tasks.
Hardware-Based Acquisition Devices
For situations where software-based acquisition might be too risky or simply not feasible, hardware acquisition devices come into play. These specialized devices connect directly to a system, often at a low level, to capture memory. They are designed to minimize the impact on the live system, which is super important when you’re trying to preserve evidence. Devices like the Tableau TX1 Forensic Imager or specialized PCIe capture cards can be used. They bypass the operating system entirely, which can be a lifesaver if the OS is compromised or unstable. This method is generally considered more robust for high-stakes investigations where system perturbation must be absolutely minimal. It’s a bit like using a scalpel instead of a butter knife for delicate surgery.
Advanced Volatile Memory Capture Scenarios
Capturing volatile memory isn’t always straightforward. Sometimes, the systems we need to investigate are a bit… unusual. We’re talking about environments that don’t behave like your typical desktop or server. Let’s look at a few of these trickier situations.
Capturing Memory from Virtual Machines
Virtual machines (VMs) are everywhere these days, and they present their own set of challenges when it comes to memory forensics. Because a VM is essentially a set of files on a host system, you can’t just plug in a USB drive or run a tool directly on the VM’s "memory" in the same way you would a physical machine. You’re often dealing with the host’s resources.
Here’s the general idea:
- Accessing the VM’s memory state: This usually involves interacting with the hypervisor software (like VMware, VirtualBox, or Hyper-V). The hypervisor manages the VM’s resources, including its RAM. You’ll need to tell the hypervisor to pause the VM and then dump its memory.
- Host-based acquisition: The most common method is to perform the memory dump from the host operating system. You’d use tools that can access the VM’s memory file or snapshot.
- Guest-based acquisition: Less common, but sometimes possible, is running a memory acquisition tool inside the VM itself. This can be tricky because the act of running the tool might alter the very memory you’re trying to capture, and you need to get that dump file out of the VM before it’s shut down or altered.
- Considerations: You have to be careful not to accidentally shut down or restart the VM when you’re trying to capture its memory, as that would wipe the RAM clean. Also, the VM’s memory might be stored in a file on disk, which adds another layer to consider.
Capturing VM memory often means working with the hypervisor, not directly with the VM’s RAM as if it were a standalone computer. The goal is to get a snapshot of that RAM before the VM is powered off or significantly changed.
Acquiring Memory from Embedded Systems
Embedded systems are a whole different ballgame. Think about the computers inside cars, industrial control systems, smart appliances, or even specialized network devices. These systems often run custom operating systems, have limited resources, and might not even have a standard keyboard or monitor attached.
- Limited access: Many embedded devices are designed to be "set and forget." They might not have easy ways to connect external tools or run diagnostic software.
- Hardware interfaces: Sometimes, you need to access specific hardware interfaces, like JTAG or serial ports, to get control of the device and dump its memory. This often requires specialized hardware and knowledge.
- Power considerations: You might need to power the device in a specific way, or even capture memory while it’s booting up, which is a very sensitive time.
- Custom tools: Standard memory acquisition tools might not work. You may need to develop or adapt tools specifically for the architecture and operating system of the embedded device.
- Physical access: Often, getting memory from these systems requires physical access to the device itself, which can be a hurdle if the device is in a remote or secure location.
Mobile Device Memory Acquisition
Mobile devices like smartphones and tablets are essentially powerful, pocket-sized computers. Capturing their volatile memory is a significant part of mobile forensics.
- Operating system differences: iOS and Android have different security models and file systems, meaning the techniques for memory acquisition can vary quite a bit.
- Encryption: Modern mobile devices heavily rely on encryption, both for data at rest and sometimes for data in transit. This can make accessing memory much harder, as you might need decryption keys or bypass encryption mechanisms.
- Rooting/Jailbreaking: To get full access to a mobile device’s memory, you often need to gain elevated privileges, which might involve rooting an Android device or jailbreaking an iOS device. This process itself can alter the device’s state.
- Physical vs. Logical Acquisition: Memory acquisition is typically part of a physical acquisition, where you’re trying to get a bit-for-bit copy of the device’s storage, including RAM. Logical acquisition, on the other hand, only gets the data the operating system makes available through its APIs.
- Tools: Specialized mobile forensic tools are usually required. These tools are designed to interact with the device’s operating system and hardware in specific ways to extract data, including volatile memory.
These advanced scenarios highlight that memory forensics isn’t a one-size-fits-all discipline. It requires adapting techniques and tools based on the specific environment and device you’re investigating.
Post-Capture Analysis of Volatile Data
So, you’ve managed to grab a snapshot of that volatile memory. That’s a big step, but honestly, the real work is just beginning. Now comes the part where you sift through all that captured data to figure out what actually happened. It’s like finding a needle in a haystack, but the needle could be a piece of malware or evidence of a data breach.
Identifying Malicious Processes and Artifacts
First off, you’ll want to look for anything that shouldn’t be running. This means spotting processes that are using a lot of resources unexpectedly, or ones with strange names or locations. Sometimes, malware tries to hide by mimicking legitimate system processes. You’re also looking for signs of rootkits, which are particularly sneaky because they try to hide their own activity and maintain privileged access. Tools can help here by comparing the running processes against known good lists or looking for suspicious behaviors. It’s all about finding those anomalies that point to something malicious.
Extracting Network Connections and Credentials
Next up, let’s talk about what the system was doing on the network. Memory dumps can reveal active network connections, including IP addresses and ports. This is super useful for seeing if the system was talking to a command-and-control server or if data was being sent out to an unknown destination. Beyond just connections, you’re also hunting for any credentials that might have been stored in memory. This could include passwords, encryption keys, or session tokens that attackers might have grabbed. Finding these can give you a direct path to other compromised systems or accounts. It’s a bit like finding the keys to the kingdom.
Reconstructing User Activity
Finally, you want to piece together what a user was actually doing. Memory analysis can show you recently executed commands, open files, and even fragments of documents or web pages that were in use. This helps build a timeline of events and understand the user’s actions leading up to or during an incident. It’s not always straightforward, as much of this data can be fragmented or overwritten quickly. However, by correlating different pieces of information, you can often get a pretty clear picture of user activity. This part is key for understanding the scope and impact of an incident.
The analysis of volatile memory is a detailed process. It requires careful examination of processes, network activity, and user actions to uncover hidden threats and reconstruct events. Each piece of data, no matter how small, can contribute to a larger understanding of what occurred.
Here’s a quick look at what you might be searching for:
- Suspicious processes (e.g., unusual names, high CPU usage)
- Network connections to unknown IPs or ports
- Stored credentials (passwords, tokens)
- Recently executed commands
- Open files and application artifacts
This process often involves using specialized forensic tools that can parse the memory image and present the information in a more digestible format. It’s a critical step in incident response, helping to understand the full story behind a security event and inform containment strategies.
It’s important to remember that memory is volatile for a reason. Data disappears when power is lost, which is why capturing it quickly and analyzing it thoroughly is so important. Sometimes, you might even find evidence of advanced techniques like fileless malware, which lives only in memory and doesn’t leave traditional files on disk. This makes memory forensics an indispensable part of modern digital investigations.
Mitigating Risks During Memory Acquisition
When you’re grabbing a snapshot of volatile memory, things can get a little dicey. The whole point is to get a true picture of what’s happening on a system, but the process itself can mess things up. We need to be careful not to change the very data we’re trying to collect. It’s like trying to take a photo of a moving car – you want to freeze the moment, not blur it out.
Ensuring System Stability
First off, we don’t want to crash the system we’re investigating. If the machine goes down unexpectedly, we might lose valuable information or even corrupt what we’ve already gathered. Tools and methods should be chosen to minimize the load on the target system. Think about running a lightweight script rather than a heavy application. Sometimes, you might need to use specialized hardware that can copy memory without heavily interacting with the operating system.
- Use read-only acquisition methods whenever possible. This prevents accidental writes to the memory.
- Test acquisition tools on non-critical systems first. This helps identify potential stability issues before using them in a live investigation.
- Monitor system resources closely during acquisition. Keep an eye on CPU, memory, and disk usage to spot any signs of strain.
Preventing Data Tampering
This is a big one. We need to make sure that no one, not even us accidentally, changes the memory image after it’s captured. This is where the chain of custody comes into play. Once the data is off the system, it needs to be protected. This means using secure storage, limiting access to the image file, and documenting every step taken.
The integrity of the captured memory image is paramount. Any alteration, intentional or not, can render the evidence inadmissible or misleading. Strict protocols must be followed from the moment of acquisition through to analysis.
Secure Handling of Sensitive Information
Memory dumps can contain all sorts of sensitive stuff – passwords, encryption keys, personal data. It’s not just about protecting the integrity of the data, but also its confidentiality. Access to these memory images should be restricted to authorized personnel only. Encryption of the memory image itself, both in transit and at rest, is a good practice, especially if it needs to be stored for a long time or shared with other teams. We also need to think about how we dispose of this data when it’s no longer needed, following proper data destruction policies. This is especially important when dealing with systems that might have been compromised through something like malvertising.
Here’s a quick rundown of what to keep in mind:
- Access Control: Only authorized investigators should have access to the memory image. Use strong authentication and authorization mechanisms.
- Encryption: Encrypt the memory image file using strong encryption algorithms, especially if it will be stored or transmitted.
- Secure Storage: Store the memory image on secure, access-controlled storage media. Avoid storing it on easily accessible or networked drives without proper protection.
- Documentation: Maintain detailed logs of who accessed the memory image, when, and for what purpose. This supports the chain of custody.
Integrating Memory Capture into Incident Response
When a security incident happens, grabbing a snapshot of a system’s volatile memory can be a game-changer. It’s not just about seeing what’s running right now, but also about uncovering hidden threats that might vanish if you just reboot the machine. Think of it like catching a suspect in the act, rather than just looking at the crime scene later.
Real-Time Memory Analysis During Incidents
During an active incident, getting a memory dump quickly is key. This allows your incident response team to see exactly what processes are active, what network connections are open, and what data might be in transit. This immediate insight helps in making faster decisions about containment and eradication. For example, if you see a suspicious process consuming a lot of resources or communicating with a known bad IP address, you can shut it down right away. This kind of real-time data can significantly shorten the time it takes to get a handle on the situation. It’s about getting ahead of the attacker before they can cover their tracks or cause more damage. A well-defined incident response plan is vital here, outlining the steps for identifying and triaging security alerts.
Using Memory Forensics for Threat Hunting
Beyond active incidents, memory forensics is a powerful tool for proactive threat hunting. You can periodically capture memory from critical systems and analyze it offline. This helps in finding subtle signs of compromise that might have been missed by automated tools. Maybe there’s a piece of malware that only runs in memory and doesn’t write anything to disk, or perhaps an attacker has injected malicious code into a legitimate process. Memory analysis can reveal these hidden activities. It’s a way to look for the ‘needle in the haystack’ that could indicate a long-term compromise or a stealthy attacker. This approach helps in understanding the broader threat landscape affecting your organization.
Automating Memory Capture Workflows
Manually capturing and analyzing memory can be time-consuming, especially in large environments. Automating parts of this process can make a big difference. This could involve setting up scripts to automatically dump memory from systems when certain alerts are triggered, or using specialized tools that can collect memory data remotely. Automation also helps in standardizing the collection process, which is important for maintaining data integrity and making sure your analysis is consistent. It frees up your security team to focus on the actual analysis and response, rather than getting bogged down in repetitive tasks. The goal is to make memory capture a routine part of your security operations, not an afterthought.
Here’s a look at how memory capture fits into different stages of incident response:
| Stage of Incident Response | Role of Memory Capture |
|---|---|
| Detection | Identifying suspicious processes, network connections, and loaded modules that automated tools might miss. |
| Containment | Providing evidence of malicious activity to justify isolating systems or blocking network traffic. |
| Eradication | Revealing persistence mechanisms or injected code that needs to be removed. |
| Recovery | Verifying that malicious elements have been fully removed before bringing systems back online. |
| Post-Incident Review | Providing detailed artifacts for root cause analysis and lessons learned. |
Emerging Trends in Volatile Memory Forensics
The field of volatile memory forensics is always changing, and there are a few new things popping up that are pretty interesting. We’re seeing a lot more focus on how to handle memory dumps from systems that are really complex, like virtual machines and even those tiny embedded devices we use every day. Plus, the way we analyze this data is getting smarter, with AI starting to play a role.
AI-Assisted Memory Analysis
Artificial intelligence is starting to make its way into memory forensics. Think of it like having a super-smart assistant that can sift through massive amounts of memory data way faster than a human could. AI can help spot patterns that might indicate malicious activity, like unusual process behavior or hidden code. It’s not about replacing the forensic analyst, but more about giving them tools to work more efficiently and find things that might otherwise be missed. This can speed up investigations significantly.
Cloud-Based Memory Acquisition
As more systems move to the cloud, acquiring memory from them presents new challenges. Cloud environments are dynamic, and traditional methods don’t always work. New techniques are being developed to capture memory from virtual machines and containers running in cloud platforms. This often involves using APIs provided by the cloud provider or specialized agents that can run within the cloud environment to grab that memory snapshot without disrupting the running services too much.
Encrypted Memory Capture Challenges
Encryption is great for protecting data, but it can make memory forensics tricky. If the system’s memory itself is encrypted, getting useful data out of a dump can be really difficult. Researchers are working on ways to handle this, sometimes by trying to decrypt the memory if keys can be recovered or by developing techniques that can analyze encrypted data without fully decrypting it. It’s a tough problem because the whole point of encryption is to make data unreadable without the key.
Here’s a quick look at how these trends might impact investigations:
| Trend | Potential Impact on Investigations |
|---|---|
| AI-Assisted Analysis | Faster identification of threats, reduced manual effort |
| Cloud-Based Acquisition | Ability to investigate cloud-native incidents effectively |
| Encrypted Memory Challenges | Need for new decryption or analysis techniques, potential data loss |
The landscape of digital evidence is constantly shifting. Staying ahead means adapting our tools and methods to match the evolving technologies and threats we face. Memory forensics is no exception, and these emerging trends highlight the ongoing innovation in the field.
Wrapping Up
So, we’ve talked a lot about how tricky it can be to grab hold of volatile memory. It’s not exactly like picking up a dropped coin; it disappears pretty fast. We looked at different ways attackers might try to get at it, and why it’s so important for defenders to get there first. Whether it’s for figuring out what went wrong after an incident or trying to catch bad guys in the act, getting that memory data is a big deal. It’s a tough job, for sure, but knowing how it works helps us all stay a bit safer online.
Frequently Asked Questions
What is volatile memory, and why is it important to capture it?
Volatile memory, like RAM, is where a computer keeps information it’s actively using. Think of it as a desk where you put things you need right now. When the power goes off, everything on that desk disappears. Capturing this memory is like taking a snapshot of that desk before it gets cleared. It’s super important in computer investigations because it can hold clues about what a computer was doing, like running programs, passwords, or network connections, that might not be saved anywhere else.
What makes capturing volatile memory tricky?
Grabbing information from volatile memory is tough for a few reasons. First, it’s super fast-changing, so you have to be quick. Second, the very act of trying to capture it can sometimes change the memory itself, potentially messing up the evidence. Also, the data is often spread out and not nicely organized, making it hard to find what you need.
What are the main ways to capture volatile memory?
There are a few main methods. One is to take a ‘live dump’ while the computer is still running, which is like a quick photo. Another is called a ‘cold boot attack,’ where you quickly restart a powered-off computer to try and grab the memory before it fully clears. You can also capture memory over a network if you can’t access the computer directly.
Are there special tools for capturing memory?
Yes, there are! Some tools are free and open for anyone to use, like Volatility or Rekall. Others are part of bigger, professional software packages that investigators use. There are even special hardware devices designed to help capture memory very quickly and reliably.
Can you capture memory from virtual computers or phones?
Absolutely! Capturing memory from virtual machines (computers running inside other computers) is common, and there are specific ways to do it. It’s also possible, though often more complicated, to capture memory from mobile devices and smaller embedded systems, like smart appliances.
What happens after the memory is captured?
Once you have the memory snapshot, investigators analyze it to find important information. They look for hidden programs, clues about who was using the computer, what websites they visited, and any secret passwords or network details that might have been floating around in memory.
How do investigators make sure the memory data isn’t changed?
Keeping the data safe and unchanged is crucial. Investigators use techniques to make sure the computer they’re working on is as undisturbed as possible. They also carefully track who handles the data and when, creating a ‘chain of custody’ to prove it hasn’t been tampered with.
What’s the difference between live memory capture and a cold boot attack?
A live memory capture happens while the computer is running normally. It’s faster but might miss some things or be slightly altered by the running system. A cold boot attack involves shutting down the computer and then quickly starting it up in a special way to grab the memory contents before they fade away. This can sometimes get more complete data but is more complex to perform.