Comparison of Memory Acquisition Software for Windows

1. Methodology

The tools

Since Medium does not officially support tables yet, I have posted them as pictures in this article.

When executing each tool, it was ensured that the same processes were running to have a common baseline when conducting the analysis. The machine was connected to the Internet when memory was acquired. They were evaluated based on the following criteria:

1. User interface and customizability

2. Acquisition time

3. Occupied memory according to Task Manager

4. Loaded DLLs

5. Registry changes and invoked files

6. Portable software

1.1 Output

DumpIt
Live RAM Capturer
FTK Imager
Magnet RAM Capture

The above screenshots display the output from the four tools. The discrepancy in size between the captures from DumpIt and other tools is because of the file formats. DumpIt uses .dmp which is a memory dump file whereas all the other tools output in raw format which can result in larger output files than the actual size of physical RAM installed (BlackBag, 2016).

DumpIt also offers the option to capture memory in raw format as shown below although the developers discourage it. DumpIt’s statistics in the following section is based on its memory dump file capture and not raw capture as that is the tool’s default output format.

2. Discussion

2.1 User interface and customizability

Belkasoft provides the option to specify the output location and has a button called “Capture” that is used to start the memory acquisition process. It does not provide the option to name the output, although this can be renamed later.

Magnet RAM Capture also provides the option to specify the path and name of the output. In addition, it offers the option to split the capture into 500MB, 1GB, 2B or 4GB segments. All these tools display a progress bar as well.

DumpIt was executed via PowerShell. Out of the tools tested, DumpIt provides the most variety of options through its commands.

2.2 Acquisition time

Acquisition time
DumpIt .json
DumpIt
Belkasoft RAM Capturer
FTK Imager
Magnet RAM Capture

FTK Imager was the quickest, with Belkasoft just a couple of seconds behind. Despite being a command line tool, DumpIt took the longest time.

2.3 Occupied memory according to Task Manager

Task Manager was used to monitory memory usage. Except for DumpIt, the memory usage of the tools remained consistent throughout the imaging process. DumpIt results in a small peak at the end of the process, which may be attributed to the creation of a .json file containing metadata regarding the capture as it is the only tool to output such a file.

Memory usage according to Task Manager

2.4 Loaded DLLs

Process Explorer was used to identify loaded DLLs (froglogic, 2020).

RamCapture64, despite being a GUI tool, invoked the least number of DLLs. DumpIt being a command line tool invoked the second least number of DLLs. The other two GUI tools invoked more than 100 DLLs. FTK Imager loaded the highest number of DLLs. This could be expected as it is a GUI tool that offers various functionalities apart from just capturing memory. Screenshots aren’t provided for this metric as there are too many records.

Loaded DLLs

2.5 Registry changes and invoked files

Process Monitor was used to identify modified registry keys and invoked files. The filter ‘RegSetValue’ was applied to Process Monitor to identify registry keys modified by the processes (Heddings, 2019). The filter ‘CreateFile’ was applied to Process Monitor to identify files invoked by the processes. Screenshots aren’t provided for this metric as there are too many records.

Registry changes and invoked files

The order of ranking of tools is the same compared to loaded DLLs.

2.6 Portable software

Portable software

3. Evaluation

Evaluation

I find it hard to give an overall ranking for all the tools since I would have to assign a weighted grade for each metric which can be quite subjective. Yet, it is quite evident that based on the four metrics above, Belkasoft’s Live RAM Capturer is the best memory acquisition tool out of the four tools. That being said, this comparison is obviously not exhaustive.

References

froglogic, 2020. Getting a list of DLLs currently loaded in a process. [Online]
Available at: https://kb.froglogic.com/misc/getting-list-of-loaded-dlls/
[Accessed 21 December 2020].

Heddings, L., 2019. SysInternals Pro: Using Process Monitor to Troubleshoot and Find Registry Hacks. [Online]
Available at: https://www.howtogeek.com/school/sysinternals-pro/lesson5/
[Accessed 20 December 2020].

Philosophy | Poetry

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store