Impact of Tools on the Acquisition of RAM Memory

""

Marcos Fuentes Martínez (1*) - https://orcid.org/0000-0002-7799-0159

(1) Guardia Civil, Spain
(*) Corresponding Author

Abstract

When responding to a security incident in a system, several basic principles must be followed regarding the collection of evidence from the system. The evidence has to be captured according to its order of volatility. In this sense, RAM constitutes the most important element to capture, given its extreme volatility. RAM must be acquired and analyzed because the data it holds, which may belong to the system itself or to any other device connected to it, can survive in it for a certain amount of time. Since RAM is a constantly changing element, it must be stressed that any action carried out on the system under analysis will modify the contents of the RAM. In this article a comparative and objective analysis has been carried out, showing the impact that the execution of some RAM capture tools has on the system. This comparative study details both the private and shared working sets for each of the processes executed by each of the tools used.
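The measurement the abstract describes, recording each process's private and shared working set before and while an acquisition tool runs, can be reproduced with the standard Windows performance counters. The PowerShell script below is an added example, not code from the article or from any of the tools it studies; the tool path and arguments in the invocation are placeholders, and the shared working set is derived as the difference between the `Working Set` and `Working Set - Private` counters.

```powershell
# Added example (not from the article): measure the per-process working-set
# footprint that running a RAM acquisition tool leaves on a Windows host.
# Uses the standard \Process(*) performance counters; the shared working set is
# derived as (Working Set) - (Working Set - Private).

function Get-WorkingSetSnapshot {
    # Returns a hashtable keyed by PID with Name, TotalWS and PrivateWS (bytes).
    $paths = @('\Process(*)\ID Process',
               '\Process(*)\Working Set',
               '\Process(*)\Working Set - Private')
    $samples = (Get-Counter -Counter $paths -ErrorAction SilentlyContinue).CounterSamples

    # Group samples by counter instance name (e.g. "explorer", "svchost#3").
    $byInstance = @{}
    foreach ($s in $samples) {
        $inst = $s.InstanceName
        if ($inst -in @('_total', 'idle')) { continue }
        if (-not $byInstance.ContainsKey($inst)) {
            $byInstance[$inst] = @{ Name = $inst; Pid = 0; TotalWS = 0L; PrivateWS = 0L }
        }
        # -Wildcard matching is case-insensitive, so the lowercase paths reported
        # by Get-Counter match these patterns.
        switch -Wildcard ($s.Path) {
            '*\id process'            { $byInstance[$inst].Pid       = [int]$s.CookedValue }
            '*\working set - private' { $byInstance[$inst].PrivateWS = [int64]$s.CookedValue }
            '*\working set'           { $byInstance[$inst].TotalWS   = [int64]$s.CookedValue }
        }
    }

    # Re-key by PID so a process can be matched across snapshots even when the
    # "#n" instance suffixes shift as processes start or exit.
    $byPid = @{}
    foreach ($entry in $byInstance.Values) {
        if ($entry.Pid -gt 0) { $byPid[$entry.Pid] = $entry }
    }
    return $byPid
}

function Compare-WorkingSetSnapshot {
    # Reports every process present in $After: its private/shared working set
    # and the change relative to $Before (a process absent from $Before is "new").
    param([hashtable]$Before, [hashtable]$After)
    foreach ($id in $After.Keys) {
        $a = $After[$id]
        $b = $Before[$id]
        $sharedAfter = $a.TotalWS - $a.PrivateWS
        if ($b) {
            $status  = 'existing'
            $dPriv   = $a.PrivateWS - $b.PrivateWS
            $dShared = $sharedAfter - ($b.TotalWS - $b.PrivateWS)
        } else {
            $status  = 'new'      # appeared while the tool was running
            $dPriv   = $a.PrivateWS
            $dShared = $sharedAfter
        }
        [pscustomobject]@{
            Process         = $a.Name
            Pid             = $id
            Status          = $status
            PrivateWS_KB    = [math]::Round($a.PrivateWS / 1KB)
            SharedWS_KB     = [math]::Round($sharedAfter / 1KB)
            DeltaPrivate_KB = [math]::Round($dPriv / 1KB)
            DeltaShared_KB  = [math]::Round($dShared / 1KB)
        }
    }
}

function Measure-ToolFootprint {
    # Snapshot, launch the acquisition tool, snapshot again while the dump is in
    # progress, then wait for the tool to finish and report what changed.
    param(
        [Parameter(Mandatory)][string]$ToolPath,  # placeholder: acquisition tool executable
        [string]$Arguments = '',
        [int]$SampleAfterSeconds = 5              # sample while the dump is still running
    )
    $before = Get-WorkingSetSnapshot
    $proc = if ($Arguments) { Start-Process -FilePath $ToolPath -ArgumentList $Arguments -PassThru }
            else            { Start-Process -FilePath $ToolPath -PassThru }
    Start-Sleep -Seconds $SampleAfterSeconds
    $during = Get-WorkingSetSnapshot
    $proc.WaitForExit()
    Compare-WorkingSetSnapshot -Before $before -After $during |
        Where-Object { $_.Status -eq 'new' -or $_.DeltaPrivate_KB -ne 0 -or $_.DeltaShared_KB -ne 0 } |
        Sort-Object Status, @{ Expression = 'DeltaPrivate_KB'; Descending = $true }
}

# Example invocation (placeholder path and arguments, not a specific tool):
# Measure-ToolFootprint -ToolPath 'C:\tools\ramcapture.exe' -Arguments '/output D:\case\mem.raw' |
#     Format-Table -AutoSize
```

Two points of interpretation matter when reading the output. First, the measuring host itself (the PowerShell process and the performance-counter provider it queries) also touches memory between the two snapshots, so its rows are part of the cost of observing and should be documented alongside the tool's footprint rather than subtracted silently; this is the same effect the abstract attributes to any action taken on the system. Second, the sample is taken while the dump is in progress because the tool's own process, and most of its working set, disappear once it exits; a snapshot taken after completion only shows the residual changes to other processes.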

Keywords

DFIR; Digital Forensics; Incident Response; RAM Memory; Windows; Impact of tools

