I'm going to go through a simple demonstration, from obtaining a RAM image to the tools you can use to analyze it or carve files out of memory.
mdd is a Windows-based command-line tool that can dump the contents of RAM fairly fast.
command: mdd.exe -o ramimage.img
After mdd has dumped the RAM, I upload the image to a typical Linux distro for analysis (I use BackTrack 4).
I can then use the "strings" command and pipe the output to "grep" to search for keywords like 'password', 'vb_login', 'md5_password', 'confidential', 'secret', etc.
To get an idea of the websites browsed/visited while the machine was booted, I like to use the following (the image name matches the mdd output above):
- # strings ramimage.img | grep "Visited:" | more
- # strings ramimage.img | grep "Referer:" | more
xxd is a useful utility that gives you an alternative (hex) view of memory.
To carve files out of RAM I use scalpel or foremost. These programs carve by first locating the magic bytes (file headers) that identify candidate file types; the matching footer signature (or a maximum size) is then needed to delimit and carve out the entire file.
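The header/footer carving that scalpel and foremost perform, as an added example in Python (not code from the original post or from those tools); the JPEG/PNG signatures are the real ones, while the sample "RAM image" is constructed inline to stand in for the mdd dump:

```python
"""Minimal header/footer file carver, illustrating what scalpel/foremost do.

Added example, not part of the original post. The sample image below is
constructed; a real run would read the mdd dump (ramimage.img) instead.
"""
import re
from typing import List, Tuple

# Real magic bytes: (header, footer, max_size) per type. max_size bounds the
# footer search, like the size field of a scalpel.conf entry.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9", 10_000_000),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82", 10_000_000),
}


def carve(image: bytes, signatures=SIGNATURES) -> List[Tuple[str, int, bytes]]:
    """Return (type, offset, data) for every header with a footer in range.

    Carving is purely pattern based (a RAM image has no filesystem to
    consult), so expect false positives and truncated files on real dumps:
    a header whose footer never appears is skipped rather than guessed.
    """
    found = []
    for ftype, (header, footer, max_size) in signatures.items():
        for m in re.finditer(re.escape(header), image):
            start = m.start()
            window = image[start:start + max_size]
            end = window.find(footer, len(header))
            if end == -1:
                continue  # orphan header: no footer inside the size window
            found.append((ftype, start, window[:end + len(footer)]))
    return found


# Constructed sample "RAM image": padding, a tiny fake JPEG, a tiny fake
# PNG, and a stray JPEG header with no footer (must be skipped).
SAMPLE_IMAGE = (
    b"\x00" * 16
    + b"\xff\xd8\xff\xe0JFIF-payload\xff\xd9"
    + b"noise" * 4
    + b"\x89PNG\r\n\x1a\nIHDR-chunk-data\x00IEND\xaeB`\x82"
    + b"\xff\xd8\xff\xe1orphan header, no footer"
)

if __name__ == "__main__":
    # Same naming convention as the carving tools: type and byte offset.
    for ftype, offset, data in carve(SAMPLE_IMAGE):
        print(f"{offset:08x}.{ftype}  {len(data)} bytes")
```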
Autopsy is a more enterprise-oriented suite that combines ease of use and a nice interface with the methods discussed earlier. It groups investigations into cases and keeps everything you do organized. This tool is used by many professional organizations for investigating cyber criminals, etc., but shouldn't be used by itself as an entire forensics solution.