Recover Image Files from Volatile Memory
Random-Access Memory (RAM) is a volatile form of computer memory that can be read and changed in any order, typically used to store working data and machine code.
A computer’s RAM stores data for short-term use. RAM works in conjunction with the hard drive, which takes care of long-term storage, to provide quick access to files that the computer is actively reading or writing.
In this article, demonstrate how to dump RAM image and recover files from image.
- For the demonstrate, open jpg file.
2.Get Image file of RAM using MAGNET RAM Capture
MAGNET RAM Capture is a free imaging tool designed to capture the physical memory of a computer. In application set save location and start. It will save as a .raw file.
(Download link - https://www.magnetforensics.com/resources/magnet-ram-capture/)
3.Open PhotoRec
Select .raw file to analyze and destination to save recovering files. Then click search.
(Download link - https://www.cgsecurity.org/wiki/PhotoRec)
It will recover files and save to given location.
In save location has some folders. These folders include recovered files what RAM holds.
Can get all these files which in folders. (.pdf,.txt, ico,.zip,.gz, .xml, etc. files which in RAM had)
Search and found our target .jpg file.
References
1. https://www.magnetforensics.com/resources/magnet-ram-capture/
2. https://www.cgsecurity.org/wiki/PhotoRec_Step_By_Step
3. https://searchstorage.techtarget.com/definition/RAM-random-access-memory
4. https://www.ghacks.net/2015/04/20/how-to-use-photorec-gui-to-recover-lost-digital-photos-and-files/
