Memory Acquisition — Baseline Captures and Evidence Integrity
Memory Acquisition
Memory acquisition is the step that decides whether you can investigate at all. When the alert fires and the workstation needs to be reimaged for the morning board meeting, the thirty minutes between "we need to acquire" and "we have an image" determines whether the investigation that follows is possible. Memory forensics is operational baseline per MF0, but only if acquisition is operational baseline first — and that's the gap this module closes. Acquisition as a standard IR step, not a specialist exception. Acquisition under time pressure, business constraint, and uncertain attacker state. Acquisition from Windows and Linux systems, from hypervisors, from environments where the attacker actively resists capture.
This module builds on MF0's acquisition-trigger framework and produces the evidence that MF2 through MF9 analyze in depth. By the end, you'll have captured memory from both Target-Win and Target-Linux, verified the images structurally, assessed smear, documented the acquisitions to legal-readiness standard, and produced the baseline images every subsequent module compares against.
What you will learn
- The acquisition problem — smear, order of volatility, and why perfect acquisition doesn't exist. Every method trades off fidelity, footprint, and feasibility. The decision frame that determines the correct method for any given target.
- WinPmem — the open-source Windows acquisition standard. Driver architecture, execution procedure, five production failure modes (elevation, Tamper Protection, HVCI, disk space, format), and the four-step capture sequence.
- LiME and AVML — Linux acquisition with kernel-module version coupling (LiME) and userspace capture without version constraints (AVML). When each is the right tool, and LiME's network-capture mode for minimal disk footprint.
- Hypervisor-based acquisition — suspend the VM from outside, copy the .vmem file, resume. Zero smear, zero guest footprint. The gold standard when hypervisor access is available, and the default method for this course's lab.
- Pagefile and swap as memory-adjacent evidence — what pagefile.sys, hiberfil.sys, and Linux swap contain forensically, how to collect them alongside RAM, and how Volatility 3's --swap flag enables page resolution for paged-out data.
- Acquisition verification and integrity — what the SHA-256 hash actually proves for memory images (file integrity, not source fidelity), the four structural checks beyond hashing, and the acquisition record template that satisfies ACPO, CPR 35, and Daubert simultaneously.
- Smear detection and acquisition quality — three techniques for measuring smear (process-list cross-validation, structure-field consistency, timestamp-span analysis) and the per-finding assessment discipline that distinguishes smear from attacker activity.
- Anti-acquisition techniques — anti-VM detection, memory wiping, acquisition-tool detection, and evidence degradation. What each looks like, how to detect it, and the operational countermeasures.
- Clean baseline captures — producing the two documented baseline images (Windows and Linux) that every paid module's attack-modified capture is compared against.
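The verification bullet above separates what a hash proves (the file has not changed since capture) from whether the capture is structurally usable. The script below is an added illustration, not the course's tooling: its sanity checks are an assumed set, not the module's four, and the sample image, host name, tool name and record fields are constructed placeholders.

```python
import hashlib
import io
import json
from datetime import datetime, timezone

PAGE_SIZE = 4096  # granularity used for the structural checks on a raw image


def hash_and_check(stream, expected_ram_bytes):
    """One streaming pass over a raw image: SHA-256 plus structural sanity checks.
    The hash proves the file has not changed since capture; the checks (an
    illustrative set, an assumption) catch images that hash fine but cannot be a
    usable capture: truncated, not page-aligned, or almost entirely zero pages."""
    h = hashlib.sha256()
    size = zero_pages = pages = 0
    for page in iter(lambda: stream.read(PAGE_SIZE), b""):
        h.update(page)
        size += len(page)
        pages += 1
        if not any(page):
            zero_pages += 1
    zero_ratio = zero_pages / pages if pages else 1.0
    checks = {
        "size_page_aligned": size % PAGE_SIZE == 0,
        "size_matches_expected_ram": size == expected_ram_bytes,
        "not_truncated": size >= expected_ram_bytes,
        "zero_page_ratio": round(zero_ratio, 3),
    }
    checks["plausible"] = (checks["size_page_aligned"]
                           and checks["size_matches_expected_ram"]
                           and zero_ratio < 0.95)
    return h.hexdigest(), size, checks


def acquisition_record(stream, expected_ram_bytes, host, tool, tool_version, operator):
    """Minimal chain-of-custody record: who captured what, with which tool, when,
    plus the hash and checks a reviewer can re-run against the same file later."""
    digest, size, checks = hash_and_check(stream, expected_ram_bytes)
    return {"host": host, "tool": tool, "tool_version": tool_version, "operator": operator,
            "acquired_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "image_size_bytes": size, "expected_ram_bytes": expected_ram_bytes,
            "sha256": digest, "structural_checks": checks}


def record_for_bytes(data, expected_ram_bytes, **meta):
    return acquisition_record(io.BytesIO(data), expected_ram_bytes, **meta)


def record_for_file(path, expected_ram_bytes, **meta):
    with open(path, "rb") as f:  # streams, so multi-GB images are fine
        return acquisition_record(f, expected_ram_bytes, **meta)


# Constructed 16-page sample "image": 12 pages of filler content, 4 zero pages.
SAMPLE_IMAGE = bytes(range(256)) * (12 * PAGE_SIZE // 256) + b"\x00" * (4 * PAGE_SIZE)
SAMPLE_META = dict(host="target-win (lab placeholder)", tool="winpmem",
                   tool_version="<version placeholder>", operator="analyst")

if __name__ == "__main__":
    print(json.dumps(record_for_bytes(SAMPLE_IMAGE, len(SAMPLE_IMAGE), **SAMPLE_META), indent=2))
```

For a real capture, call record_for_file with the expected size taken from the host's physical RAM and store the JSON alongside the image; a later re-hash that matches proves file integrity only, exactly as the bullet says.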
Prerequisites
MF0 (Memory Forensics Landscape and Lab Setup) is a hard prerequisite. The four acquisition triggers, the six-phase workflow, the three-tier confidence framework, and the legal context from MF0.8 are assumed knowledge throughout MF1. A practitioner starting this module without MF0 will find the acquisition decisions feel arbitrary — they aren't; they're driven by the framework MF0 establishes. Work through MF0 first.