How to do it…

The steps for Windows memory acquisition using Belkasoft Ram Capturer are as follows:

1. The first thing you must do is learn what kind of system you are dealing with x32 or x64. It's really easy to do right-click Computer and choose Properties. In our case, it's x64. So our choice is RamCapture64.exe.
2. After starting, we will get information about the physical memory page size and its total size.
3. Now select the output folder path make sure it's your flash drive and not the local system drive.
4. After that just click Capture!

As a result, we get a file with .mem extension of the same size as the total physical memory. By default, you have the date of acquisition as the filename, but we highly recommend renaming it, and adding more information for identification purposes: operating system version, edition, computer name, and other information.

That's it! The image is ready for further analysis with memory forensics tools.