Showing posts from June, 2020

Sherlock Recovering the Volatile Data

In this blog we learn how to recover data from RAM memory. This is the part of the dead analysis of the digital forensic investigation.

Constable Clark: Mr. Sherlock! We have a case for you. A company has reported a data theft case in which confidential data of the company was compromised. We have already identified some of the suspects by analysing the company's logs. The Chief of Police wants you to look into the case.

Sherlock: Watson, let's visit the company, create an image of the RAM and analyse the data.

Software required to create the image of RAM: FTK Imager.

Step 1: Install FTK Imager on the victim computer.

Step 2: Open FTK Imager and click on Capture Memory.

Step 3: Browse to the location where the dump file should be saved, then click Capture Memory.

Watson: Sherlock, all the files are backed up onto the hard drive.

Sherlock: Let's analyse them in the forensics workstation.

Workstation requirements: Kali Linux with Volatility installed. To install Volatility, sudo apt-
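Between the capture on the victim machine and the analysis on the workstation, the one thing an examiner must be able to show is that the dump Volatility reads is byte-for-byte the dump FTK Imager wrote. The following script is an added example for this post (it is not code from the blog, from FTK Imager or from Volatility): it streams the dump through SHA-256 right after acquisition, writes the hash, size and timestamp to a sidecar custody file (the `.custody.json` naming is an assumed convention), re-verifies the dump on the workstation, and builds the Volatility invocation for the verified image. The `volatility_command` helper assumes Volatility 3 command-line syntax; `demo()` creates a small constructed dump in a temporary directory so the flow can be run offline.

```python
import hashlib
import json
import os
import tempfile
import time
from pathlib import Path


def sha256_file(path, chunk_size=1024 * 1024):
    """Hash the file in 1 MiB chunks so multi-gigabyte RAM dumps never have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def _sidecar(dump_path):
    # Assumed convention: memdump.mem -> memdump.mem.custody.json, kept beside the dump.
    dump_path = Path(dump_path)
    return dump_path.with_name(dump_path.name + ".custody.json")


def record_acquisition(dump_path, examiner, notes=""):
    """Taken immediately after FTK Imager finishes: hash, size, UTC time and examiner name."""
    dump_path = Path(dump_path)
    record = {
        "file": dump_path.name,
        "size_bytes": dump_path.stat().st_size,
        "sha256": sha256_file(dump_path),
        "acquired_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "examiner": examiner,
        "notes": notes,
    }
    _sidecar(dump_path).write_text(json.dumps(record, indent=2))
    return record


def verify_acquisition(dump_path):
    """Run on the analysis workstation before any plugin is executed.

    Returns (ok, expected_sha256, actual_sha256); ok is False if either the
    hash or the size differs from what was recorded at acquisition time."""
    dump_path = Path(dump_path)
    record = json.loads(_sidecar(dump_path).read_text())
    actual = sha256_file(dump_path)
    size_ok = dump_path.stat().st_size == record["size_bytes"]
    return (actual == record["sha256"] and size_ok, record["sha256"], actual)


def volatility_command(dump_path, plugin="pslist"):
    """Volatility 3 style invocation (assumption): vol -f <image> windows.<plugin>."""
    return ["vol", "-f", str(dump_path), f"windows.{plugin}"]


def demo():
    """Constructed walk-through: capture, record, verify, tamper, verify again."""
    workdir = tempfile.mkdtemp(prefix="memdump_")
    dump = os.path.join(workdir, "memdump.mem")
    with open(dump, "wb") as fh:
        fh.write(b"abc")  # constructed stand-in for a real RAM image
    record_acquisition(dump, examiner="Watson", notes="constructed sample dump")
    ok_before, expected, actual_before = verify_acquisition(dump)
    # Simulate a corrupted or altered copy arriving at the workstation.
    with open(dump, "r+b") as fh:
        fh.seek(1)
        fh.write(b"X")
    ok_after, _, actual_after = verify_acquisition(dump)
    return {
        "sha256_before": actual_before,
        "expected": expected,
        "ok_before": ok_before,
        "ok_after_tamper": ok_after,
        "sha256_after": actual_after,
        "command": volatility_command(dump),
    }


if __name__ == "__main__":
    result = demo()
    print("verified after acquisition:", result["ok_before"])
    print("verified after tampering:  ", result["ok_after_tamper"])
    if result["ok_before"]:
        print("run:", " ".join(result["command"]))
```

In practice `record_acquisition` is run on the victim machine right after FTK Imager's Capture Memory completes, and `verify_acquisition` is the first command on the Kali workstation; a mismatch means the dump was altered or corrupted in transit and should not be analysed until a clean copy is obtained.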