Belkasoft RAM Capturer

Product
Developers: BelkaSoft (Belkasoft)
Last Release Date: March, 2013

Content

In March 2013, Belkasoft released a tool that lets forensic examiners capture an image of the RAM of computers protected by active anti-debugging systems. The free Belkasoft RAM Capturer program ships with 32-bit and 64-bit drivers that run in the operating system's kernel mode.

Running in kernel mode lets the program bypass the protection set up by active anti-debugging systems. As a result, Belkasoft RAM Capturer can obtain an exact snapshot of the RAM regions that remain inaccessible to similar programs running in user mode.

A memory image captured with Belkasoft RAM Capturer can be analyzed with Belkasoft Evidence Center, the company's forensic product, using its Live RAM Analysis function. Examining a computer's RAM image lets forensic examiners find data that never reaches the hard drive, such as chats, social-network communications and conversations in online multiplayer games.

Capturing RAM snapshots of protected processes

Many programs, including popular multiplayer games as well as malware, protect their processes from inspection with debugging tools. Such programs use active anti-debugging systems that can detect, and in one way or another block, attempts by other programs to read data from the memory regions occupied by the protected processes. At best, the attempt to use a debugger simply fails: instead of the information the examiner is interested in, the protected region yields zeros or random data. At worst, the computer hangs, making further examination impossible.

Preventing this outcome requires tools that run in the operating system's kernel mode. Belkasoft RAM Capturer includes 32-bit and 64-bit versions of kernel-mode drivers that correctly handle the data regions belonging to protected processes.

Comparison with similar tools

Belkasoft's experts tested popular memory-imaging products. The tools tested were AccessData FTK Imager 3.0.0.1443, PMDump 1.2 and the company's own product, Belkasoft RAM Capturer.

The protected game Karos was chosen for the test. During testing, Karos was launched and a conversation was held in the game's internal chat. Then, without closing the game, an attempt was made to capture a memory image with one of the tools.

The test showed that AccessData FTK Imager 3.0.0.1443 returned zeros instead of meaningful data, and PMDump 1.2 could not read the memory region occupied by the protected process. Belkasoft RAM Capturer was the only tool that produced a correct and exact image of the protected process's data.
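
The failure mode seen in this test, a tool returning zeros where process data should be, can be screened for in any captured image. The following is an added example, not Belkasoft's code: it assumes a raw (flat) memory image and a 4096-byte page size, and the function names, threshold and sample data are constructed for illustration. All-zero pages also occur in normal RAM, so a long run is only a cue to compare against a second acquisition.

```python
import io

PAGE_SIZE = 4096  # assumption: 4 KiB pages in a raw (flat) image


def zero_page_runs(stream, min_pages=16, page_size=PAGE_SIZE):
    """Scan a raw memory image for long runs of all-zero pages.

    Returns (runs, total_pages, zero_pages); runs holds one
    (byte_offset, page_count) tuple per stretch of at least
    min_pages consecutive zero-filled pages.
    """
    runs, total, zero = [], 0, 0
    run_start, run_len = None, 0

    def close_run():
        # Record the current run only if it is long enough to matter.
        if run_start is not None and run_len >= min_pages:
            runs.append((run_start, run_len))

    while True:
        page = stream.read(page_size)
        if not page:
            break
        if not any(page):  # every byte in this page is 0x00
            zero += 1
            if run_start is None:
                run_start, run_len = total * page_size, 0
            run_len += 1
        else:
            close_run()
            run_start = None
        total += 1
    close_run()  # a run may extend to the end of the image
    return runs, total, zero


def build_sample_image():
    """Constructed sample: data, a 20-page zero gap, data, 3 zero pages, data."""
    data = b"\xa5" * PAGE_SIZE
    zeros = bytes(PAGE_SIZE)
    return data * 4 + zeros * 20 + data * 2 + zeros * 3 + data


if __name__ == "__main__":
    runs, total, zero = zero_page_runs(io.BytesIO(build_sample_image()))
    print(f"{zero}/{total} pages are zero-filled")
    for offset, count in runs:
        print(f"suspect gap: offset 0x{offset:x}, {count} pages")
```

For a real image, pass a file opened in binary mode instead of the in-memory sample.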

System requirements and compatibility

Belkasoft RAM Capturer is compatible with all 32-bit and 64-bit versions of Windows, including Windows XP, Windows Vista, Windows 7 and 8, and Windows Server 2003 and 2008. The program does not require installation and can be launched from an external flash drive.

Cost

Belkasoft RAM Capturer is distributed for free.