
Memory Acquisition Certificate: Certify a RAM Capture and Its Hash


[Image: memory acquisition certificate showing RAM capture details and the memory image hash]
Introduction

For DFIR teams and incident responders, the first hour of an investigation often hinges on one fragile artefact: the contents of a system's RAM. Volatile memory holds the live state of a machine: running processes, open network connections, malware that never touched disk, and sometimes the very keys that unlock encrypted volumes. The moment the machine is powered off or rebooted, that evidence is gone. Once you have captured a memory image, you need a clean way to record how it was taken and to prove the image has not changed since. A memory acquisition certificate is that record. This article explains what it contains, why volatile memory matters, and how e-Dex (formerly Hash Calculator) produces one on your own machine.

What Is a Memory Acquisition Certificate

A memory acquisition certificate is a short, structured document that attests to two things: that the volatile memory of an identified system was acquired using a recorded tool and method, and that the cryptographic hash of the resulting memory image is faithfully reproduced. It does not claim to interpret what the memory contains — that is the work of analysis. Its job is narrower and more durable: to fix, in one verifiable page, the circumstances of the capture and the fingerprint of the image, so that anyone who later receives the image can confirm it is exactly what was acquired. It is the volatile-memory companion to the disk and file-level evidence integrity certificate.

What's Inside It

The certificate gathers the facts a reviewer needs to trust the capture. Drawing on a real e-Dex template, a memory acquisition certificate records:

System identity — the source device that was captured, by name, type, make and model (for example a Dell OptiPlex desktop workstation), so the image is tied to a specific machine.
Capture tool and method — the acquisition tool used (such as a named RAM capture utility and version), together with the recorded system state, for example "powered on, user logged in," and the acquisition timestamp. The tool name and version are evidence in their own right, not an optional detail: the capture utility runs on the live system and itself occupies and alters some of the memory it is imaging, so a reviewer needs to know exactly what was running at the moment of acquisition.
Memory image size — the size of the RAM that was captured and the size in bytes of the resulting image file, so the artefact is unambiguous.
Image hash — the cryptographic hash (for example SHA-256) computed over the memory image, listed in an annexure alongside a per-file verification status.
Integrity seal — an overall SHA-256 seal computed over the sealed content of the certificate itself, so any later edit to the document is detectable.
Declaration — a signed statement that the volatile memory was acquired using the tool and method recorded, that the hash values were computed with e-Dex, and that the verification result reflects the integrity of the image against the recorded values.

Why Volatile Memory Matters

Disk forensics is mature and well understood, but a great deal of modern evidence never persists to disk at all. Fileless and in-memory malware runs entirely in RAM. Encryption keys, decrypted documents and plaintext passwords often live only in memory while a session is active. The full list of running processes and live network connections — who the machine was talking to, and how — is a memory artefact. All of this is volatile: it vanishes when power is lost. That is why responders follow the order of volatility, capturing the most fragile evidence first. RAM sits near the very top of that list, ahead of disk images, which is why a clean, certified memory capture is so often the difference between a usable investigation and a dead end. For the wider role of hashing in this workflow, see our guide to the role of hashing in digital forensics.

How e-Dex Generates the Certificate

e-Dex does not capture the RAM itself. You take the memory image with a dedicated acquisition tool, then bring the resulting image file to e-Dex. From there the flow is straightforward. Open the Certificate Generator and choose the Memory Acquisition template. Fill in the fields: the source device details, the capture tool and method, the system state and acquisition time, and the memory image file, which e-Dex hashes locally. Hash the image as soon as the acquisition completes and before it is copied or moved, so the certificate carries the earliest fingerprint of the artefact. Review the populated certificate, then optionally sign it with a PAdES digital signature using a Digital Signature Certificate on a USB token and timestamp it with an RFC-3161 trusted timestamp. Finally, export the certificate as a PDF. Every step except the optional timestamp, which needs to reach a Time-Stamping Authority, runs entirely on your own Windows machine, so the memory image never leaves your control.

Verifying the Certificate Offline

A certificate is only as useful as the ability to check it later. To verify the capture, recompute the hash of the memory image with e-Dex, or with any other standard SHA-256 implementation, and compare it against the image hash listed in the annexure. A match means the image is, to the strength of SHA-256, byte for byte the one that was acquired; a mismatch means at least one byte has changed. The recorded size in bytes is a cheap first check before the full hash, since a truncated or padded image fails it immediately. To verify the certificate document itself, recompute SHA-256 over its sealed content and confirm the result equals the integrity seal printed on the page; any change to the sealed text breaks the seal. Be clear about what the seal proves: it shows the content matches the seal value you hold, but someone who can rewrite the page can also recompute the seal, so the seal's authority comes from the PAdES signature and RFC-3161 timestamp over it, or from a copy of the seal value recorded elsewhere, such as the chain-of-custody log. Where the certificate was signed and timestamped, a standard PDF reader can validate the PAdES signature and the RFC-3161 timestamp, provided the signer's and TSA's certificate chains are available locally; revocation checking offline needs validation data embedded in the PDF. With that in place, all of these checks work without an internet connection, which matters in secure or air-gapped environments.
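The two checks just described, and the offline verification answer in the FAQ below, as a worked example added here; this script is not e-Dex code. It assumes a JSON certificate layout (a `sealed` object holding the system, capture and annexure fields, plus a top-level `integrity_seal`) and assumes the seal is SHA-256 over the canonical JSON of that object; e-Dex's actual machine-readable export and its seal serialisation may differ, so substitute the documented layout. The "RAM image", the device name and the tool name are constructed demo data, and the script deliberately tampers with a copy of the certificate and then with the image to show each check failing.

```python
"""Independent, offline verification of a memory acquisition certificate.

Added example, not e-Dex code. ASSUMPTION: the certificate is JSON with a
'sealed' object (system, capture, annexure) and a top-level 'integrity_seal'
that is SHA-256 over the canonical JSON of 'sealed'. e-Dex's real export and
seal serialisation may differ; the procedure (hash the image, compare with the
annexure, rehash the sealed content, compare with the seal) is what the article fixes.
"""
import hashlib
import hmac
import json
import os
import tempfile

CHUNK = 1024 * 1024  # 1 MiB reads: a RAM image is multi-GB, never load it whole


def sha256_file(path):
    """Stream SHA-256 over a file; memory use stays at one chunk regardless of size."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def seal_of(cert):
    """Recompute the integrity seal over the sealed content (assumed canonical JSON)."""
    canonical = json.dumps(cert["sealed"], sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def verify(cert, image_dir):
    """Return {'seal_ok': bool, 'files': {name: bool}}; comparisons are constant-time."""
    seal_ok = hmac.compare_digest(seal_of(cert), cert["integrity_seal"].lower())
    files = {}
    for entry in cert["sealed"]["annexure"]:
        path = os.path.join(image_dir, entry["file"])
        # Size first (cheap, and recorded on the certificate), then the full hash.
        ok = os.path.getsize(path) == entry["size_bytes"] and hmac.compare_digest(
            sha256_file(path), entry["sha256"].lower())
        files[entry["file"]] = ok
    return {"seal_ok": seal_ok, "files": files}


def build_demo(tmp):
    """Constructed demo data: a fake 'RAM image' and a certificate that matches it."""
    name = "WS-0042_memdump.raw"  # hypothetical device name and file
    data = os.urandom(3 * CHUNK + 17)  # not a real capture; odd length exercises the loop
    with open(os.path.join(tmp, name), "wb") as f:
        f.write(data)
    sealed = {
        "system": {"name": "WS-0042", "type": "desktop workstation"},
        "capture": {"tool": "Example RAM Imager 1.0 (hypothetical)",
                    "state": "powered on, user logged in",
                    "acquired_at": "2024-01-01T00:00:00Z"},
        "annexure": [{"file": name, "size_bytes": len(data),
                      "sha256": hashlib.sha256(data).hexdigest()}],
    }
    cert = {"sealed": sealed}
    cert["integrity_seal"] = seal_of(cert)
    return cert, os.path.join(tmp, name)


def run_demo():
    """Genuine pair verifies; an edited certificate breaks the seal; a modified image breaks the hash."""
    with tempfile.TemporaryDirectory() as tmp:
        cert, image = build_demo(tmp)
        genuine = verify(cert, tmp)

        # Edit one recorded fact in a copy of the certificate: the seal no longer
        # matches, while the untouched image still verifies against the annexure.
        edited = json.loads(json.dumps(cert))
        edited["sealed"]["capture"]["state"] = "powered off"
        tampered_cert = verify(edited, tmp)

        # Flip a single bit deep inside the image: the size is unchanged, the hash is not.
        with open(image, "r+b") as f:
            f.seek(2 * CHUNK + 5)
            b = f.read(1)[0]
            f.seek(2 * CHUNK + 5)
            f.write(bytes([b ^ 0x01]))
        tampered_image = verify(cert, tmp)
    return {"genuine": genuine, "tampered_cert": tampered_cert, "tampered_image": tampered_image}


if __name__ == "__main__":
    for label, result in run_demo().items():
        print(f"{label:15} seal_ok={result['seal_ok']} files={result['files']}")
```

Two design points carry over to real use. The image is hashed in fixed-size chunks so a 64 GB capture needs no more memory than a 6 MB one, and the expected values are taken from the certificate you hold (ideally the printed or signed copy, not only the machine-readable file), because a recomputed seal only proves the content matches whatever seal value you trust.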

Sample Memory Acquisition Certificate

This is a real certificate produced by e-Dex, shown with fictitious case data, for illustration only. Recompute the SHA-256 seal printed on it to watch the integrity check work. The sample is available as a PDF and in machine-readable HTML, JSON and XML, alongside the other sample certificates.

Frequently Asked Questions

What is a memory acquisition certificate?
A memory acquisition certificate is a short, structured document that records how the volatile memory (RAM) of a system was captured and reproduces the cryptographic hash of the resulting memory image. It identifies the source device, the acquisition tool and method, the image size and the system state, then seals those details with an integrity hash so the capture can be verified later. It is the volatile-evidence counterpart to a disk imaging or file integrity certificate.

Why is volatile memory important in digital forensics?
RAM holds evidence that exists nowhere on disk: running processes, network connections, injected or fileless malware, decrypted data and, in many cases, encryption keys and passwords. Because that state disappears the moment a machine is powered off, RAM sits near the top of the order of volatility and should be captured before shutting down or imaging the disk. A memory acquisition certificate records that the capture was taken and preserves its hash.

Does e-Dex capture the RAM itself?
No. You capture the memory image with a dedicated acquisition tool such as a RAM imager, then point e-Dex at the resulting image file. e-Dex computes the cryptographic hash of that image, records the acquisition details you enter and produces the certificate. It documents and seals the integrity of the capture; it does not perform the live acquisition.

Does generating a memory acquisition certificate require an internet connection?
No. e-Dex runs fully offline on your own Windows machine. Hashing the memory image, filling in the template and generating the certificate all happen locally, so the image never leaves your computer. An internet connection is only needed if you choose to apply an RFC-3161 trusted timestamp from a Time-Stamping Authority.

How do I verify a memory acquisition certificate offline?
Recompute the cryptographic hash of the memory image with e-Dex, or any other standard SHA-256 implementation, and compare it against the image hash printed on the certificate. To check the certificate document itself, recompute SHA-256 over the sealed content and confirm it equals the integrity seal stated on the page. If the certificate was PAdES signed and RFC-3161 timestamped, a PDF reader can validate the signature and timestamp, given the certificate chains and any embedded validation data. All of this works without an internet connection.

Conclusion

Volatile memory is among the richest and most perishable evidence an investigator will ever handle, and a capture is only as defensible as the record behind it. A memory acquisition certificate turns a fleeting RAM image into a documented, hash-sealed artefact: this image, from this machine, taken this way, with this fingerprint. If you also need disk and file-level proof, our forensic examination certificate guide covers the broader picture. You can produce a memory acquisition certificate in minutes, offline, on a single Windows machine with e-Dex — the Digital Evidence Integrity Suite. Download it free and start certifying your captures.