Data acquisition
Published: 2026-05-19 16:58 | Last Updated: 2026-05-22 12:33
Memory collection
Because the lab is built on VMware infrastructure, the easiest way to collect memory from the lab's hosts is to copy the .vmem and .vmss files from the host folders.
In real-world scenarios, it's preferable to use professional data acquisition tools such as DumpIt or Belkasoft RAM Capturer.
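As an added example (not part of the original write-up), the copy step above can be scripted so that each .vmem/.vmss file is hashed before and after copying and recorded in a manifest. The folder names, file names and `manifest.json` are assumptions, and the demo runs on constructed placeholder files rather than real memory images.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

WANTED = (".vmem", ".vmss")  # the two file types the write-up copies


def sha256(path, chunk=1 << 20):
    """Hash a file in chunks so multi-GB memory images do not fill RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        while block := f.read(chunk):
            h.update(block)
    return h.hexdigest()


def collect(vm_dir, evidence_dir):
    """Copy .vmem/.vmss files, verify each copy, and write a manifest."""
    vm_dir, evidence_dir = Path(vm_dir), Path(evidence_dir)
    sources = sorted(p for p in vm_dir.iterdir() if p.suffix.lower() in WANTED)
    missing = set(WANTED) - {p.suffix.lower() for p in sources}
    if missing:  # refuse a partial collection instead of silently continuing
        raise FileNotFoundError(f"{vm_dir} lacks {sorted(missing)}")
    evidence_dir.mkdir(parents=True, exist_ok=True)
    manifest = []
    for src in sources:
        before = sha256(src)
        dst = evidence_dir / src.name
        shutil.copy2(src, dst)  # copy2 keeps the original timestamps
        if sha256(dst) != before:
            raise IOError(f"hash mismatch after copying {src.name}")
        manifest.append({"file": src.name, "size": dst.stat().st_size, "sha256": before})
    (evidence_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def demo():
    """Run against a constructed VM folder (placeholder contents, hypothetical names)."""
    with tempfile.TemporaryDirectory() as tmp:
        vm = Path(tmp, "WS01")
        vm.mkdir()
        (vm / "WS01-Snapshot1.vmem").write_bytes(b"constructed memory bytes")
        (vm / "WS01-Snapshot1.vmss").write_bytes(b"constructed state bytes")
        (vm / "WS01.vmx").write_text("ignored")  # other VM files are left alone
        return collect(vm, Path(tmp, "evidence", "WS01"))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```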
Disk collection
For simplicity, and because I won't use Autopsy to reconstruct files, I would use KAPE on WS01 for disk acquisition.
Tip: The best practice is to use a USB drive with portable KAPE installed and save the extracted evidence to the USB drive itself.

The same process is applied to DC01.

All the evidence is collected! Let's head to the core part of the project.