Data acquisition

📅 Published: 2026-05-19 16:58 | 🔄 Last Updated: 2026-05-22 12:33


Memory collection

Because the lab is built on VMware infrastructure, the easiest way to collect memory from the lab's hosts is to copy the .vmem and .vmss files from the host folders.

In real-world scenarios, it's preferable to use professional data acquisition tools such as DumpIt or Belkasoft RAM Capturer.
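An added example (not part of the original write-up) of doing the .vmem/.vmss copy described above with an integrity check: it hashes each file before and after copying and writes a SHA-256 manifest next to the copies. It assumes the two files of one suspended VM share a base name; the function names, the manifest file name and the directory arguments are hypothetical.

```python
import hashlib
import shutil
from pathlib import Path

MEMORY_SUFFIXES = {".vmem", ".vmss"}  # the two file types named above


def sha256_file(path, chunk_size=1024 * 1024):
    """Hash a file in chunks so multi-GB memory images do not fill RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def collect_vm_memory(vm_dir, evidence_dir):
    """Copy each .vmem/.vmss pair from vm_dir and verify the copies.

    Returns (manifest, unpaired): manifest maps file name -> SHA-256 of the
    verified copy; unpaired lists base names that lack one of the two files.
    """
    vm_dir, evidence_dir = Path(vm_dir), Path(evidence_dir)
    evidence_dir.mkdir(parents=True, exist_ok=True)

    # Assumption: both files of one suspended VM share a base name,
    # e.g. WS01-abc.vmem belongs with WS01-abc.vmss.
    groups = {}
    for f in sorted(vm_dir.iterdir()):
        if f.is_file() and f.suffix.lower() in MEMORY_SUFFIXES:
            groups.setdefault(f.stem, {})[f.suffix.lower()] = f

    manifest, unpaired = {}, []
    for stem, files in groups.items():
        if set(files) != MEMORY_SUFFIXES:
            unpaired.append(stem)  # incomplete pair: report it, do not copy half
            continue
        for src in files.values():
            before = sha256_file(src)
            dst = evidence_dir / src.name
            shutil.copy2(src, dst)  # copy2 also preserves timestamps
            if sha256_file(dst) != before:
                raise IOError(f"hash mismatch after copying {src.name}")
            manifest[src.name] = before
    # Manifest in "hash  name" form, one line per collected file.
    (evidence_dir / "SHA256SUMS.txt").write_text(
        "".join(f"{h}  {n}\n" for n, h in sorted(manifest.items()))
    )
    return manifest, unpaired
```

Suspend the VM before copying so the .vmem and .vmss describe the same point in time.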

Disk collection

For simplicity, and because I won't use Autopsy to reconstruct files, I will use KAPE on WS01 for disk acquisition.

Tip

The best practice is to use a USB drive with portable KAPE installed and to save the extracted evidence to the USB drive itself.

The same process is applied to DC01.

All the evidence is collected! Let's head to the core part of the project.