How it works…

Belkasoft RAM Capturer operates in kernel mode (not in user mode like some other acquisition tools) with the help of 32-bit and 64-bit kernel drivers. It extracts the whole physical memory, even if it's protected, in a forensically sound manner, and saves it into a file with the .mem extension.