Digital evidence collection: Imaging vs RAM capture and associated challenges

The importance of accurate digital evidence collection

In digital forensics, every investigation is built on the same foundation – accurate digital evidence collection. This step isn’t just about finding information; it’s about preserving it in its original form so that it stands up in court as and when necessary.

Whether you’re working on a case of internal fraud, harassment, or something as intricate as intellectual property theft, the way evidence is collected always matters. If even a single file is altered, the investigation’s integrity can be compromised.

To manage this risk, digital forensics relies on specific techniques tailored to the type – and volatility – of data in question. Imaging and RAM capture are two main methods, each designed to address different needs in an investigation.

Let’s take a closer look.

Collecting digital evidence by imaging

Imaging is a digital evidence collection technique that involves making a forensically sound and repeatable copy of digital storage devices, such as internal, external and portable hard drives, memory cards, mobile devices, cloud storage repositories and even gaming consoles.

Imaging goes far beyond simply copying the visible files and metadata on a device, however. It can also recover deleted data (in as much detail as remains), search encrypted disks for hidden files, extract saved web passwords, and locate mobile backups on computers.

All of this data is preserved in its entirety, completely unaltered – a vital checkbox for ensuring evidence remains admissible.

Imaging is useful because it delivers:

  • A complete data snapshot: Imaging pulls everything off a device, including items a regular user wouldn’t be able to access.
  • Access to metadata: Metadata – such as file timestamps or modification details – can reveal key insights, like when a document was altered and by whom.
  • Encrypted data access: Imaging can even uncover encrypted sections, giving investigators a complete view of the device’s contents.

Typically, imaging is used for digital evidence collection in cases where investigators need to dig into the history of a device, recover deleted data, or build a comprehensive timeline.

Collecting digital evidence by RAM capture

RAM (Random Access Memory) capture, on the other hand, captures data that’s in a device’s volatile memory. Unlike the more permanent storage accessed in imaging, RAM is temporary, reflecting the system’s current state. This makes RAM capture especially valuable for cases where real-time information is crucial, like analysing active network connections, currently running processes, or encryption keys.

Once a device is shut down, all data in RAM disappears, so RAM capture needs to happen quickly.

RAM capture is useful because it delivers:

  • Real-time insights: RAM capture offers a snapshot of what’s actively happening on the system, like processes, network activity, and passwords.
  • Short-lived data preservation: Some data exists in RAM only momentarily, so RAM capture is invaluable for preserving it in real time.
  • Complementary data to imaging: RAM capture rounds out imaging by offering a live snapshot that reveals activities not accessible through stored data alone.


Together, imaging and RAM capture give investigators the full picture, letting them examine both the history of a device and the active processes running on it. This is especially helpful for cases where user behaviour and real-time system activity need to be analysed together.

Key differences between the two types of digital evidence collection

| Differences | Imaging | RAM Capture |
| --- | --- | --- |
| Persistence | Data on storage devices is persistent. | Data in RAM is temporary and will be lost when the system is shut down. |
| Scope | Imaging provides a comprehensive snapshot of all stored data and metadata. | RAM capture provides a snapshot of a system’s state and activities at a specific point in time. |
| Use cases | Ideal for historical analysis and recovering deleted/hidden files. | Essential for investigating live system activities, uncovering transient data, and complementing image capture. |

Challenges of collecting digital evidence in forensic investigations

Despite the effectiveness of these techniques, digital forensics faces several challenges that can make accurate data collection a tough task. Here are some of the main issues forensic teams face:

  • Data encryption: Increasing use of encryption technologies can make it difficult to access and/or interpret data without the appropriate keys or credentials.
  • Data overload: Digital data has exploded in volume, and managing this massive amount of information requires advanced tools and serious processing power.
  • Legal compliance: Collection methods have to comply with legal standards to keep evidence admissible, especially with cross-border investigations that add layers of complexity.
  • Diversity in devices and operating systems: There is a huge variety of devices on the market, from smartphones to cloud storage. Each requires specialised tools and knowledge – particularly when it comes to mobile devices and their various operating systems.
  • Maintaining data integrity: Preserving data exactly as it was found is critical, as even minor alterations can damage its reliability. Strict protocols and specialised tools help ensure data remains unaltered.
  • Chain of custody: To prove authenticity, each piece of evidence needs a clear, documented trail from collection to courtroom, showing that it’s been handled responsibly (and collected with appropriate authority and justification).
  • Remote and mobile data collection: Pulling data from remote servers or mobile devices has its own challenges due to connectivity issues and different storage methods.
  • Time pressure: Some investigations need a quick turnaround, requiring forensic teams to act fast without compromising accuracy. This is where experience and reliable tools make all the difference.
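
The data integrity and chain of custody points above are commonly enforced with cryptographic hashes. The following is an added example, not Salient's tooling or process: it streams SHA-256 over an image file and keeps a hash-chained custody log, so that an altered image or an edited log entry is detected. The file name, handlers and timestamps are constructed sample values.

```python
import hashlib, json, os, tempfile
GENESIS = "0" * 64  # "previous hash" for the first custody entry

def sha256_file(path, chunk_size=1 << 20):
    """Hash in chunks so a large image never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def _entry_hash(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def add_custody_entry(log, when, actor, action, image_path):
    """Append a record that commits to the image hash and the previous record."""
    body = {"when": when, "actor": actor, "action": action,
            "image_sha256": sha256_file(image_path),
            "prev": log[-1]["entry_hash"] if log else GENESIS}
    body["entry_hash"] = _entry_hash(body)
    log.append(body)

def verify(log, image_path):
    """Return a list of problems; an empty list means nothing was altered."""
    problems, prev = [], GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if entry["prev"] != prev:
            problems.append(f"entry {i}: chain link broken")
        if _entry_hash(body) != entry["entry_hash"]:
            problems.append(f"entry {i}: record edited after the fact")
        prev = entry["entry_hash"]
    if log and sha256_file(image_path) != log[0]["image_sha256"]:
        problems.append("image differs from acquisition hash")
    return problems

def demo():
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "evidence.img")
        with open(img, "wb") as f:  # constructed stand-in for a disk image
            f.write(b"\x00" * 4096 + b"constructed sample data")
        log = []
        add_custody_entry(log, "2024-01-01T09:00Z", "Examiner A", "acquired", img)
        add_custody_entry(log, "2024-01-01T14:00Z", "Examiner B", "received", img)
        before = verify(log, img)
        with open(img, "r+b") as f:  # simulate a single-byte alteration
            f.seek(10)
            f.write(b"\x01")
        return before, verify(log, img)
```

`demo()` returns the verification result before and after one byte of the sample image is changed; the custody entries still chain correctly, but the image no longer matches the hash recorded at acquisition.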

How Salient supports digital evidence collection

At Salient, our forensic data collection services tackle these challenges head-on, making sure that data remains secure, intact, and court-ready. Our imaging and RAM capture services are available both on-premises and in our lab to meet the unique demands of every case.

We support our clients with:

  • Secure, defensible imaging and capture: Our imaging and RAM capture processes are thorough and meet strict industry standards, ensuring evidence stays intact and admissible.
  • Scalable capabilities: We can handle investigations of any size or complexity, whether you’re dealing with thousands of files or need data from multiple devices.
  • Advanced forensic analysis: Beyond collection, our forensic analysts can help uncover actionable insights, providing deep analysis to identify patterns, timelines, and potential evidence.


When it comes to digital forensics, selecting the right data collection method is essential to preserving evidence integrity. With Salient’s expertise, you can navigate the complex digital investigation landscape, confident that every step follows the highest standards.
