# Memory

[**volatility**](https://downloads.volatilityfoundation.org/releases/2.4/CheatSheet_v2.4.pdf) – An advanced *memory* forensics framework.
  * **plugins**: findevilproc (label possible new candidates)

[**EVTXtract recovery**](https://github.com/williballenthin/EVTXtract) – EVTXtract recovers and reconstructs fragments of EVTX log files from raw binary data, including unallocated space and memory images.

**helix3** – Extract memory from Windows and send it via netcat to Linux (listener on the Linux side: `nc -l -vvv -p 8888 > memory.dd`).

[**FTK Imager**](https://accessdata.com/product-download/ftk-imager-version-4.2.0) – The *FTK Imager* tool is capable of both acquiring and analyzing computer forensic evidence.

**AccessData FTK Imager** – Mount disks.

[**Autopsy**](https://www.sleuthkit.org/autopsy/) – Autopsy is a digital forensics platform and graphical interface to [The Sleuth Kit®](https://www.sleuthkit.org/sleuthkit/index.php) and other digital forensics tools. It is used by law enforcement, military, and corporate examiners to investigate what happened on a computer. You can even use it to recover photos from your camera’s memory card.

**dumpit** – Windows live memory acquisition (a standalone app).

[**Processdump**](https://github.com/glmcdona/Process-Dump) – Process Dump is a Windows reverse-engineering command-line tool to dump malware memory components back to disk for analysis.

[**CheatEngine**](https://www.cheatengine.org/) – Cheat Engine, commonly abbreviated as CE, is an open-source memory scanner/hex editor/debugger created by Eric Heijnen (“Dark Byte”) for the Windows operating system.

[**PE-Sieve**](https://github.com/hasherezade/pe-sieve) – Scans a given process. Recognizes and dumps a variety of potentially malicious implants (replaced/injected PEs, shellcodes, hooks, in-memory patches).

[**Process Dump**](https://github.com/glmcdona/Process-Dump) – Windows tool for dumping malware PE files from memory back to disk for analysis.
