# Memory

[**volatility**](https://downloads.volatilityfoundation.org/releases/2.4/CheatSheet_v2.4.pdf) – An advanced *memory* forensics framework.\
**plugins**: findevilproc (label possible new candidates)

[**EVTXtract recovery**](https://github.com/williballenthin/EVTXtract) – EVTXtract recovers and reconstructs fragments of EVTX log files from raw binary data, including unallocated space and memory images.

**helix3** – Extracts memory from Windows and sends it via netcat to a Linux listener (on the Linux side: `nc -l -vvv -p 8888 > memory.dd`).

[**FTK Imager**](https://accessdata.com/product-download/ftk-imager-version-4.2.0) – The *FTK Imager* tool is capable of both acquiring and analyzing computer forensic evidence.

**AccessData FTK Imager** – Mount disks.

[**Autopsy**](https://www.sleuthkit.org/autopsy/) – Autopsy is a digital forensics platform and graphical interface to [The Sleuth Kit®](https://www.sleuthkit.org/sleuthkit/index.php) and other digital forensics tools. It is used by law enforcement, military, and corporate examiners to investigate what happened on a computer. You can even use it to recover photos from your camera’s memory card.

**dumpit** – Windows live memory acquisition (a standalone application).

[**Processdump**](https://github.com/glmcdona/Process-Dump) – Process Dump is a Windows reverse-engineering command-line tool to dump malware memory components back to disk for analysis.

[**CheatEngine**](https://www.cheatengine.org/) – Cheat Engine, commonly abbreviated as CE, is an open-source memory scanner/hex editor/debugger created by Eric Heijnen (“Dark Byte”) for the Windows operating system.

[**PE-Sieve**](https://github.com/hasherezade/pe-sieve) – Scans a given process. Recognizes and dumps a variety of potentially malicious implants (replaced/injected PEs, shellcodes, hooks, in-memory patches).

[**Process Dump**](https://github.com/glmcdona/Process-Dump) – Windows tool for dumping malware PE files from memory back to disk for analysis.
