If the computer you have to examinate has been shutdown, what is your best way to analyze volatile data ?

Question

Answer

Capture the RAM with a tool like FTK or WinPMEM

Answer

Download the Swapfile and the Pagefile : %SystemDrive%\pagefile.sys OR
%SystemDrive%\swapfile.sys

Answer

Restart the computer in a forensics environment

Answer

Collect the Kernel-mode
(crash) Dump files : %SystemRoot%\MEMORY.DMP

Answer

Get the Hibernation file : %SystemDrive%\hiberfil.sys

Crowdly