Magnet RAM Capture: a 2026 acquisition guide (and what to do next)
Magnet RAM Capture is a free, signed-driver memory acquisition tool from Magnet Forensics. It and DumpIt are the two defaults for Windows IR. This is the practical version: how to capture, what the output contains, and what to do with it next. For the broader context of where acquisition sits inside an investigation see the RAM forensics field guide and the side-by-side comparison of acquisition tools.
Why Magnet RAM Capture
Three reasons it became the de-facto default:
- Free. Magnet distributes it at no cost, separate from the commercial AXIOM suite.
- Signed driver. Critical on modern Windows with strict driver-signing enforcement. Unsigned acquisition tools simply will not load.
- Raw output. A .raw is the most portable thing you can hand to an analyzer. Volatility 3, Rekall, and ramparser all read it natively. See memory dump file formats for the formats that need conversion first.
What the capture contains
A raw physical memory image — a byte-for-byte copy of the host's RAM where file offset equals physical address. That means everything running, hidden or visible, is in there:
- Every process's address space (kernel + user).
- Loaded modules, kernel callbacks, page tables.
- Open file handles, network sockets, registry hives mapped into memory.
- Plaintext credentials, decrypted secrets, in-memory malware.
That sensitivity is also why client-side analysis matters: a RAM image is the worst kind of file to ship to a third-party SaaS.
The capture procedure
The how-to schema above has the step-by-step. The notes that did not fit there:
Speed and size
Plan for ~1 GB/min on modern NVMe-backed external storage. A 32 GB system takes ~30 minutes. If the write target is slower (FAT32 over USB 2.0, network share) it will be worse. Always benchmark in lab conditions before relying on the number for court timelines.
What can go wrong
- Driver fails to load. Almost always Secure Boot + driver-signing policy. Check whether a corporate EDR is blocking the Magnet driver.
- Out of space mid-capture. The output is the full RAM size, so a 64 GB host needs at least 64 GB free on the target. Plan for 2×.
- Write target is encrypted via the host. Do not write to a BitLocker volume on the host. You would be exercising the very stack you are trying to preserve.
- Host crashes. Rare but possible on systems with aggressive memory protection (some HVCI configurations). Partial dumps are occasionally still useful.
Hashing and chain of custody
After the capture finishes:
Get-FileHash HOST01-2026-05-25T14-32Z.raw -Algorithm SHA256
Record:
- Hostname and host serial / asset tag.
- UTC capture start / end timestamps.
- Capture tool + version (Magnet RAM Capture x.y.z).
- Output filename + SHA-256.
- Examiner name + organisation.
- Reason for capture (incident ID, ticket number).
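One way to script the hashing and record-keeping above, as an added example that is not Magnet's or the page's own code: it streams SHA-256 over the image in fixed-size chunks (so a 64 GB file is never read into memory at once), writes the listed fields to a JSON sidecar next to the dump, and re-verifies a copy by size first and then by hash, so a truncated or padded copy fails fast. Hostname, asset tag, ticket id, timestamps and the 1 MiB demo payload are constructed placeholders, not values from the page.

```python
"""Streamed SHA-256 and chain-of-custody record for a raw memory image.

Added example, not Magnet Forensics code. All identifying values used in
demo_run() are constructed placeholders.
"""
import hashlib
import json
from datetime import datetime, timezone
from pathlib import Path

CHUNK = 8 * 1024 * 1024  # 8 MiB per read; the image can be far larger than RAM on the analysis box


def sha256_file(path):
    """Return the hex SHA-256 of a file, streamed chunk by chunk."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_custody_record(image_path, hostname, asset_tag, tool_version,
                         examiner, organisation, reason, capture_start, capture_end):
    """Assemble the fields the article lists into a dict, hashing the image once."""
    p = Path(image_path)
    return {
        "hostname": hostname,
        "asset_tag": asset_tag,
        "capture_start_utc": capture_start,
        "capture_end_utc": capture_end,
        "tool": f"Magnet RAM Capture {tool_version}",
        "filename": p.name,
        "size_bytes": p.stat().st_size,
        "sha256": sha256_file(p),
        "examiner": examiner,
        "organisation": organisation,
        "reason": reason,
        "record_created_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
    }


def write_custody_record(record, out_path):
    """Persist the record as a JSON sidecar (keep it with the dump and in the case file)."""
    Path(out_path).write_text(json.dumps(record, indent=2))


def verify_image(image_path, record):
    """Re-check a copy against its record: size first (cheap), then full SHA-256."""
    p = Path(image_path)
    if p.stat().st_size != record["size_bytes"]:
        return False, "size mismatch"
    if sha256_file(p) != record["sha256"]:
        return False, "sha256 mismatch"
    return True, "ok"


def demo_run():
    """Exercise the flow on a constructed 1 MiB stand-in for a .raw image.

    Returns the outcomes as a dict rather than printing them. The payload is
    constructed test data, not a real memory image.
    """
    import tempfile

    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        image = Path(tmp) / "HOST01-2026-05-25T14-32Z.raw"
        payload = bytes(range(256)) * 4096  # 1 MiB of constructed bytes
        image.write_bytes(payload)

        record = build_custody_record(
            image,
            hostname="HOST01",                 # placeholder
            asset_tag="ASSET-PLACEHOLDER",     # placeholder
            tool_version="x.y.z",              # placeholder, as on the page
            examiner="Examiner Name",          # placeholder
            organisation="Example Org",        # placeholder
            reason="INC-PLACEHOLDER",          # placeholder incident id
            capture_start="2026-05-25T14:32:00Z",
            capture_end="2026-05-25T15:02:00Z",
        )
        write_custody_record(record, Path(tmp) / "custody.json")
        results["hash_matches_hashlib"] = record["sha256"] == hashlib.sha256(payload).hexdigest()
        results["clean_verify"] = verify_image(image, record)

        # A copy that grew by one byte fails on size before any hashing happens.
        with open(image, "ab") as fh:
            fh.write(b"\x00")
        results["grown_verify"] = verify_image(image, record)

        # Same size, one byte changed: only the hash catches it.
        with open(image, "r+b") as fh:
            fh.truncate(len(payload))
            fh.seek(12345)
            fh.write(b"\xff")
        results["flipped_verify"] = verify_image(image, record)
    return results


if __name__ == "__main__":
    print(json.dumps(demo_run(), indent=2))
```

Run it once on the real dump right after `Get-FileHash`, keep the JSON with the case file, and re-run `verify_image` on every copy before it goes to an analyst; the size check is what makes an interrupted copy of a 64 GB image obvious in seconds rather than after a full re-hash.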
What to do with the dump
The dump on its own is just bytes. Real work starts on analysis. Two paths, in this order.
Fast triage with ramparser
Open the ramparser web app, click Select a RAM dump, pick the .raw. Within seconds you get:
- A symbol-accurate process list (pslist, using PDB offsets).
- A pool-scanned list (psscan) showing exited or unlinked processes.
- psxview: the diff that flags DKOM-hidden processes.
- pstree: parent / child hierarchy.
- cmdline: exact command lines, from the PEB.
- dlllist: loaded modules per process.
- netscan: network endpoints.
- modules: kernel modules, resolved via PDB globals.
Nothing is uploaded. The memory analysis workflow post covers what to do with the triage output once you have it.
Deep analysis with Volatility 3
When triage flags something, switch to Volatility 3:
# Process injection
vol -f HOST01.raw windows.malfind
# Timeline
vol -f HOST01.raw timeliner.Timeliner > timeline.csv
# YARA scan
vol -f HOST01.raw windows.yarascan.YaraScan --yara-file rules.yar
Volatility's plugin breadth is unmatched — the right tool for the deep dive.
Two recurring questions
Can it image a virtual machine?
It runs inside the guest, so it captures the guest's RAM only. For the host's memory you need host-level acquisition (a different tool entirely). For a VM you control, pausing the VM and grabbing the .vmem is faster and less invasive than running an in-guest agent.
Is the output the same as DumpIt's?
Both produce a raw physical image, but DumpIt can also emit Microsoft .dmp (crash-dump-shaped) output. For analyzer compatibility, prefer raw. Magnet RAM Capture is raw-only.
Where it fits in a wider acquisition kit
For Windows memory in 2026:
- Capture with Magnet RAM Capture, write to external media, hash.
- Triage with ramparser: open the .raw in your browser, read the verdict in seconds.
- Deep-dive with Volatility 3 if triage flags anything.
You do not need to install anything to do step 2. That is the point.