The software for automated acquisition of live data and internal memory (RAM) without access to an administrator's account.

Problem Description
A majority of today's cyber attacks leave no digital traces on a computer's hard drive. They are called file-less attacks. However, the malicious code still hides in and executes from the internal memory (RAM). Therefore, an incident investigator who focuses only on analysis of hard drives and log files will miss important information.

When there is a suspicion of intrusion on a computer, it is important to act immediately. To get the best possible investigation data, it is important to "freeze the moment" to keep volatile data intact. It is also important to be able to quickly stop an ongoing intrusion. Many people have probably experienced that it can take some time to get technical help when a computer acts strangely. Getting help is especially difficult when working remotely, as the computer must remain connected to the Internet in order for an IT technician to be able to connect, troubleshoot and manually acquire evidence. However, a computer's internal memory changes rapidly and digital traces risk disappearing very quickly. In addition, it is not recommended to give an attacker more time to read classified information or to start attacking other assets connected to the same computer network.

Using INCI, a non-privileged user can stop an ongoing attack and start securing evidence from the internal memory. The acquisition starts automatically after a double-click on a desktop icon or by pressing a keyboard shortcut. During incidents where the attacker remotely controls the mouse pointer, it is important to have an alternative to mouse clicks. The software is also useful in a server environment to standardize the acquisition process. It must be easy to do it right, even though the situation is stressful and the number of IT technicians is limited.

The product...

  • ... is easy to use and automates the acquisition of a computer's internal memory (RAM) together with other important live data.
  • ... includes features for automatically stopping an attack and ongoing network communication with an attacker.
  • ... is started by double-clicking a desktop icon or pressing a configurable shortcut on the keyboard.
  • ... does not require the user to have local administrator privileges.
  • ... unburdens and saves time for your IT support and operations technicians.
  • ... standardizes the acquisition process.
  • ... provides the best possible basic conditions for an incident investigation / memory forensic analysis.
  • ... executes on both client and server computers running Windows.
  • ... installs quickly and easily using an MSI package.
  • ... is developed by a Digital Forensic Specialist at Dingard AB.

INCI has been used in several real-case scenarios and stopped attacks in early stages, e.g., during preparations of ransomware attacks. The use of our software has saved our clients a lot of money and strengthened their ability to act fast during security incidents.

A business license costs EUR 790 ex. VAT per year and can be installed on any number of computers within the organization. Only one business license is required per corporate registration number, i.e., a subsidiary needs a business license of its own.


Please contact us if you have any questions and/or want a 20-minute demo of the product.
