MemoryDump – Automated Creation Of Home windows Reminiscence Snapshots For DFIR

November 6, 2022

1

Gather-MemoryDump – Automated Creation of Home windows Reminiscence Snapshots for DFIR

Gather-MemoryDump.ps1 is PowerShell script utilized to gather a Reminiscence Snapshot from a stay Home windows system (in a forensically sound method).

Options:

Checks for Hostname and Bodily Reminiscence Measurement earlier than beginning reminiscence acquisition
Checks when you’ve got sufficient free disk area to save lots of reminiscence dump file
Collects a Uncooked Bodily Reminiscence Dump w/ DumpIt, Magnet Ram Seize, Belkasoft Dwell RAM Capturer and WinPMEM
Collects a Microsoft Crash Dump w/ DumpIt for Comae Beta from Magnet Concept Lab
Pagefile Assortment w/ CyLR – Dwell Response Assortment software by Alan Orlikoski and Jason Yegge
Checks for Encrypted Volumes w/ Magnet Forensics Encrypted Disk Detector
Collects BitLocker Restoration Key
Checks for put in Endpoint Safety Instruments (AntiVirus and EDR)
Enumerates all obligatory data from the goal host to complement your DFIR workflow
Creates a password-protected Safe Archive Container (PW: IncidentResponse)

First Public Launch

MAGNET Talks – Frankfurt, Germany (July 27, 2022)
Presentation Title: Fashionable Digital Forensics and Incident Response Methods
https://www.magnetforensics.com/

Obtain

Obtain the newest model of Gather-MemoryDump from the Releases part.

Observe: Gather-MemoryDump doesn’t embrace all exterior instruments by default.

It’s important to obtain following dependencies:

Copy the required recordsdata to following file places:

Belkasoft Dwell RAM Capturer
$SCRIPT_DIRToolsRamCapturerx64msvcp110.dll
$SCRIPT_DIRToolsRamCapturerx64msvcr110.dll
$SCRIPT_DIRToolsRamCapturerx64RamCapture64.exe
$SCRIPT_DIRToolsRamCapturerx64RamCaptureDriver64.sys
$SCRIPT_DIRToolsRamCapturerx86msvcp110.dll
$SCRIPT_DIRToolsRamCapturerx86msvcr110.dll
$SCRIPT_DIRToolsRamCapturerx86RamCapture.exe
$SCRIPT_DIRToolsRamCapturerx86RamCaptureDriver.sys

Comae-Toolkit
$SCRIPT_DIRToolsDumpItARM64DumpIt.exe
$SCRIPT_DIRToolsDumpItx64DumpIt.exe
$SCRIPT_DIRToolsDumpItx86DumpIt.exe

MAGNET Encrypted Disk Detector
$SCRIPT_DIRToolsEDDEDDv310.exe

MAGNET Ram Seize
$SCRIPT_DIRToolsMRCMRCv120.exe

Utilization

.Gather-MemoryDump.ps1 [-Tool] [–Pagefile]

Instance 1 – Uncooked Bodily Reminiscence Snapshot
.Gather-MemoryDump.ps1 -DumpIt

Instance 2 – Microsoft Crash Dump (.zdmp) → optimized for importing to Comae Investigation Platform
.Gather-MemoryDump.ps1 -Comae

Observe: You’ll be able to uncompress *.zdmp recordsdata generated by DumpIt w/ Z2Dmp (Comae-Toolkit).

Instance 3 – Uncooked Bodily Reminiscence Snapshot and Pagefile Assortment → MemProcFS
.Gather-MemoryDump.ps1 -WinPMEM –Pagefile

Fig 1: Assist Message

Fig 2: Verify Obtainable Area

Fig 3: Automated Creation of Home windows Reminiscence Snapshot w/ DumpIt

Fig 4: Automated Creation of Home windows Reminiscence Snapshot w/ Magnet RAM Seize

Fig 5: Automated Creation of Home windows Reminiscence Snapshot w/ WinPMEM

Fig 6: Automated Creation of Home windows Reminiscence Snapshot w/ Belkasoft Dwell RAM Capturer

Fig 7: Automated Creation of Home windows Reminiscence Snapshot w/ DumpIt (Microsoft Crash Dump)

Fig 8: Automated Creation of Home windows Reminiscence Snapshot w/ WinPMEM and Pagefile Assortment w/ CyLR

Fig 9: Message Field

Fig 10: Safe Archive Container (PW: IncidentResponse) and Logfile.txt

Fig 11: Output Directories

Fig 12: Reminiscence Directories (WinPMEM and Pagefile)

Fig 13: Reminiscence Snapshot (in a forensically sound method)

Fig 14: Pagefile Assortment

Fig 15: Collected System Info

Dependencies

7-Zip 22.01 Standalone Console (2022-07-15)
https://www.7-zip.org/obtain.html

Belkasoft Dwell RAM Capturer (2018-10-22)
https://belkasoft.com/ram-capturer

DumpIt 3.5.0 (2022-08-02) → Comae-Toolkit
https://magnetidealab.com/
https://beta.comae.tech/

CyLR 3.0 (2021-02-03)
https://github.com/orlikoski/CyLR

Magnet Encrypted Disk Detector v3.1.0 (2022-06-19)
https://www.magnetforensics.com/assets/encrypted-disk-detector/
https://help.magnetforensics.com/s/free-tools

Magnet RAM Seize v1.2.0 (2019-07-24)
https://www.magnetforensics.com/assets/magnet-ram-capture/
https://help.magnetforensics.com/s/software-and-downloads?productTag=free-tools

PsLoggedOn v1.35 (2016-06-29)
https://docs.microsoft.com/de-de/sysinternals/downloads/psloggedon

WinPMEM 4.0 RC2 (2020-10-12)
https://github.com/Velocidex/WinPmem/releases

Hyperlinks

Belkasoft Dwell RAM Capturer
Comae-Toolkit incl. DumpIt
CyLR – Dwell Response Assortment Device
MAGNET Encrypted Disk Detector
MAGNET Ram Seize
WinPMEM

MAGNET Concept Lab – Apply To Be a part of

Previous articleThese time-saving apps can restore your workspace after shutting down your laptop computer

Next articleWhy Is This Trending Time Sequence Stationary? | by Ning Jia | Nov, 2022

MemoryDump – Automated Creation Of Home windows Reminiscence Snapshots For DFIR

First Public Launch

Obtain

Utilization

Dependencies

Hyperlinks

Hackers Abusing MS Dynamics 365 Buyer Voice to Steal Credentials

Hash-Cracker – A Small Util To Brute-Pressure Prefetch Hashes

Microsoft Warns of Uptick in Hackers Leveraging Publicly-Disclosed 0-Day Vulnerabilities

LEAVE A REPLY Cancel reply

Most Popular

wp question – WP_Query by meta key not returning any posts

Why Is This Trending Time Sequence Stationary? | by Ning Jia | Nov, 2022

These time-saving apps can restore your workspace after shutting down your laptop computer

10 Greatest Ratchet Straps To Safe Cargo On The Autos

Recent Comments

ABOUT US

POPULAR POSTS

wp question – WP_Query by meta key not returning any posts

Why Is This Trending Time Sequence Stationary? | by Ning Jia | Nov, 2022

These time-saving apps can restore your workspace after shutting down your laptop computer

POPULAR CATEGORY