Collect-MemoryDump - Automated Creation of Windows Memory Snapshots for DFIR
Collect-MemoryDump.ps1 is a PowerShell script used to collect a memory snapshot from a live Windows system in a forensically sound manner.
Features:
- Checks for Hostname and Physical Memory Size before starting memory acquisition
- Checks if you have enough free disk space to save memory dump file
- Collects a Raw Physical Memory Dump w/ DumpIt, Magnet Ram Capture, Belkasoft Live RAM Capturer and WinPMEM
- Collects a Microsoft Crash Dump w/ DumpIt for Comae Beta from Magnet Idea Lab
- Pagefile Collection w/ CyLR - Live Response Collection tool by Alan Orlikoski and Jason Yegge
- Checks for Encrypted Volumes w/ Magnet Forensics Encrypted Disk Detector
- Collects BitLocker Recovery Key
- Checks for installed Endpoint Security Tools (AntiVirus and EDR)
- Enumerates all necessary information from the target host to enrich your DFIR workflow
- Creates a password-protected Secure Archive Container (PW: IncidentResponse)
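The pre-flight checks in the feature list (hostname and physical memory size, free disk space, BitLocker status and recovery key, installed endpoint security tools) are worth running and reviewing before any acquisition driver is loaded. The script below is an added example, not code from Collect-MemoryDump or its author; the output location, the assumption that a raw image is as large as physical RAM, the 10% safety margin and the short list of EDR service names are my own choices.

```powershell
# Added example (not code from Collect-MemoryDump): pre-flight checks of the kind the
# feature list describes, run before any driver is loaded. Assumptions (mine, not the
# project's): the dump goes under $OutputRoot, the raw image is taken to be as large as
# physical RAM, and a 10% safety margin is added on top. Run from an elevated session.
param(
    [string]$OutputRoot = "D:\MemoryDump",
    [switch]$Pagefile
)

function Get-HostSummary {
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $pf = Get-CimInstance -ClassName Win32_PageFileUsage   # AllocatedBaseSize is in MB
    [pscustomobject]@{
        Hostname         = $env:COMPUTERNAME
        OS               = "$($os.Caption) $($os.Version)"
        PhysicalMemBytes = [long]$cs.TotalPhysicalMemory
        PageFileBytes    = [long](($pf | Measure-Object -Property AllocatedBaseSize -Sum).Sum) * 1MB
        PageFiles        = @($pf | ForEach-Object { $_.Name })
    }
}

function Test-OutputSpace {
    param([string]$Path, [long]$RequiredBytes)
    # Resolve the drive that will receive the dump (e.g. "D:") and read its free space.
    $root = [System.IO.Path]::GetPathRoot([System.IO.Path]::GetFullPath($Path)).TrimEnd('\')
    $disk = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DeviceID='$root'"
    if (-not $disk) { throw "Output drive '$root' not found." }
    [pscustomobject]@{
        Drive         = $root
        FreeBytes     = [long]$disk.FreeSpace
        RequiredBytes = $RequiredBytes
        Sufficient    = ([long]$disk.FreeSpace -gt $RequiredBytes)
    }
}

function Get-BitLockerSummary {
    # Get-BitLockerVolume only exists where the BitLocker module is installed.
    if (-not (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue)) {
        return "BitLocker module not available on this host"
    }
    Get-BitLockerVolume | ForEach-Object {
        # Reading the numerical recovery password requires administrator rights.
        $recovery = $_.KeyProtector |
            Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
            Select-Object -ExpandProperty RecoveryPassword
        [pscustomobject]@{
            Volume           = $_.MountPoint
            VolumeStatus     = $_.VolumeStatus
            ProtectionStatus = $_.ProtectionStatus
            RecoveryPassword = ($recovery -join '; ')
        }
    }
}

function Get-EndpointSecurity {
    $result = @()
    # root\SecurityCenter2 is populated on client SKUs only; servers need the service check.
    try {
        $av = Get-CimInstance -Namespace 'root\SecurityCenter2' -ClassName AntiVirusProduct -ErrorAction Stop
        foreach ($p in $av) {
            $result += [pscustomobject]@{ Source = 'SecurityCenter2'; Name = $p.displayName; State = ('0x{0:X}' -f $p.productState) }
        }
    } catch {
        $result += [pscustomobject]@{ Source = 'SecurityCenter2'; Name = 'namespace unavailable (server SKU?)'; State = '' }
    }
    # Illustrative service names (my list, not exhaustive): Defender, Defender for Endpoint,
    # CrowdStrike Falcon, SentinelOne.
    foreach ($svc in 'WinDefend', 'Sense', 'CSFalconService', 'SentinelAgent') {
        $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
        if ($s) { $result += [pscustomobject]@{ Source = 'Service'; Name = $s.DisplayName; State = $s.Status } }
    }
    $result
}

$summary = Get-HostSummary
$summary | Format-List

$required = $summary.PhysicalMemBytes
if ($Pagefile) { $required += $summary.PageFileBytes }
$required = [long]($required * 1.1)   # 10% margin for logs, hashes and archive overhead
$space = Test-OutputSpace -Path $OutputRoot -RequiredBytes $required
$space | Format-List
if (-not $space.Sufficient) {
    Write-Warning ("Not enough free space on {0}: need {1:N1} GB, have {2:N1} GB. Aborting before any driver is loaded." -f `
        $space.Drive, ($space.RequiredBytes / 1GB), ($space.FreeBytes / 1GB))
    exit 1
}
Get-BitLockerSummary | Format-Table -AutoSize
Get-EndpointSecurity | Format-Table -AutoSize
```

Point $OutputRoot at removable or network storage rather than the system drive: writing a RAM-sized file to the volume under investigation overwrites unallocated space you may later want to carve. The space check deliberately runs before anything else so that an abort leaves no driver loaded and no partial image behind.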
First Public Release
MAGNET Talks - Frankfurt, Germany (July 27, 2022)
Presentation Title: Modern Digital Forensics and Incident Response Techniques
Download
Download the latest version of Collect-MemoryDump from the project's download section.
You have to download the following dependencies yourself. Note: Collect-MemoryDump does not include all external tools by default; place them at the paths listed below.
- Belkasoft Live RAM Capturer
  $SCRIPT_DIR\Tools\RamCapturer\x64\msvcp110.dll
  $SCRIPT_DIR\Tools\RamCapturer\x64\msvcr110.dll
  $SCRIPT_DIR\Tools\RamCapturer\x64\RamCapture64.exe
  $SCRIPT_DIR\Tools\RamCapturer\x64\RamCaptureDriver64.sys
  $SCRIPT_DIR\Tools\RamCapturer\x86\msvcp110.dll
  $SCRIPT_DIR\Tools\RamCapturer\x86\msvcr110.dll
  $SCRIPT_DIR\Tools\RamCapturer\x86\RamCapture.exe
  $SCRIPT_DIR\Tools\RamCapturer\x86\RamCaptureDriver.sys
- Comae-Toolkit
  $SCRIPT_DIR\Tools\DumpIt\ARM64\DumpIt.exe
  $SCRIPT_DIR\Tools\DumpIt\x64\DumpIt.exe
  $SCRIPT_DIR\Tools\DumpIt\x86\DumpIt.exe
- MAGNET Encrypted Disk Detector
  $SCRIPT_DIR\Tools\EDD\EDDv310.exe
- MAGNET Ram Capture
  $SCRIPT_DIR\Tools\MRC\MRCv120.exe
Usage
.\Collect-MemoryDump.ps1 [-Tool] [-Pagefile]
Run the script from an elevated PowerShell session: every acquisition tool loads a kernel driver, which requires administrator rights.
Example 1 - Raw Physical Memory Snapshot
.\Collect-MemoryDump.ps1 -DumpIt
Example 2 - Microsoft Crash Dump (.zdmp) → optimized for uploading to Comae Beta (Magnet Idea Lab)
.\Collect-MemoryDump.ps1 -Comae
Note: You can uncompress *.zdmp files generated by DumpIt w/ Z2Dmp (Comae-Toolkit).
Example 3 - Raw Physical Memory Snapshot and Pagefile Collection (pagefile collected w/ CyLR)
.\Collect-MemoryDump.ps1 -WinPMEM -Pagefile
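What makes a snapshot defensible afterwards is the record around the tool run: when it started and finished, what files it produced, their SHA256 hashes, and a sealed container. The script below is an added example, not the project's own code; it does not reproduce any tool's command line (the operator passes the tool path and arguments, since those differ between DumpIt, Magnet RAM Capture, Belkasoft and WinPMEM), assumes 7za.exe is the 7-Zip standalone console, and defaults the archive password to the one the project documents.

```powershell
# Added example (not the project's own code): run one acquisition tool, hash what it
# produced, write a timestamped log and seal everything in a password-protected 7z archive.
# Assumptions (mine): $ToolPath/$ToolArgs are supplied by the operator; $SevenZip points at
# the 7-Zip standalone console; the password defaults to the one the project documents.
param(
    [Parameter(Mandatory)][string]$ToolPath,
    [string[]]$ToolArgs = @(),
    [string]$OutputDir = "D:\MemoryDump\$env:COMPUTERNAME",
    [string]$SevenZip = ".\Tools\7-Zip\7za.exe",
    [string]$ArchivePassword = "IncidentResponse"
)

$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Path $OutputDir -Force | Out-Null
# The log lives next to the archive, not inside it, so it stays readable without the password.
$log = Join-Path (Split-Path $OutputDir -Parent) "Logfile.txt"

function Write-Log {
    param([string]$Message)
    $line = "{0:yyyy-MM-ddTHH:mm:ss.fffZ} {1}" -f [datetime]::UtcNow, $Message
    Add-Content -Path $log -Value $line
    Write-Host $line
}

function Invoke-Acquisition {
    param([string]$Exe, [string[]]$Arguments, [string]$WorkDir)
    Write-Log "Starting: $Exe $($Arguments -join ' ')"
    $t0 = [datetime]::UtcNow
    $sp = @{ FilePath = $Exe; WorkingDirectory = $WorkDir; Wait = $true; PassThru = $true; NoNewWindow = $true }
    if ($Arguments.Count -gt 0) { $sp.ArgumentList = $Arguments }   # -ArgumentList rejects an empty array
    $p = Start-Process @sp
    Write-Log ("Finished with exit code {0} after {1:N0} s" -f $p.ExitCode, ([datetime]::UtcNow - $t0).TotalSeconds)
    $t0
}

function Get-NewFileHashes {
    param([string]$Dir, [datetime]$Since)
    # Hash every file the tool wrote; SHA256 goes into the log before the files are archived.
    Get-ChildItem -Path $Dir -File -Recurse |
        Where-Object { $_.LastWriteTimeUtc -ge $Since } |
        ForEach-Object {
            $h = Get-FileHash -Path $_.FullName -Algorithm SHA256
            [pscustomobject]@{ File = $_.FullName; Bytes = $_.Length; SHA256 = $h.Hash }
        }
}

function New-SecureArchive {
    param([string]$Source, [string]$Password)
    $archive = "$Source.7z"
    # -t7z with -mhe=on encrypts file names as well as contents; -p sets the password.
    & $SevenZip a -t7z -mhe=on "-p$Password" $archive "$Source\*" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "7-Zip failed with exit code $LASTEXITCODE" }
    $archive
}

$started = Invoke-Acquisition -Exe $ToolPath -Arguments $ToolArgs -WorkDir $OutputDir
# One minute of slack covers tools that create the output file before our timestamp is taken.
$hashes = @(Get-NewFileHashes -Dir $OutputDir -Since $started.AddMinutes(-1))
if ($hashes.Count -eq 0) { Write-Log "WARNING: tool produced no files in $OutputDir"; exit 1 }
foreach ($h in $hashes) { Write-Log ("{0}  {1} bytes  SHA256={2}" -f $h.File, $h.Bytes, $h.SHA256) }

$archive = New-SecureArchive -Source $OutputDir -Password $ArchivePassword
$ah = Get-FileHash -Path $archive -Algorithm SHA256
Write-Log "Archive: $archive SHA256=$($ah.Hash)"
```

A typical call passes the acquisition binary and the output file it should write, for instance WinPMEM's mini executable, which takes the output path as its argument (binary name assumed; check the release you downloaded). Two caveats: header encryption (-mhe=on) only works with the 7z container format, so do not switch to -tzip; and a shared, documented password like IncidentResponse protects against casual inspection and AV quarantine of the archive, not against an attacker who has this page, so transport the container over an already trusted channel.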
Fig 1: Help Message
Fig 2: Check Available Space
Fig 3: Automated Creation of Windows Memory Snapshot w/ DumpIt
Fig 4: Automated Creation of Windows Memory Snapshot w/ Magnet RAM Capture
Fig 5: Automated Creation of Windows Memory Snapshot w/ WinPMEM
Fig 6: Automated Creation of Windows Memory Snapshot w/ Belkasoft Live RAM Capturer
Fig 7: Automated Creation of Windows Memory Snapshot w/ DumpIt (Microsoft Crash Dump)
Fig 8: Automated Creation of Windows Memory Snapshot w/ WinPMEM and Pagefile Collection w/ CyLR
Fig 9: Message Box
Fig 10: Secure Archive Container (PW: IncidentResponse) and Logfile.txt
Fig 11: Output Directories
Fig 12: Memory Directories (WinPMEM and Pagefile)
Fig 13: Memory Snapshot (in a forensically sound manner)
Fig 14: Pagefile Collection
Fig 15: Collected System Information
Dependencies
- 7-Zip 22.01 Standalone Console (2022-07-15)
- Belkasoft Live RAM Capturer (2018-10-22)
- DumpIt 3.5.0 (2022-08-02) → Comae-Toolkit
- Comae Beta (Magnet Idea Lab) - Cloud-based Memory Analysis Platform for Incident Response and Threat Hunting
- CyLR 3.0 (2021-02-03) - Live Response Collection Tool (orlikoski/CyLR on GitHub)
- Magnet Encrypted Disk Detector v3.1.0 (2022-06-19)
- Magnet RAM Capture v1.2.0 (2019-07-24)
- PsLoggedOn v1.35 (2016-06-29) - shows users logged on to a system
- WinPMEM 4.0 RC2 (2020-10-12) - the multi-platform memory acquisition tool (Velocidex/WinPmem on GitHub)