Collect-MemoryDump | Automated Creation Of Windows Memory Snapshots For DFIR

  • Leechers leech but please contribute to community we need your support:)

Ruchika oberoi

Administrator
Staff member
Mar 27, 2022
4,040
200
63
011d2d604111b90d0172b6a0e8ce7878a1ff018c

Collect-MemoryDump - Automated Creation of Windows Memory Snapshots for DFIR

Collect-MemoryDump.ps1 is PowerShell script utilized to collect a Memory Snapshot from a live Windows system (in a forensically sound manner).

Features:

  • Checks for Hostname and Physical Memory Size before starting memory acquisition
  • Checks if you have enough free disk space to save memory dump file
  • Collects a Raw Physical Memory Dump w/ DumpIt, Magnet Ram Capture, Belkasoft Live RAM Capturer and WinPMEM
  • Collects a Microsoft Crash Dump w/ DumpIt for Comae Beta from Magnet Idea Lab
  • Pagefile Collection w/ CyLR - Live Response Collection tool by Alan Orlikoski and Jason Yegge
  • Checks for Encrypted Volumes w/ Magnet Forensics Encrypted Disk Detector
  • Collects BitLocker Recovery Key
  • Checks for installed Endpoint Security Tools (AntiVirus and EDR)
  • Enumerates all necessary information from the target host to enrich your DFIR workflow
  • Creates a password-protected Secure Archive Container (PW: IncidentResponse)

First Public Release​

MAGNET Talks - Frankfurt, Germany (July 27, 2022)
Presentation Title: Modern Digital Forensics and Incident Response Techniques


Download​

Download the latest version of Collect-MemoryDump from the section.

Note: Collect-MemoryDump does not include all external tools by default.
You have to download following dependencies:

Copy the required files to following file locations:

Belkasoft Live RAM Capturer
$SCRIPT_DIR\Tools\RamCapturer\x64\msvcp110.dll
$SCRIPT_DIR\Tools\RamCapturer\x64\msvcr110.dll
$SCRIPT_DIR\Tools\RamCapturer\x64\RamCapture64.exe
$SCRIPT_DIR\Tools\RamCapturer\x64\RamCaptureDriver64.sys
$SCRIPT_DIR\Tools\RamCapturer\x86\msvcp110.dll
$SCRIPT_DIR\Tools\RamCapturer\x86\msvcr110.dll
$SCRIPT_DIR\Tools\RamCapturer\x86\RamCapture.exe
$SCRIPT_DIR\Tools\RamCapturer\x86\RamCaptureDriver.sys

Comae-Toolkit
$SCRIPT_DIR\Tools\DumpIt\ARM64\DumpIt.exe
$SCRIPT_DIR\Tools\DumpIt\x64\DumpIt.exe
$SCRIPT_DIR\Tools\DumpIt\x86\DumpIt.exe

MAGNET Encrypted Disk Detector
$SCRIPT_DIR\Tools\EDD\EDDv310.exe

MAGNET Ram Capture
$SCRIPT_DIR\Tools\MRC\MRCv120.exe

Usage​

.\Collect-MemoryDump.ps1 [-Tool] [–Pagefile]

Example 1 - Raw Physical Memory Snapshot
.\Collect-MemoryDump.ps1 -DumpIt

Example 2 - Microsoft Crash Dump (.zdmp) → optimized for uploading to
.\Collect-MemoryDump.ps1 -Comae

Note: You can uncompress *.zdmp files generated by DumpIt w/ Z2Dmp (Comae-Toolkit).

Example 3 - Raw Physical Memory Snapshot and Pagefile Collection →
.\Collect-MemoryDump.ps1 -WinPMEM --Pagefile

01
Fig 1: Help Message

02
Fig 2: Check Available Space

03 1
Fig 3: Automated Creation of Windows Memory Snapshot w/ DumpIt

04
Fig 4: Automated Creation of Windows Memory Snapshot w/ Magnet RAM Capture

05
Fig 5: Automated Creation of Windows Memory Snapshot w/ WinPMEM

06
Fig 6: Automated Creation of Windows Memory Snapshot w/ Belkasoft Live RAM Capturer

07
Fig 7: Automated Creation of Windows Memory Snapshot w/ DumpIt (Microsoft Crash Dump)

08
Fig 8: Automated Creation of Windows Memory Snapshot w/ WinPMEM and Pagefile Collection w/ CyLR

09
Fig 9: Message Box

10
Fig 10: Secure Archive Container (PW: IncidentResponse) and Logfile.txt

11
Fig 11: Output Directories

12
Fig 12: Memory Directories (WinPMEM and Pagefile)

13
Fig 13: Memory Snapshot (in a forensically sound manner)

14
Fig 14: Pagefile Collection

15
Fig 15: Collected System Information

Dependencies​

7-Zip 22.01 Standalone Console (2022-07-15)


Belkasoft Live RAM Capturer (2018-10-22)


DumpIt 3.5.0 (2022-08-02) → Comae-Toolkit

Cropped Magnet M logo 32x32
E Z7zENXEAEpWS6

Our mission is to create products that solve real challenges in digital forensics, law enforcement and cyber security.

Est. reading time: 1 minute



Logo

Cloud-based Memory Analysis Platform for Incident Response and Threat Hunting



CyLR 3.0 (2021-02-03)

You must be registered for see images

CyLR

CyLR - Live Response Collection Tool. Contribute to orlikoski/CyLR development by creating an account on GitHub.



Magnet Encrypted Disk Detector v3.1.0 (2022-06-19)



Magnet RAM Capture v1.2.0 (2019-07-24)



PsLoggedOn v1.35 (2016-06-29)

Logo ms social

Benutzer anzeigen, die bei einem System angemeldet sind.



WinPMEM 4.0 RC2 (2020-10-12)

You must be registered for see images

WinPmem

The multi-platform memory acquisition tool. Contribute to Velocidex/WinPmem development by creating an account on GitHub.



Links​








6f6d616557656273697465325f31323030783637352e6a7067


GitHub:​

You must be registered for see images

Collect MemoryDump

Collect-MemoryDump - Automated Creation of Windows Memory Snapshots for DFIR - GitHub - evild3ad/Collect-MemoryDump: Collect-MemoryDump - Automated Creation of Windows Memory Snapshots for DFIR