Collect-MemoryDump | Automated Creation Of Windows Memory Snapshots For DFIR

[Ruchika oberoi]

Collect-MemoryDump - Automated Creation of Windows Memory Snapshots for DFIR

Collect-MemoryDump.ps1 is PowerShell script utilized to collect a Memory Snapshot from a live Windows system (in a forensically sound manner).

Features:

• Checks for Hostname and Physical Memory Size before starting memory acquisition
• Checks if you have enough free disk space to save memory dump file
• Collects a Raw Physical Memory Dump w/ DumpIt, Magnet Ram Capture, Belkasoft Live RAM Capturer and WinPMEM
• Collects a Microsoft Crash Dump w/ DumpIt for Comae Beta from Magnet Idea Lab
• Pagefile Collection w/ CyLR - Live Response Collection tool by Alan Orlikoski and Jason Yegge
• Checks for Encrypted Volumes w/ Magnet Forensics Encrypted Disk Detector
• Collects BitLocker Recovery Key
• Checks for installed Endpoint Security Tools (AntiVirus and EDR)
• Enumerates all necessary information from the target host to enrich your DFIR workflow
• Creates a password-protected Secure Archive Container (PW: IncidentResponse)

First Public Release​

MAGNET Talks - Frankfurt, Germany (July 27, 2022)
Presentation Title: Modern Digital Forensics and Incident Response Techniques

You must be registered for see links

Download​

Download the latest version of Collect-MemoryDump from the

You must be registered for see links

section.

Note: Collect-MemoryDump does not include all external tools by default.

You have to download following dependencies:

• You must be registered for see links
• You must be registered for see links
• You must be registered for see links
• You must be registered for see links

Copy the required files to following file locations:

Belkasoft Live RAM Capturer
$SCRIPT_DIR\Tools\RamCapturer\x64\msvcp110.dll
$SCRIPT_DIR\Tools\RamCapturer\x64\msvcr110.dll
$SCRIPT_DIR\Tools\RamCapturer\x64\RamCapture64.exe
$SCRIPT_DIR\Tools\RamCapturer\x64\RamCaptureDriver64.sys
$SCRIPT_DIR\Tools\RamCapturer\x86\msvcp110.dll
$SCRIPT_DIR\Tools\RamCapturer\x86\msvcr110.dll
$SCRIPT_DIR\Tools\RamCapturer\x86\RamCapture.exe
$SCRIPT_DIR\Tools\RamCapturer\x86\RamCaptureDriver.sys

Comae-Toolkit
$SCRIPT_DIR\Tools\DumpIt\ARM64\DumpIt.exe
$SCRIPT_DIR\Tools\DumpIt\x64\DumpIt.exe
$SCRIPT_DIR\Tools\DumpIt\x86\DumpIt.exe

MAGNET Encrypted Disk Detector
$SCRIPT_DIR\Tools\EDD\EDDv310.exe

MAGNET Ram Capture
$SCRIPT_DIR\Tools\MRC\MRCv120.exe

Usage​

.\Collect-MemoryDump.ps1 [-Tool] [–Pagefile]

Example 1 - Raw Physical Memory Snapshot
.\Collect-MemoryDump.ps1 -DumpIt

Example 2 - Microsoft Crash Dump (.zdmp) → optimized for uploading to

You must be registered for see links

.\Collect-MemoryDump.ps1 -Comae

Note: You can uncompress *.zdmp files generated by DumpIt w/ Z2Dmp (Comae-Toolkit).

Example 3 - Raw Physical Memory Snapshot and Pagefile Collection →

You must be registered for see links

.\Collect-MemoryDump.ps1 -WinPMEM --Pagefile


Fig 1: Help Message


Fig 2: Check Available Space

1
Fig 3: Automated Creation of Windows Memory Snapshot w/ DumpIt


Fig 4: Automated Creation of Windows Memory Snapshot w/ Magnet RAM Capture


Fig 5: Automated Creation of Windows Memory Snapshot w/ WinPMEM


Fig 6: Automated Creation of Windows Memory Snapshot w/ Belkasoft Live RAM Capturer


Fig 7: Automated Creation of Windows Memory Snapshot w/ DumpIt (Microsoft Crash Dump)


Fig 8: Automated Creation of Windows Memory Snapshot w/ WinPMEM and Pagefile Collection w/ CyLR


Fig 9: Message Box


Fig 10: Secure Archive Container (PW: IncidentResponse) and Logfile.txt


Fig 11: Output Directories


Fig 12: Memory Directories (WinPMEM and Pagefile)


Fig 13: Memory Snapshot (in a forensically sound manner)


Fig 14: Pagefile Collection


Fig 15: Collected System Information

Dependencies​

7-Zip 22.01 Standalone Console (2022-07-15)

You must be registered for see links

Belkasoft Live RAM Capturer (2018-10-22)

You must be registered for see links

DumpIt 3.5.0 (2022-08-02) → Comae-Toolkit

You must be registered for see links

You must be registered for see links

Our mission is to create products that solve real challenges in digital forensics, law enforcement and cyber security.

Est. reading time: 1 minute

You must be registered for see links

You must be registered for see links

Cloud-based Memory Analysis Platform for Incident Response and Threat Hunting



CyLR 3.0 (2021-02-03)

You must be registered for see images

You must be registered for see links

You must be registered for see links

CyLR - Live Response Collection Tool. Contribute to orlikoski/CyLR development by creating an account on GitHub.



Magnet Encrypted Disk Detector v3.1.0 (2022-06-19)

You must be registered for see links

You must be registered for see links

Magnet RAM Capture v1.2.0 (2019-07-24)

You must be registered for see links

You must be registered for see links

PsLoggedOn v1.35 (2016-06-29)

You must be registered for see links

You must be registered for see links

Benutzer anzeigen, die bei einem System angemeldet sind.



WinPMEM 4.0 RC2 (2020-10-12)

You must be registered for see images

You must be registered for see links

You must be registered for see links

The multi-platform memory acquisition tool. Contribute to Velocidex/WinPmem development by creating an account on GitHub.

Links​

You must be registered for see links

You must be registered for see links

You must be registered for see links

You must be registered for see links

You must be registered for see links

You must be registered for see links

You must be registered for see links

GitHub:​

You must be registered for see images

You must be registered for see links

You must be registered for see links

Collect-MemoryDump - Automated Creation of Windows Memory Snapshots for DFIR - GitHub - evild3ad/Collect-MemoryDump: Collect-MemoryDump - Automated Creation of Windows Memory Snapshots for DFIR