Collect-MemoryDump : Automated Creation Of Windows Memory Snapshots For DFIR

Collect-MemoryDump is automated Creation of Windows Memory Snapshots for DFIR. Collect-MemoryDump.ps1 is PowerShell script utilized to collect a Memory Snapshot from a live Windows system (in a forensically sound manner).

Features

• Checks for Hostname and Physical Memory Size before starting memory acquisition
• Checks if you have enough free disk space to save memory dump file
• Collects a Raw Physical Memory Dump w/ DumpIt, Magnet Ram Capture, Belkasoft Live RAM Capturer and WinPMEM
• Collects a Microsoft Crash Dump w/ DumpIt for Comae Beta from Magnet Idea Lab
• Pagefile Collection w/ CyLR – Live Response Collection tool by Alan Orlikoski and Jason Yegge
• Checks for Encrypted Volumes w/ Magnet Forensics Encrypted Disk Detector
• Collects BitLocker Recovery Key
• Checks for installed Endpoint Security Tools (AntiVirus and EDR)
• Enumerates all necessary information from the target host to enrich your DFIR workflow
• Creates a password-protected Secure Archive Container (PW: IncidentResponse)

First Public Release

MAGNET Talks – Frankfurt, Germany (July 27, 2022)
Presentation Title: Modern Digital Forensics and Incident Response Techniques
https://www.magnetforensics.com/

Download

Download the latest version of Collect-MemoryDump from the Releases section.

Note: Collect-MemoryDump does not include all external tools by default.

You have to download following dependencies:

• Belkasoft Live RAM Capturer
• Comae-Toolkit
• MAGNET Encrypted Disk Detector
• MAGNET Ram Capture

Copy the required files to following file locations:

Belkasoft Live RAM Capturer

$SCRIPT_DIR\Tools\RamCapturer\x64\msvcp110.dll
$SCRIPT_DIR\Tools\RamCapturer\x64\msvcr110.dll
$SCRIPT_DIR\Tools\RamCapturer\x64\RamCapture64.exe
$SCRIPT_DIR\Tools\RamCapturer\x64\RamCaptureDriver64.sys
$SCRIPT_DIR\Tools\RamCapturer\x86\msvcp110.dll
$SCRIPT_DIR\Tools\RamCapturer\x86\msvcr110.dll
$SCRIPT_DIR\Tools\RamCapturer\x86\RamCapture.exe
$SCRIPT_DIR\Tools\RamCapturer\x86\RamCaptureDriver.sys

Comae-Toolkit

$SCRIPT_DIR\Tools\DumpIt\ARM64\DumpIt.exe
$SCRIPT_DIR\Tools\DumpIt\x64\DumpIt.exe
$SCRIPT_DIR\Tools\DumpIt\x86\DumpIt.exe

MAGNET Encrypted Disk Detector

$SCRIPT_DIR\Tools\EDD\EDDv310.exe

MAGNET Ram Capture

$SCRIPT_DIR\Tools\MRC\MRCv120.exe

Usage

.\Collect-MemoryDump.ps1 [-Tool] [–Pagefile]

Example 1 – Raw Physical Memory Snapshot
.\Collect-MemoryDump.ps1 -DumpIt

Example 2 – Microsoft Crash Dump (.zdmp) → optimized for uploading to Comae Investigation Platform
.\Collect-MemoryDump.ps1 -Comae

Note: You can uncompress *.zdmp files generated by DumpIt w/ Z2Dmp (Comae-Toolkit).

Example 3 – Raw Physical Memory Snapshot and Pagefile Collection → MemProcFS
.\Collect-MemoryDump.ps1 -WinPMEM –Pagefile

Fig 1: Help Message

Fig 2: Check Available Space

Fig 3: Automated Creation of Windows Memory Snapshot w/ DumpIt

Fig 4: Automated Creation of Windows Memory Snapshot w/ Magnet RAM Capture

Fig 5: Automated Creation of Windows Memory Snapshot w/ WinPMEM

Fig 6: Automated Creation of Windows Memory Snapshot w/ Belkasoft Live RAM Capturer

Fig 7: Automated Creation of Windows Memory Snapshot w/ DumpIt (Microsoft Crash Dump)

Fig 8: Automated Creation of Windows Memory Snapshot w/ WinPMEM and Pagefile Collection w/ CyLR

Fig 9: Message Box

Fig 10: Secure Archive Container (PW: IncidentResponse) and Logfile.txt

Fig 11: Output Directories

Fig 12: Memory Directories (WinPMEM and Pagefile)

Fig 13: Memory Snapshot (in a forensically sound manner)

Fig 14: Pagefile Collection

Fig 15: Collected System Information