Collect-MemoryDump is automated Creation of Windows Memory Snapshots for DFIR. Collect-MemoryDump.ps1 is PowerShell script utilized to collect a Memory Snapshot from a live Windows system (in a forensically sound manner).
MAGNET Talks – Frankfurt, Germany (July 27, 2022)
Presentation Title: Modern Digital Forensics and Incident Response Techniques
https://www.magnetforensics.com/
Download the latest version of Collect-MemoryDump from the Releases section.
Note: Collect-MemoryDump does not include all external tools by default.
You have to download following dependencies:
Copy the required files to following file locations:
$SCRIPT_DIR\Tools\RamCapturer\x64\msvcp110.dll$SCRIPT_DIR\Tools\RamCapturer\x64\msvcr110.dll$SCRIPT_DIR\Tools\RamCapturer\x64\RamCapture64.exe$SCRIPT_DIR\Tools\RamCapturer\x64\RamCaptureDriver64.sys$SCRIPT_DIR\Tools\RamCapturer\x86\msvcp110.dll$SCRIPT_DIR\Tools\RamCapturer\x86\msvcr110.dll$SCRIPT_DIR\Tools\RamCapturer\x86\RamCapture.exe$SCRIPT_DIR\Tools\RamCapturer\x86\RamCaptureDriver.sys
$SCRIPT_DIR\Tools\DumpIt\ARM64\DumpIt.exe$SCRIPT_DIR\Tools\DumpIt\x64\DumpIt.exe$SCRIPT_DIR\Tools\DumpIt\x86\DumpIt.exe
$SCRIPT_DIR\Tools\EDD\EDDv310.exe
$SCRIPT_DIR\Tools\MRC\MRCv120.exe
.\Collect-MemoryDump.ps1 [-Tool] [–Pagefile]
Example 1 – Raw Physical Memory Snapshot
.\Collect-MemoryDump.ps1 -DumpIt
Example 2 – Microsoft Crash Dump (.zdmp) → optimized for uploading to Comae Investigation Platform
.\Collect-MemoryDump.ps1 -Comae
Note: You can uncompress *.zdmp files generated by DumpIt w/ Z2Dmp (Comae-Toolkit).
Example 3 – Raw Physical Memory Snapshot and Pagefile Collection → MemProcFS
.\Collect-MemoryDump.ps1 -WinPMEM –Pagefile
Fig 1: Help Message
Fig 2: Check Available Space
Fig 3: Automated Creation of Windows Memory Snapshot w/ DumpIt
Fig 4: Automated Creation of Windows Memory Snapshot w/ Magnet RAM Capture
Fig 5: Automated Creation of Windows Memory Snapshot w/ WinPMEM
Fig 6: Automated Creation of Windows Memory Snapshot w/ Belkasoft Live RAM Capturer
Fig 7: Automated Creation of Windows Memory Snapshot w/ DumpIt (Microsoft Crash Dump)
Fig 8: Automated Creation of Windows Memory Snapshot w/ WinPMEM and Pagefile Collection w/ CyLR
Fig 9: Message Box
Fig 10: Secure Archive Container (PW: IncidentResponse) and Logfile.txt
Fig 11: Output Directories
Fig 12: Memory Directories (WinPMEM and Pagefile)
Fig 13: Memory Snapshot (in a forensically sound manner)
Fig 14: Pagefile Collection
Fig 15: Collected System Information
Pip is the official package manager for Python and the standard way to install libraries from…
R is an open-source programming language and environment built for statistical computing and data visualization. It…
Jenkins is an open-source automation server that makes it easy to build CI/CD pipelines. Continuous integration…
Android Studio is the official IDE for Android development, built on JetBrains' IntelliJ IDEA platform. It…
GitLab is a web-based, open-source Git repository manager written in Ruby. It includes built-in tools for…
Anaconda is the most widely used Python distribution for data science and machine learning. It bundles…