Collect-MemoryDump icon indicating copy to clipboard operation
Collect-MemoryDump copied to clipboard

Published 20 hours ago verified publisher icon evild3ad

Metadata

Collect-MemoryDump - Automated Creation of Windows Memory Snapshots for DFIR

Collect-MemoryDump

Collect-MemoryDump - Automated Creation of Windows Memory Snapshots for DFIR

Collect-MemoryDump.ps1 is PowerShell script utilized to collect a Memory Snapshot from a live Windows system (in a forensically sound manner).

Features:

  • Checks for Hostname and Physical Memory Size before starting memory acquisition
  • Checks if you have enough free disk space to save memory dump file
  • Collects a Raw Physical Memory Dump w/ DumpIt, Magnet RamCapture and WinPMEM
  • Collects a Microsoft Crash Dump w/ DumpIt for Comae Beta from Magnet Idea Lab
  • Checks for Encrypted Volumes w/ Magnet Forensics Encrypted Disk Detector
  • Collects BitLocker Recovery Key
  • Checks for installed Endpoint Security Tools (AntiVirus and EDR)
  • Enumerates all necessary information from the target host to enrich your DFIR workflow
  • Creates a password-protected Secure Archive Container (PW: IncidentResponse)

First Public Release

MAGNET Talks - Frankfurt, Germany (July 27, 2022)
Presentation Title: Modern Digital Forensics and Incident Response Techniques
https://www.magnetforensics.com/

Download

Download the latest version of Collect-MemoryDump from the Releases section.

Usage

.\Collect-MemoryDump.ps1 [-Tool] [--skip]

Example 1 - Raw Physical Memory Snapshot
.\Collect-MemoryDump.ps1 -DumpIt

Example 2 - Microsoft Crash Dump (.zdmp) → optimized for uploading to Comae Investigation Platform
.\Collect-MemoryDump.ps1 -Comae

Note: You can uncompress *.zdmp files generated by DumpIt w/ Z2Dmp (Comae-Toolkit).

Help-Message
Fig 1: Help Message

AvailableSpace
Fig 2: Check Available Space

DumpIt
Fig 3: Automated Creation of Windows Memory Snapshot w/ DumpIt

RamCapture
Fig 4: Automated Creation of Windows Memory Snapshot w/ Magnet RAM Capture

SkipCompressing
Fig 5: The time-consuming task of compressing the memory snapshot can be skipped (if needed)

WinPMEM
Fig 6: Automated Creation of Windows Memory Snapshot w/ WinPMEM

Comae
Fig 7: Automated Creation of Windows Memory Snapshot w/ DumpIt (Microsoft Crash Dump)

MessageBox
Fig 8: Message Box

SecureArchive
Fig 9: Secure Archive Container (PW: IncidentResponse) and Logfile.txt

Directories
Fig 10: Output Directories

Memory
Fig 11: Memory Snapshot (in a forensically sound manner)

SystemInfo
Fig 12: Collected System Information

Links

Comae-Toolkit incl. DumpIt
MAGNET Ram Capture
WinPMEM

Comae
MAGNET Idea Lab - Apply To Join

Metadata

211
Stars
26
Forks
Watchers

Owner

verified publisher icon evild3ad

Metadata

Collect-MemoryDump - Automated Creation of Windows Memory Snapshots for DFIR

Back