Collect-MemoryDump
Collect-MemoryDump - Automated Creation of Windows Memory Snapshots for DFIR
Collect-MemoryDump.ps1 is a PowerShell script used to collect a memory snapshot from a live Windows system in a forensically sound manner.
Features:
- Checks for Hostname and Physical Memory Size before starting memory acquisition
- Checks if you have enough free disk space to save memory dump file
- Collects a Raw Physical Memory Dump w/ DumpIt, Magnet RamCapture and WinPMEM
- Collects a Microsoft Crash Dump w/ DumpIt for Comae Beta from Magnet Idea Lab
- Checks for Encrypted Volumes w/ Magnet Forensics Encrypted Disk Detector
- Collects BitLocker Recovery Key
- Checks for installed Endpoint Security Tools (AntiVirus and EDR)
- Enumerates all necessary information from the target host to enrich your DFIR workflow
- Creates a password-protected Secure Archive Container (PW: IncidentResponse)
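The pre-flight checks and host enumeration described in the first items of the feature list (hostname, physical memory size, free disk space, installed AV, BitLocker recovery keys) are the part of an acquisition that most often goes wrong on a live host. The following PowerShell is an added example written for this page; it is not code from Collect-MemoryDump.ps1 and makes no claims about how that script is implemented. It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows with CIM available, an elevated session for the BitLocker part, and a hypothetical output directory of C:\IR\MemoryDump; the function names are the example's own.

```powershell
# Added example, not part of Collect-MemoryDump.ps1.
# Pre-acquisition checks: hostname, RAM size, free space on the output drive.
function Get-MemoryAcquisitionPreflight {
    [CmdletBinding()]
    param(
        # Directory that will receive the dump (assumed value in the usage below).
        [Parameter(Mandatory)]
        [string]$OutputDirectory,

        # A raw dump is roughly the size of physical RAM and a crash dump adds
        # headers, so require RAM plus this margin before starting.
        [long]$SafetyMarginBytes = 2GB
    )

    $cs       = Get-CimInstance -ClassName Win32_ComputerSystem
    $hostname = $cs.Name
    $totalRam = [long]$cs.TotalPhysicalMemory

    # Create the output directory if needed, then resolve the drive behind it.
    if (-not (Test-Path -LiteralPath $OutputDirectory)) {
        New-Item -ItemType Directory -Path $OutputDirectory -Force | Out-Null
    }
    $root    = [System.IO.Path]::GetPathRoot((Resolve-Path -LiteralPath $OutputDirectory).Path)
    $deviceId = $root.TrimEnd('\')                     # e.g. 'C:\' -> 'C:'
    $drive   = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DeviceID='$deviceId'"
    $free    = [long]$drive.FreeSpace
    $required = $totalRam + $SafetyMarginBytes

    [pscustomobject]@{
        Hostname           = $hostname
        PhysicalMemoryGB   = [math]::Round($totalRam / 1GB, 2)
        OutputDrive        = $root
        FreeSpaceGB        = [math]::Round($free / 1GB, 2)
        RequiredSpaceGB    = [math]::Round($required / 1GB, 2)
        HasEnoughFreeSpace = ($free -ge $required)
    }
}

# Installed AV products as registered with Windows Security Center.
# root/SecurityCenter2 exists on client editions only; on Server it is absent,
# so report "unknown" (null) rather than "no AV installed".
function Get-InstalledEndpointSecurity {
    try {
        Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct -ErrorAction Stop |
            Select-Object displayName, pathToSignedProductExe, productState
    } catch {
        Write-Warning "SecurityCenter2 not available (server edition?): $($_.Exception.Message)"
        $null
    }
}

# BitLocker recovery passwords for every volume (requires elevation and the
# BitLocker module). Collected before imaging so an encrypted volume in the
# resulting image can still be opened later.
function Get-BitLockerRecoveryPasswords {
    Get-BitLockerVolume | ForEach-Object {
        $vol = $_
        $vol.KeyProtector |
            Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' } |
            ForEach-Object {
                [pscustomobject]@{
                    MountPoint       = $vol.MountPoint
                    ProtectionStatus = $vol.ProtectionStatus
                    RecoveryPassword = $_.RecoveryPassword
                }
            }
    }
}

# Usage (assumed output path). Abort before running any acquisition tool if the
# target drive cannot hold a dump the size of physical memory plus the margin.
$pre = Get-MemoryAcquisitionPreflight -OutputDirectory 'C:\IR\MemoryDump'
$pre | Format-List
if (-not $pre.HasEnoughFreeSpace) {
    throw "Only $($pre.FreeSpaceGB) GB free on $($pre.OutputDrive); need $($pre.RequiredSpaceGB) GB."
}
Get-InstalledEndpointSecurity | Format-Table -AutoSize
Get-BitLockerRecoveryPasswords | Format-Table -AutoSize
```

Writing the dump to a removable or network drive rather than the system volume keeps the acquisition from overwriting unallocated space on the disk you may later want to image; the free-space check applies to whichever drive the output directory resolves to.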
First Public Release
MAGNET Talks - Frankfurt, Germany (July 27, 2022)
Presentation Title: Modern Digital Forensics and Incident Response Techniques
https://www.magnetforensics.com/
Download
Download the latest version of Collect-MemoryDump from the Releases section.
Usage
.\Collect-MemoryDump.ps1 [-Tool] [--skip]
Example 1 - Raw Physical Memory Snapshot
.\Collect-MemoryDump.ps1 -DumpIt
Example 2 - Microsoft Crash Dump (.zdmp) → optimized for uploading to Comae Investigation Platform
.\Collect-MemoryDump.ps1 -Comae
Note: You can uncompress *.zdmp files generated by DumpIt w/ Z2Dmp (Comae-Toolkit).
Fig 1: Help Message
Fig 2: Check Available Space
Fig 3: Automated Creation of Windows Memory Snapshot w/ DumpIt
Fig 4: Automated Creation of Windows Memory Snapshot w/ Magnet RAM Capture
Fig 5: The time-consuming task of compressing the memory snapshot can be skipped (if needed)
Fig 6: Automated Creation of Windows Memory Snapshot w/ WinPMEM
Fig 7: Automated Creation of Windows Memory Snapshot w/ DumpIt (Microsoft Crash Dump)
Fig 8: Message Box
Fig 9: Secure Archive Container (PW: IncidentResponse) and Logfile.txt
Fig 10: Output Directories
Fig 11: Memory Snapshot (in a forensically sound manner)
Fig 12: Collected System Information