Ethical Hacking News Hubb
Advertisement Banner
  • Home
  • News
  • Ethical Hackers
  • Contact
No Result
View All Result
  • Home
  • News
  • Ethical Hackers
  • Contact
No Result
View All Result
Wellnessnewshubb
No Result
View All Result
Home News

MemoryDump – Automated Creation Of Windows Memory Snapshots For DFIR

admin by admin
November 6, 2022
in News




Collect-MemoryDump – Automated Creation of Windows Memory Snapshots for DFIR

Collect-MemoryDump.ps1 is PowerShell script utilized to collect a Memory Snapshot from a live Windows system (in a forensically sound manner).

Features:

  • Checks for Hostname and Physical Memory Size before starting memory acquisition
  • Checks if you have enough free disk space to save memory dump file
  • Collects a Raw Physical Memory Dump w/ DumpIt, Magnet Ram Capture, Belkasoft Live RAM Capturer and WinPMEM
  • Collects a Microsoft Crash Dump w/ DumpIt for Comae Beta from Magnet Idea Lab
  • Pagefile Collection w/ CyLR – Live Response Collection tool by Alan Orlikoski and Jason Yegge
  • Checks for Encrypted Volumes w/ Magnet Forensics Encrypted Disk Detector
  • Collects BitLocker Recovery Key
  • Checks for installed Endpoint Security Tools (AntiVirus and EDR)
  • Enumerates all necessary information from the target host to enrich your DFIR workflow
  • Creates a password-protected Secure Archive Container (PW: IncidentResponse)

First Public Release

MAGNET Talks – Frankfurt, Germany (July 27, 2022)
Presentation Title: Modern
Digital Forensics and Incident Response Techniques
https://www.magnetforensics.com/

Download

Download the latest version of Collect-MemoryDump from the Releases section.

Note: Collect-MemoryDump does not include all external tools by default.

You have to download following dependencies:

Copy the required files to following file locations:

Belkasoft Live RAM Capturer
$SCRIPT_DIRToolsRamCapturerx64msvcp110.dll
$SCRIPT_DIRToolsRamCapturerx64msvcr110.dll
$SCRIPT_DIRToolsRamCapturerx64RamCapture64.exe
$SCRIPT_DIRToolsRamCapturerx64RamCaptureDriver64.sys
$SCRIPT_DIRToolsRamCapturerx86msvcp110.dll
$SCRIPT_DIRToolsRamCapturerx86msvcr110.dll
$SCRIPT_DIRToolsRamCapturerx86RamCapture.exe
$SCRIPT_DIRToolsRamCapturerx86RamCaptureDriver.sys

Comae-Toolkit
$SCRIPT_DIRToolsDumpItARM64DumpIt.exe
$SCRIPT_DIRToolsDumpItx64DumpIt.exe
$SCRIPT_DIRToolsDumpItx86DumpIt.exe

MAGNET Encrypted Disk Detector
$SCRIPT_DIRToolsEDDEDDv310.exe

MAGNET Ram Capture
$SCRIPT_DIRToolsMRCMRCv120.exe

Usage

.Collect-MemoryDump.ps1 [-Tool] [–Pagefile]

Example 1 – Raw Physical Memory Snapshot
.Collect-MemoryDump.ps1 -DumpIt

Example 2 – Microsoft Crash Dump (.zdmp) → optimized for uploading to Comae Investigation Platform
.Collect-MemoryDump.ps1 -Comae

Note: You can uncompress *.zdmp files generated by DumpIt w/ Z2Dmp (Comae-Toolkit).

Example 3 – Raw Physical Memory Snapshot and Pagefile Collection → MemProcFS
.Collect-MemoryDump.ps1 -WinPMEM –Pagefile

Fig 1: Help Message

Fig 2: Check Available Space

Fig 3: Automated Creation of Windows Memory Snapshot w/ DumpIt

Fig 4: Automated Creation of Windows Memory Snapshot w/ Magnet RAM Capture

Fig 5: Automated Creation of Windows Memory Snapshot w/ WinPMEM

Fig 6: Automated Creation of Windows Memory Snapshot w/ Belkasoft Live RAM Capturer

Fig 7: Automated Creation of Windows Memory Snapshot w/ DumpIt (Microsoft Crash Dump)

Fig 8: Automated Creation of Windows Memory Snapshot w/ WinPMEM and Pagefile Collection w/ CyLR

Fig 9: Message Box

Fig 10: Secure Archive Container (PW: IncidentResponse) and Logfile.txt

Fig 11: Output Directories

Fig 12: Memory Directories (WinPMEM and Pagefile)

Fig 13: Memory Snapshot (in a forensically sound manner)

Fig 14: Pagefile Collection

Fig 15: Collected System Information

Dependencies

7-Zip 22.01 Standalone Console (2022-07-15)
https://www.7-zip.org/download.html

Belkasoft Live RAM Capturer (2018-10-22)
https://belkasoft.com/ram-capturer

DumpIt 3.5.0 (2022-08-02) → Comae-Toolkit
https://magnetidealab.com/
https://beta.comae.tech/

CyLR 3.0 (2021-02-03)
https://github.com/orlikoski/CyLR

Magnet Encrypted Disk Detector v3.1.0 (2022-06-19)
https://www.magnetforensics.com/resources/encrypted-disk-detector/
https://support.magnetforensics.com/s/free-tools

Magnet RAM Capture v1.2.0 (2019-07-24)
https://www.magnetforensics.com/resources/magnet-ram-capture/
https://support.magnetforensics.com/s/software-and-downloads?productTag=free-tools

PsLoggedOn v1.35 (2016-06-29)
https://docs.microsoft.com/de-de/sysinternals/downloads/psloggedon

WinPMEM 4.0 RC2 (2020-10-12)
https://github.com/Velocidex/WinPmem/releases

Links

Belkasoft Live RAM Capturer
Comae-Toolkit incl. DumpIt
CyLR – Live Response Collection Tool
MAGNET Encrypted Disk Detector
MAGNET Ram Capture
WinPMEM


MAGNET Idea Lab – Apply To Join





Source link

Tags: cybersecurityethical hackinghack androidhack apphack wordpresshacker newshackinghacking tools for windowskeyloggerkitkitploitpassword brute forcepenetration testingpentestpentest androidpentest linuxpentest toolkitpentest toolsspy tool kitspywaretools
Previous Post

How to watch Mushoku Tensai from anywhere

Next Post

Medibank Refuses to Pay Ransom After 9.7 Million Customers Exposed in Ransomware Hack

Next Post

Medibank Refuses to Pay Ransom After 9.7 Million Customers Exposed in Ransomware Hack

Recommended

ProtonVPN vs IPVanish: Which VPN Wins?

5 months ago

Malicious Google Play Store App Spotted Distributing Xenomorph Banking Trojan

5 months ago

© Ethical Hacking News Hubb All rights reserved.

Use of these names, logos, and brands does not imply endorsement unless specified. By using this site, you agree to the Privacy Policy and Terms & Conditions.

Navigate Site

  • Home
  • News
  • Ethical Hackers
  • Contact

Newsletter Sign Up.

No Result
View All Result
  • Home
  • News
  • Ethical Hackers
  • Contact

© 2022 Ethical Hacking News Hubb All rights reserved.