Collect-MemoryDump – Automated Creation of Windows Memory Snapshots for DFIR
Collect-MemoryDump.ps1 is PowerShell script utilized to collect a Memory Snapshot from a live Windows system (in a forensically sound manner).
Features:
- Checks for Hostname and Physical Memory Size before starting memory acquisition
- Checks if you have enough free disk space to save memory dump file
- Collects a Raw Physical Memory Dump w/ DumpIt, Magnet Ram Capture, Belkasoft Live RAM Capturer and WinPMEM
- Collects a Microsoft Crash Dump w/ DumpIt for Comae Beta from Magnet Idea Lab
- Pagefile Collection w/ CyLR – Live Response Collection tool by Alan Orlikoski and Jason Yegge
- Checks for Encrypted Volumes w/ Magnet Forensics Encrypted Disk Detector
- Collects BitLocker Recovery Key
- Checks for installed Endpoint Security Tools (AntiVirus and EDR)
- Enumerates all necessary information from the target host to enrich your DFIR workflow
- Creates a password-protected Secure Archive Container (PW: IncidentResponse)
First Public Release
MAGNET Talks – Frankfurt, Germany (July 27, 2022)
Presentation Title: Modern Digital Forensics and Incident Response Techniques
https://www.magnetforensics.com/
Download
Download the latest version of Collect-MemoryDump from the Releases section.
Note: Collect-MemoryDump does not include all external tools by default.
You have to download following dependencies:
Copy the required files to following file locations:
Belkasoft Live RAM Capturer$SCRIPT_DIRToolsRamCapturerx64msvcp110.dll$SCRIPT_DIRToolsRamCapturerx64msvcr110.dll$SCRIPT_DIRToolsRamCapturerx64RamCapture64.exe$SCRIPT_DIRToolsRamCapturerx64RamCaptureDriver64.sys$SCRIPT_DIRToolsRamCapturerx86msvcp110.dll$SCRIPT_DIRToolsRamCapturerx86msvcr110.dll$SCRIPT_DIRToolsRamCapturerx86RamCapture.exe$SCRIPT_DIRToolsRamCapturerx86RamCaptureDriver.sys
Comae-Toolkit$SCRIPT_DIRToolsDumpItARM64DumpIt.exe$SCRIPT_DIRToolsDumpItx64DumpIt.exe$SCRIPT_DIRToolsDumpItx86DumpIt.exe
MAGNET Encrypted Disk Detector$SCRIPT_DIRToolsEDDEDDv310.exe
MAGNET Ram Capture$SCRIPT_DIRToolsMRCMRCv120.exe
Usage
.Collect-MemoryDump.ps1 [-Tool] [–Pagefile]
Example 1 – Raw Physical Memory Snapshot
.Collect-MemoryDump.ps1 -DumpIt
Example 2 – Microsoft Crash Dump (.zdmp) → optimized for uploading to Comae Investigation Platform
.Collect-MemoryDump.ps1 -Comae
Note: You can uncompress *.zdmp files generated by DumpIt w/ Z2Dmp (Comae-Toolkit).
Example 3 – Raw Physical Memory Snapshot and Pagefile Collection → MemProcFS
.Collect-MemoryDump.ps1 -WinPMEM –Pagefile
Fig 1: Help Message
Fig 2: Check Available Space
Fig 3: Automated Creation of Windows Memory Snapshot w/ DumpIt
Fig 4: Automated Creation of Windows Memory Snapshot w/ Magnet RAM Capture
Fig 5: Automated Creation of Windows Memory Snapshot w/ WinPMEM
Fig 6: Automated Creation of Windows Memory Snapshot w/ Belkasoft Live RAM Capturer
Fig 7: Automated Creation of Windows Memory Snapshot w/ DumpIt (Microsoft Crash Dump)
Fig 8: Automated Creation of Windows Memory Snapshot w/ WinPMEM and Pagefile Collection w/ CyLR
Fig 9: Message Box
Fig 10: Secure Archive Container (PW: IncidentResponse) and Logfile.txt
Fig 11: Output Directories
Fig 12: Memory Directories (WinPMEM and Pagefile)
Fig 13: Memory Snapshot (in a forensically sound manner)
Fig 14: Pagefile Collection
Fig 15: Collected System Information
Dependencies
7-Zip 22.01 Standalone Console (2022-07-15)
https://www.7-zip.org/download.html
Belkasoft Live RAM Capturer (2018-10-22)
https://belkasoft.com/ram-capturer
DumpIt 3.5.0 (2022-08-02) → Comae-Toolkit
https://magnetidealab.com/
https://beta.comae.tech/
CyLR 3.0 (2021-02-03)
https://github.com/orlikoski/CyLR
Magnet Encrypted Disk Detector v3.1.0 (2022-06-19)
https://www.magnetforensics.com/resources/encrypted-disk-detector/
https://support.magnetforensics.com/s/free-tools
Magnet RAM Capture v1.2.0 (2019-07-24)
https://www.magnetforensics.com/resources/magnet-ram-capture/
https://support.magnetforensics.com/s/software-and-downloads?productTag=free-tools
PsLoggedOn v1.35 (2016-06-29)
https://docs.microsoft.com/de-de/sysinternals/downloads/psloggedon
WinPMEM 4.0 RC2 (2020-10-12)
https://github.com/Velocidex/WinPmem/releases
Links
Belkasoft Live RAM Capturer
Comae-Toolkit incl. DumpIt
CyLR – Live Response Collection Tool
MAGNET Encrypted Disk Detector
MAGNET Ram Capture
WinPMEM
