Memory Forensics: How to Capture Memory for Analysis

Thursday, November 10, 2011

Dan Dieterle


There are several ways to capture memory from a Windows machine for analysis, but want an easy one? I mean a really easy one? Then look no further than MoonSols "DumpIt".

MoonSols, the creator of the ever popular "win32dd" and "win64dd" memory dump programs, has combined both into a single executable that, when run, writes a copy of physical memory into the current directory.

Just throw DumpIt onto a USB drive or save it on your hard drive, double click it, select yes twice and before you know it you have a complete copy of your machine’s memory sitting on disk.



The only thing you need to make sure of, especially if you are using a USB drive, is that it is large enough to hold the file that is created. The memory dump will be a little larger than the size of your installed RAM. So, for instance, a machine with 4GB RAM will produce about a 5 GB file.
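Two things an examiner wants around that double-click: a check that the destination drive really has room for a file a bit larger than installed RAM, and a hash of the finished image so it can be shown later that the file analysed is the file that was captured. The script below is an added example, not part of the original post and not MoonSols code; the 25% headroom factor (`HEADROOM`) is my assumption derived from the post's "4GB RAM gives about a 5 GB file" rule of thumb, and all function names are mine.

```python
"""Pre-flight sizing check and integrity hash for a raw memory acquisition.

Added example (not from the original post or from MoonSols). Run it from
the USB drive or folder where the dump will be written, then hash the
image once the acquisition tool has finished.
"""
import hashlib
import os
import platform
import shutil
import sys

# Assumed headroom: the post says the dump is "a little larger" than RAM
# (4 GB RAM -> ~5 GB file). 1.25 reproduces that; it is not a DumpIt spec.
HEADROOM = 1.25


def required_dump_bytes(ram_bytes: int, headroom: float = HEADROOM) -> int:
    """Conservative estimate of the image size for a given amount of RAM."""
    return int(ram_bytes * headroom)


def has_room(free_bytes: int, ram_bytes: int, headroom: float = HEADROOM) -> bool:
    """True if a volume with free_bytes available can hold the estimated image."""
    return free_bytes >= required_dump_bytes(ram_bytes, headroom)


def installed_ram_bytes() -> int:
    """Total physical memory: Win32 GlobalMemoryStatusEx on Windows, sysconf elsewhere."""
    if platform.system() == "Windows":
        import ctypes

        class MEMORYSTATUSEX(ctypes.Structure):
            _fields_ = [
                ("dwLength", ctypes.c_ulong),
                ("dwMemoryLoad", ctypes.c_ulong),
                ("ullTotalPhys", ctypes.c_ulonglong),
                ("ullAvailPhys", ctypes.c_ulonglong),
                ("ullTotalPageFile", ctypes.c_ulonglong),
                ("ullAvailPageFile", ctypes.c_ulonglong),
                ("ullTotalVirtual", ctypes.c_ulonglong),
                ("ullAvailVirtual", ctypes.c_ulonglong),
                ("ullAvailExtendedVirtual", ctypes.c_ulonglong),
            ]

        stat = MEMORYSTATUSEX()
        stat.dwLength = ctypes.sizeof(MEMORYSTATUSEX)
        ctypes.windll.kernel32.GlobalMemoryStatusEx(ctypes.byref(stat))
        return int(stat.ullTotalPhys)
    try:
        return os.sysconf("SC_PAGE_SIZE") * os.sysconf("SC_PHYS_PAGES")
    except (ValueError, OSError, AttributeError):
        # Fallback for systems without those sysconf names: parse /proc/meminfo.
        with open("/proc/meminfo") as f:
            for line in f:
                if line.startswith("MemTotal:"):
                    return int(line.split()[1]) * 1024
        raise RuntimeError("could not determine installed RAM")


def preflight(dest_dir: str) -> dict:
    """Compare free space on the destination volume with the estimated image size."""
    ram = installed_ram_bytes()
    free = shutil.disk_usage(dest_dir).free
    return {
        "ram_bytes": ram,
        "free_bytes": free,
        "required_bytes": required_dump_bytes(ram),
        "ok": has_room(free, ram),
    }


def sha256_bytes(data: bytes) -> str:
    """SHA-256 of an in-memory buffer (used for small self-checks)."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream-hash a multi-gigabyte image without reading it all into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


if __name__ == "__main__":
    # Usage: python memcheck.py <destination dir> [<finished image to hash>]
    dest = sys.argv[1] if len(sys.argv) > 1 else "."
    report = preflight(dest)
    for key, value in report.items():
        print(f"{key}: {value}")
    if len(sys.argv) > 2:
        print(f"sha256({sys.argv[2]}): {sha256_file(sys.argv[2])}")
```

Record the hash alongside the hostname, time and tool version in your notes; a second `sha256_file` run on the working copy before analysis confirms nothing changed in transit.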

Malware analysts use memory dumps to analyze malicious software. Once you have the memory dump, you can perform some very interesting analysis on it, like viewing what processes and programs were running on the machine, and what network connections the system had.

You can even pull passwords from them, which we will look at next time.

Cross-posted from Cyber Arms

Chris Kimmel: or you can just FTK Imager... I mean it has actually been defended in court and is a viable tool...

load it up, go to file, select capture memory....

Imager Lite can be used from a flash drive

Dan Dieterle: Very cool, thanks Chris!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
