Memory Forensics: How to Capture Memory for Analysis

Thursday, November 10, 2011

Dan Dieterle


There are several ways to capture memory from a Windows machine for analysis, but want an easy one? I mean a really easy one? Then look no further than MoonSols' "DumpIt".

MoonSols, the creator of the ever popular "win32dd" and "win64dd" memory dump programs, has combined both into a single executable that, when run, writes a raw copy of physical memory into the directory it was launched from. Like its predecessors it loads a kernel driver to read physical memory, so it has to be run with administrative rights.

Just throw DumpIt onto a USB drive or save it on your hard drive, double click it, and confirm the prompts. Before you know it you have a complete copy of your machine's memory sitting on disk. If the machine is evidence, prefer the USB drive: writing a multi-gigabyte file to the system drive overwrites unallocated space you may want to examine later, and running anything on the live system already changes its memory, so keep what you run to a minimum.


The only thing you need to make sure of, especially if using a USB drive, is that it is large enough to hold the file that is created. DumpIt captures the physical address space rather than just the populated RAM, so the dump is usually a little larger than the installed memory: a machine with 4 GB of RAM can produce a file of around 5 GB. Check the drive's file system as well as its free space, because a FAT32 formatted USB stick cannot hold a single file larger than 4 GB.
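Here is a pre-flight check, added here as an example rather than taken from the original post or from MoonSols, that compares installed RAM against free space on the destination drive (and flags FAT32) before you run DumpIt, then sanity-checks and hashes the resulting dump so you have an integrity record before the file is copied anywhere. The drive letter and the dump file name are assumptions you supply; DumpIt's own behaviour is not scripted, since the post runs it interactively.

```powershell
# Added example, not part of the original post. Assumptions: $TargetDrive is the
# USB drive DumpIt will be run from and $DumpFile is the .raw file it produced.
# Requires Get-CimInstance (PowerShell 3+) and Get-FileHash (PowerShell 4+).
param(
    [string]$TargetDrive = "E:",   # assumption: drive letter of the USB stick
    [string]$DumpFile    = ""      # assumption: set to the dump path after capture
)

# Installed RAM in bytes.
$ramBytes = (Get-CimInstance -ClassName Win32_ComputerSystem).TotalPhysicalMemory

# Free space and file system of the destination volume.
$disk = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DeviceID='$TargetDrive'"
if (-not $disk) { Write-Error "Drive $TargetDrive not found."; exit 1 }

# The dump covers the physical address space, so plan for more than installed RAM.
# 25% slack matches the post's 4 GB RAM -> ~5 GB file rule of thumb.
$needed = [math]::Ceiling($ramBytes * 1.25)

"Installed RAM   : {0:N2} GB" -f ($ramBytes / 1GB)
"Free on $TargetDrive      : {0:N2} GB ({1})" -f ($disk.FreeSpace / 1GB), $disk.FileSystem
"Recommended     : {0:N2} GB" -f ($needed / 1GB)

if ($disk.FileSystem -eq "FAT32" -and $needed -gt 4GB) {
    Write-Warning "$TargetDrive is FAT32: single files are capped at 4 GB. Reformat as NTFS or exFAT."
    exit 1
}
if ($disk.FreeSpace -lt $needed) {
    Write-Warning "Not enough free space on $TargetDrive for a full memory dump."
    exit 1
}
"Pre-flight OK. Run DumpIt from $TargetDrive as an administrator now."

# Post-capture checks: run again with -DumpFile pointing at the .raw DumpIt wrote.
if ($DumpFile -and (Test-Path -LiteralPath $DumpFile)) {
    $size = (Get-Item -LiteralPath $DumpFile).Length
    "Dump size       : {0:N2} GB" -f ($size / 1GB)
    if ($size -lt $ramBytes) {
        # A dump smaller than installed RAM almost always means the capture
        # was interrupted or the drive filled up.
        Write-Warning "Dump is smaller than installed RAM; the capture may be truncated."
    }
    # Record the hash while the file is still on the capture drive, so any later
    # copy can be verified against it.
    Get-FileHash -LiteralPath $DumpFile -Algorithm SHA256 | Format-List Algorithm, Hash, Path
}
```

Run the script once before launching DumpIt, and once more with `-DumpFile` after it finishes; keep the printed SHA-256 with your notes, since that hash is what ties every later working copy back to the original capture.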

Malware Analysts use memory dumps to analyze malicious software. Once you have the memory dump, you can perform some very interesting analysis on it, like viewing what processes and programs were running on the machine, and what network connections the system had.

You can even pull passwords from them, which we will look at next time.

Cross-posted from Cyber Arms

Chris Kimmel: Or you can just use FTK Imager... I mean, it has actually been defended in court and is a viable tool...

Load it up, go to File, select Capture Memory...

Imager Lite can be used from a flash drive.

http://accessdata.com/support/adownloads

Dan Dieterle: Very cool, thanks Chris!