Collect-MemoryDump v1.0 releases: Automated Creation of Windows Memory Snapshots for DFIR

by do son · Published · Updated

Windows Memory Snapshots
Fig 4: Automated Creation of Windows Memory Snapshot w/ Magnet RAM Capture

Collect-MemoryDump

Collect-MemoryDump – Automated Creation of Windows Memory Snapshots for DFIR

Collect-MemoryDump.ps1 is a PowerShell script utilized to collect a Memory Snapshot from a live Windows system (in a forensically sound manner).

Features:

  • Checks for Hostname and Physical Memory Size before starting memory acquisition
  • Checks if you have enough free disk space to save the memory dump file
  • Collects a Raw Physical Memory Dump w/ DumpIt, Magnet RamCapture, and WinPMEM
  • Collects a Microsoft Crash Dump w/ DumpIt for Comae Beta from Magnet Idea Lab
  • Checks for Encrypted Volumes w/ Magnet Forensics Encrypted Disk Detector
  • Collects BitLocker Recovery Key
  • Checks for installed Endpoint Security Tools (AntiVirus and EDR)
  • Enumerates all necessary information from the target host to enrich your DFIR workflow
  • Creates a password-protected Secure Archive Container (PW: IncidentResponse)

Usage

.\Collect-MemoryDump.ps1 [-Tool] [–skip]

Example 1 – Raw Physical Memory Snapshot
.\Collect-MemoryDump.ps1 -DumpIt

Example 2 – Microsoft Crash Dump (.zdmp) → optimized for uploading to Comae Investigation Platform
.\Collect-MemoryDump.ps1 -Comae

Note: You can uncompress *.zdmp files generated by DumpIt w/ Z2Dmp (Comae-Toolkit).

Fig 1: Help Message

 

Fig 2: Check Available Space

 

Windows Memory Snapshots

Fig 3: Automated Creation of Windows Memory Snapshot w/ DumpIt

 

Fig 4: Automated Creation of Windows Memory Snapshot w/ Magnet RAM Capture

 

Windows Memory Snapshots

Fig 5: The time-consuming task of compressing the memory snapshot can be skipped (if needed)

Changelog v1.0

Added: Pagefile Collection w/ Magnet RESPONSE v1.7.0
Added: Capturing Running Process/Module Information w/ Magnet RESPONSE v1.7.0
Added: Error Notification (MessageBox)
Added: Improved OS Fingerprinting
Added: Improved LastBoot and Uptime (when Fast Startup is enabled)
Update: 7-Zip 22.01 Standalone Console –> 7-Zip 23.01 Standalone Console (2023-06-20)
Fixed: Other minor fixes and improvements

Download

Copyright (C) 2022 evild3ad

Tags: Windows Memory Snapshots