Capturing Memory Dump
Introduction
In the case of Windows in particular, acquiring and investigating a memory dump can provide information that is not on disk at all, or that is difficult to recover from disk.
For this reason, in Windows forensic investigations it is recommended that a memory dump be acquired whenever possible.
A memory dump is a very useful volatile artifact: it contains most of the important artifacts you could find at run time, such as running processes and programs, network connections, evidence of malware intrusion, registry hives, usernames and passwords, decrypted files and keys, the MFT, and evidence of activity that is not typically stored on the local hard disk.
Memory dump acquisition tool
On Windows
WinPmem has been the default open source memory acquisition driver for Windows for a long time. It used to live in the Rekall project, but has recently been separated into its own repository.
You can check the repo on GitHub.
Usage
First, download the Windows binary matching your machine architecture.
Open an elevated command prompt (run as administrator), then browse to the location of your downloaded binary.
- Execute WinPmem and write the memory to a raw image file:

```
winpmem_mini_x64_rc2.exe memdump.raw
```
Now you can use this memory dump file to analyze and investigate it.
Many tools can aid a security analyst or incident responder in performing memory analysis on a potentially compromised endpoint.
Often, when an analyst is triaging, time is of the essence, and the analyst needs to perform a quick assessment to determine the nature of a security event.
You can check this Medium article, in which someone uses FireEye RedLine to analyze memory dumps.
On Linux
AVML is a versatile, userland volatile memory acquisition tool designed for Linux systems, written in Rust and available as a static binary for X86_64 architectures. It allows users to capture memory without prior knowledge of the target OS distribution or kernel, eliminating the need for on-target compilation or fingerprinting.
Key Features:
- Flexible Storage Options: Save acquired memory images to external locations like Azure Blob Store or via HTTP PUT.
- Resilient Uploading: Features automatic retry with exponential backoff for uploading to Azure Blob Store, ensuring reliability even in the face of network issues.
- Optional Compression: Supports page-level compression using Snappy to reduce the size of captured data.
- Compatibility: Outputs in the LiME format when compression is not used, maintaining compatibility with established tools.
This tool simplifies the process of volatile memory acquisition across diverse Linux environments.
Usage
Download the latest AVML release from GitHub, make it executable and run it (the output file name is the only required argument):

```
chmod +x avml
sudo ./avml output.lime
```
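Once you have an uncompressed AVML capture, it is worth checking that the file actually parses as LiME and recording its hash before analysis. The following script is an added example, not part of this page or of the AVML project: it walks the 32-byte LiME range headers (magic "LiME", version 1, inclusive start and end address, 8 reserved bytes), checks that every segment is present, and hashes the image. The sample image it builds is constructed test data; Snappy-compressed captures use a different container and are rejected rather than parsed.

```python
import hashlib
import struct

# LiME per-range header: magic, version, start addr, end addr, reserved (32 bytes, little-endian)
LIME_MAGIC = 0x4C694D45  # ASCII "LiME"
LIME_HEADER = struct.Struct("<IIQQ8s")


def build_lime_image(ranges):
    """Build an uncompressed LiME image from (start_addr, data) pairs. Constructed test data only."""
    out = bytearray()
    for start, data in ranges:
        end = start + len(data) - 1  # e_addr is inclusive
        out += LIME_HEADER.pack(LIME_MAGIC, 1, start, end, b"\x00" * 8)
        out += data
    return bytes(out)


def parse_lime(image):
    """Return a list of (start_addr, end_addr, length) for each range in an uncompressed LiME image.

    Raises ValueError on a bad magic, an unsupported version, or a truncated segment,
    so an incomplete or compressed capture is caught before it reaches the analysis tooling.
    """
    offset, ranges = 0, []
    while offset < len(image):
        if len(image) - offset < LIME_HEADER.size:
            raise ValueError(f"truncated header at offset {offset}")
        magic, version, s_addr, e_addr, _ = LIME_HEADER.unpack_from(image, offset)
        if magic != LIME_MAGIC:
            raise ValueError(f"bad magic 0x{magic:08X} at offset {offset} (compressed capture?)")
        if version != 1 or e_addr < s_addr:
            raise ValueError(f"invalid header at offset {offset}")
        length = e_addr - s_addr + 1
        offset += LIME_HEADER.size
        if offset + length > len(image):
            raise ValueError(f"segment at 0x{s_addr:X} truncated: expected {length} bytes")
        ranges.append((s_addr, e_addr, length))
        offset += length
    return ranges


def sha256_hex(data):
    """Hash of the acquired image, to be recorded alongside the capture for chain of custody."""
    return hashlib.sha256(data).hexdigest()


if __name__ == "__main__":
    sample = build_lime_image([(0x1000, b"A" * 4096), (0x100000, b"B" * 8192)])
    for s, e, n in parse_lime(sample):
        print(f"range 0x{s:X}-0x{e:X} ({n} bytes)")
    print("sha256:", sha256_hex(sample))
```

To run it against a real capture, read the file into `parse_lime` instead of `build_lime_image`; for large images, hash the file in chunks rather than loading it whole.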
You can check this article from OpenSource.com on how to perform Linux memory forensics in more detail.
Or this write-up about memory forensics with Volatility on Linux and Windows on HackTheBox's blog.
Finally
You can check this curated awesome list of Memory Forensics on GitHub.
© 2024 - Sofiane Hamlaooui - Making the world a better place 🌎