Collect-MemoryDump - Automated Creation of Windows Memory Snapshots for DFIR
Collect-MemoryDump.ps1 is PowerShell script utilized to collect a Memory Snapshot from a live Windows system (incuding Pagefile Collection) in a forensically sound manner.
Features:
- ARM64 Support (MAGNET DumpIt for Windows and MAGNET Response)
- Checks for Hostname and Physical Memory Size before starting memory acquisition
- Checks if you have enough free disk space to save memory dump file
- Collects a Microsoft Crash Dump w/ MAGNET DumpIt for Windows
- Collects a Raw Physical Memory Dump w/ MAGNET DumpIt, MAGNET RAM Capture, Belkasoft Live RAM Capturer and WinPMEM
- Pagefile Collection w/ MAGNET Response → very useful when dealing with reflective PE injection techniques
- Collects Running Process/Module Information w/ MAGNET Response
- Checks for Encrypted Volumes w/ MAGNET Encrypted Disk Detector (EDD)
- Collects BitLocker Recovery Key
- Checks for installed Endpoint Security Tools (AntiVirus and EDR)
- Enumerates all necessary information from the target host to enrich your DFIR workflow
- Creates a password-protected Secure Archive Container (PW: IncidentResponse)
Tip
Automated Forensic Analysis of Windows Memory Dumps and corresponding Pagefiles w/ MemProcFS-Analyzer
MAGNET Talks - Frankfurt, Germany (July 27, 2022)
Presentation Title: Modern Digital Forensics and Incident Response Techniques
https://www.magnetforensics.com/
Download the latest version of Collect-MemoryDump from the Releases section.
Note
Collect-MemoryDump does not include all external tools by default.
You have to download following dependencies:
- Belkasoft Live RAM Capturer
- MAGNET DumpIt for Windows
- MAGNET Encrypted Disk Detector
- MAGNET RAM Capture
- MAGNET Response
Copy the required files to following file locations:
Belkasoft Live RAM Capturer
$SCRIPT_DIR\Tools\RamCapturer\x64\msvcp110.dll
$SCRIPT_DIR\Tools\RamCapturer\x64\msvcr110.dll
$SCRIPT_DIR\Tools\RamCapturer\x64\RamCapture64.exe
$SCRIPT_DIR\Tools\RamCapturer\x64\RamCaptureDriver64.sys
$SCRIPT_DIR\Tools\RamCapturer\x86\msvcp110.dll
$SCRIPT_DIR\Tools\RamCapturer\x86\msvcr110.dll
$SCRIPT_DIR\Tools\RamCapturer\x86\RamCapture.exe
$SCRIPT_DIR\Tools\RamCapturer\x86\RamCaptureDriver.sys
MAGNET DumpIt for Windows
$SCRIPT_DIR\Tools\DumpIt\ARM64\DumpIt.exe
$SCRIPT_DIR\Tools\DumpIt\x64\DumpIt.exe
$SCRIPT_DIR\Tools\DumpIt\x86\DumpIt.exe
MAGNET Encrypted Disk Detector
$SCRIPT_DIR\Tools\EDD\EDDv310.exe
MAGNET Ram Capture
$SCRIPT_DIR\Tools\MRC\MRCv120.exe
MAGNET Response
$SCRIPT_DIR\Tools\MagnetRESPONSE\MagnetRESPONSE.exe
Check out: Wiki: How-to-add-or-update-dependencies
.\Collect-MemoryDump.ps1 [-Tool] [--Pagefile]
Example 1 - Collect Microsoft Crash Dump and Pagefile
.\Collect-MemoryDump.ps1 -Comae --Pagefile
Example 2 - Collect Raw Physical Memory Dump and Pagefile
.\Collect-MemoryDump.ps1 -DumpIt --Pagefile
Example 3 - Collect Raw Physical Memory Dump
.\Collect-MemoryDump.ps1 -WinPMEM
Important
Microsoft .NET Framework 4 (or later) must be installed on target system for MAGNET Encrypted Disk Detector and MAGNET Response. Simply skip the Pagefile Collection or download and install Microsoft .NET Framework 4 (Standalone Installer) from the Microsoft download site:
https://www.microsoft.com/en-us/download/details.aspx?id=17718
Important
MAGNET DumpIt for Windows does NOT support Windows 7 target systems. Please use any of the other memory acquisition tools when dealing with Windows 7.
Fig 1: Help Message
Fig 2: Check Available Space
Fig 3: Automated Creation of Windows Memory Snapshot w/ MAGNET DumpIt for Windows (incl. Pagefile)
Fig 4: Automated Creation of Windows Memory Snapshot w/ MAGNET DumpIt for Windows (incl. Pagefile)
Fig 5: Automated Creation of Windows Memory Snapshot w/ WinPMEM (incl. Pagefile)
Fig 6: Automated Creation of Windows Memory Snapshot w/ Belkasoft Live RAM Capturer (incl. Pagefile)
Fig 7: Pagefile Collection w/ MAGNET Response
Fig 8: Collecting Running Process/Module Information w/ MAGNET Response
Fig 9: Message Box
Fig 10: MAGNET RAM Capture
Fig 11: Automated Creation of Windows Memory Snapshot w/ MAGNET RAM Capture
Fig 12: Message Box
Fig 13: Secure Archive Container (PW: IncidentResponse) and Logfile.txt
Fig 14: Output Directories
Fig 15: Memory Directories (DumpIt and Pagefile)
Fig 16: Memory Snapshot (in a forensically sound manner)
Fig 17: Pagefile and PageFileInfo
Fig 18: Pagefile Collection (in a forensically sound manner)
Fig 19: Collected System Information
7-Zip 23.01 Standalone Console (2023-06-20)
https://www.7-zip.org/download.html
Belkasoft Live RAM Capturer (2018-10-22)
https://belkasoft.com/ram-capturer
MAGNET DumpIt for Windows (2023-01-17) → Comae-Toolkit-v20230117
https://www.magnetforensics.com/resources/magnet-dumpit-for-windows/
https://support.magnetforensics.com/s/free-tools
MAGNET Encrypted Disk Detector v3.1.0 (2022-06-19)
https://www.magnetforensics.com/resources/encrypted-disk-detector/
https://support.magnetforensics.com/s/free-tools
MAGNET RAM Capture v1.2.0 (2019-07-24)
https://www.magnetforensics.com/resources/magnet-ram-capture/
https://support.magnetforensics.com/s/free-tools
MAGNET Response v1.7.0 (2023-04-28)
https://www.magnetforensics.com/resources/magnet-response/
https://support.magnetforensics.com/s/free-tools
PsLoggedOn v1.35 (2016-06-29)
https://docs.microsoft.com/de-de/sysinternals/downloads/psloggedon
WinPMEM 4.0 RC2 (2020-10-13)
https://github.com/Velocidex/WinPmem/releases
Belkasoft Live RAM Capturer
MAGNET DumpIt for Windows
MAGNET Encrypted Disk Detector
MAGNET RAM Capture
MAGNET Response
WinPMEM