Script for remote memory dump

Forensic software discussion (commercial and open source/freeware). Strictly no advertising.
Bunnysniper
Senior Member
Script for remote memory dump

Posted: Jan 02, 19 10:27

Hello,

Does anyone have a Windows script (Powershell or bat/cmd) file to remotely:
- generate a memory dump
- write it back to the caller workstation OR a mapped network drive
- for a single machine

I need such a script and would write my own one, but if someone else already did the work, I would be happy to get a copy of such a script :)

regards,
Robin
_________________
--
All opinions are mine and are not necessarily the opinions of my employer. 

pr3cur50r
Member
Re: Script for remote memory dump

Posted: Jan 16, 19 18:02

Hi Robin,

Not sure if you've had any joy with this but I had a quick look online and found the following:

github.com/n3l5/irMempull

I'd advise writing the memory dump locally and using snappy compression with winpmem. This is simply for speed and to avoid smear when capturing the image. Writing to a network location could slow the memory dump down.

Cheers  

Bunnysniper
Senior Member
Re: Script for remote memory dump

Posted: Jan 18, 19 12:57

- pr3cur50r
Hi Robin,

Not sure if you've had any joy with this but I had a quick look online and found the following:

github.com/n3l5/irMempull

I'd advise writing the memory dump locally and using snappy compression with winpmem. This is simply for speed and to avoid smear when capturing the image. Writing to a network location could slow the memory dump down.

Cheers

Thanks for the link, it was new to me. Of course I googled for tools and scripts before I posted my question, but I missed this one. For me it is important to write over the network, because a drive and file analysis is mostly done after the memory acquisition. I simply do not want a 16GB memory dump overwriting files and artifacts locally which are perhaps key to success in my investigation.

So my approach is now to modify this script in a way that it uses a mapped network drive as a target.

regards,
Robin
_________________
--
All opinions are mine and are not necessarily the opinions of my employer. 
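A PowerShell sketch of the script asked for at the top of the thread, written here as an added example and not taken from irMempull or any other project: it stages winpmem on the single target over PowerShell Remoting, dumps to the target's local disk first (pr3cur50r's advice), then copies the image back to the analyst workstation over the same session and verifies the hash, which sidesteps the Kerberos double-hop problem a mapped network drive inside a remote session runs into. Assumptions: PS Remoting is enabled and you are an administrator on the target; your winpmem build takes the output file as its last argument, with any compression switches for that version passed through $ExtraArgs.

```powershell
# Added example (not from the thread or from irMempull): acquire RAM from one remote
# Windows host over WinRM and bring the image back to the analyst workstation.
# Assumptions: PS Remoting enabled, local admin on the target, and a winpmem build
# whose last argument is the output file (check the usage text of your build;
# compression flags differ between versions and are passed via -ExtraArgs).
param(
    [Parameter(Mandatory)] [string] $ComputerName,
    [Parameter(Mandatory)] [string] $ToolPath,        # local copy of winpmem*.exe
    [string]   $LocalOut    = "C:\IR\$ComputerName",  # on the analyst workstation
    [string]   $RemoteStage = 'C:\Windows\Temp\ir',   # staging dir on the target (uses its free space)
    [string[]] $ExtraArgs   = @()                     # e.g. the compression switch of your build
)

$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Path $LocalOut -Force | Out-Null
$session = New-PSSession -ComputerName $ComputerName

try {
    # 1. Push the tool to the target; no share is mounted on the target side, so the
    #    remote session never needs delegated credentials (the double-hop issue).
    Invoke-Command -Session $session -ScriptBlock {
        param($dir) New-Item -ItemType Directory -Path $dir -Force | Out-Null
    } -ArgumentList $RemoteStage
    Copy-Item -Path $ToolPath -Destination $RemoteStage -ToSession $session

    # 2. Dump to the target's local disk first: faster, and less smear than streaming
    #    to a network location. Hash it on the target before it moves anywhere.
    $stamp = Get-Date -Format 'yyyyMMdd_HHmmss'
    $remoteImage = Invoke-Command -Session $session -ScriptBlock {
        param($dir, $exe, $stamp, $extra)
        $out     = Join-Path $dir "${env:COMPUTERNAME}_$stamp.raw"
        $argList = @($extra | Where-Object { $_ }) + $out
        $p = Start-Process -FilePath (Join-Path $dir $exe) -ArgumentList $argList `
                           -Wait -NoNewWindow -PassThru
        if ($p.ExitCode -ne 0) { throw "winpmem exited with code $($p.ExitCode)" }
        [pscustomobject]@{ Path = $out; Sha256 = (Get-FileHash $out -Algorithm SHA256).Hash }
    } -ArgumentList $RemoteStage, (Split-Path $ToolPath -Leaf), $stamp, $ExtraArgs

    # 3. Pull the image back over the session and verify the hash end to end.
    Copy-Item -Path $remoteImage.Path -Destination $LocalOut -FromSession $session
    $local     = Join-Path $LocalOut (Split-Path $remoteImage.Path -Leaf)
    $localHash = (Get-FileHash $local -Algorithm SHA256).Hash
    if ($localHash -ne $remoteImage.Sha256) { throw "hash mismatch after transfer: $local" }
    "$local`n$localHash" | Tee-Object -FilePath "$local.sha256"
}
finally {
    # 4. Close the session; the staged tool and image stay on the target until you
    #    decide how to handle them, since deleting them is itself a change to the disk.
    Remove-PSSession $session
}
```

Robin's alternative of writing straight to a mapped drive from the target means passing a UNC path as $out instead, which only works inside the remote session when credential delegation (CredSSP or constrained delegation) is configured for that hop.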

pr3cur50r
Member
Re: Script for remote memory dump

Posted: Jan 22, 19 18:58

Understood. These are always calculated decisions. However, if the system has an SSD you're likely to run into issues with trim and deleted data anyway.

Which artefacts are you expecting to be overwritten when performing a memory dump locally to the system?

Obviously, I have no understanding of the type of case you're working through or the specific reason you wish to acquire the memory dump. In saying this, unless it is a criminal investigation or there's specific data you expect to recover from deleted space then there's really no reason why you can't take a memory dump locally to the box or to an external disk, provided you can explain your decision process and the changes this will make.

If it is imperative that you capture a memory dump, then I believe your priority should be capturing a fast, clean one.

Good luck!  