memory volatility capture

10 Posts
6 Users
0 Likes
1,404 Views
(@jolintan)
Posts: 32
Trusted Member
Topic starter
 

We want to capture the server's memory dump, but we don't have forensic software. Is there any free tool we can use to capture a memory dump and save it as a *.img file, so we can check the process list from it under the memory Volatility module? Thanks

 
Posted : 29/08/2018 11:40 am
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

What OS and version is the server running?

 
Posted : 29/08/2018 11:45 am
(@jolintan)
Posts: 32
Trusted Member
Topic starter
 

Sorry, we have one server with Windows 2012 and one laptop running Windows 7.

I want two images, one for each.

 
Posted : 30/08/2018 11:19 am
(@aquachimere)
Posts: 32
Eminent Member
 

Hi

DumpIt or Magnet Capture… free tools.

Very easy to use.

 
Posted : 30/08/2018 11:35 am
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

If memory serves, I've also heard of folks using FTK Imager to acquire memory dumps, as well.

 
Posted : 30/08/2018 1:57 pm
kastajamah
(@kastajamah)
Posts: 109
Estimable Member
 

See below. I forgot to quote earlier.

 
Posted : 30/08/2018 5:36 pm
kastajamah
(@kastajamah)
Posts: 109
Estimable Member
 

If memory serves, I've also heard of folks using FTK Imager to acquire memory dumps, as well.

@keydet89, your memory is serving you. I have used FTK Imager for memory dumps.

 
Posted : 30/08/2018 5:37 pm
(@randomaccess)
Posts: 385
Reputable Member
 

If anyone's looking for a project, comparing the various tools (WinPmem, DumpIt, FTKI, Magnet RAM Capture, Volexity) across newer OSs with larger amounts of RAM would be great.

It would be good to know whether they're able to dump all of RAM, their footprint, plus the likelihood of crashing the machine. The Volexity guys are touting their tool as the most reliable, except it's paid.

 
Posted : 30/08/2018 11:49 pm
MDCR
(@mdcr)
Posts: 376
Reputable Member
 

If anyone's looking for a project, comparing the various tools (WinPmem, DumpIt, FTKI, Magnet RAM Capture, Volexity) across newer OSs with larger amounts of RAM would be great.

It would be good to know whether they're able to dump all of RAM, their footprint, plus the likelihood of crashing the machine. The Volexity guys are touting their tool as the most reliable, except it's paid.

I tried a bunch of dumpers earlier and the only one that was satisfactory was DumpIt.

I did try other free ones as well, but one of them failed to start (Belka), another one (WinPmem) required me to convert the image to another format before Volatility could use it, and another required me to download the entire Windows Driver Development Kit (LiveKD).

All were tried with admin rights on Windows 7; ordinary enterprise laptops were used (4-8 GB of RAM). One of the dumpers also included the running processes and merged them with the image; I think it was WinPmem or DumpIt.

I also tried MDD (cannot remember what I thought about it), and Volatility can also read Windows crash dumps IIRC.

For me, there is only one choice. Features do not matter when the main functionality does not work satisfactorily.

 
Posted : 31/08/2018 7:48 am
(@randomaccess)
Posts: 385
Reputable Member
 

and another one (WinPmem) required me to convert the image to another format before Volatility could use it

That's probably because it outputs to AFF4, and you need to download something to get Volatility to ingest the AFF4 natively. I haven't looked into it, but I don't think it's very painful to get working.

 
Posted : 31/08/2018 8:40 am
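The two points above (WinPmem writing an AFF4 container that Volatility cannot read as-is, and Volatility accepting Windows crash dumps) come down to knowing what format an acquisition actually produced before analysis starts. The following is an added example, not code from this thread or from any of the tools named in it: it sniffs an image's leading bytes for the known container magics (AFF4 is ZIP-based, so it starts with the ZIP local-file-header signature; crash dumps carry a PAGEDUMP/PAGEDU64 header), treats anything else as a raw dump, and for a raw dump flags a file that is much smaller than installed RAM, which is the "did it dump all of RAM" question from the comparison-project suggestion. The function names and the 90% completeness threshold are my assumptions.

```python
import hashlib
import os

# Header magics, all at offset 0. AFF4 containers are ZIP archives and so
# start with the ZIP local-file-header signature; Windows crash dumps carry a
# PAGEDUMP (32-bit) or PAGEDU64 (64-bit) header; hibernation files start
# with "hibr"/"HIBR". Anything else is treated as a raw physical-memory dump.
SIGNATURES = {
    b"PK\x03\x04": "aff4-or-zip",
    b"PAGEDU64": "windows-crashdump-64",
    b"PAGEDUMP": "windows-crashdump-32",
    b"hibr": "hiberfil",
    b"HIBR": "hiberfil",
}

def classify_header(head: bytes) -> str:
    """Label an image by its leading bytes; 'raw' when no container magic matches."""
    for magic, label in SIGNATURES.items():
        if head.startswith(magic):
            return label
    return "raw"

def assess_image(head: bytes, size: int, expected_ram_bytes: int) -> dict:
    """Pure check: container format, whether it needs converting for Volatility,
    and for raw dumps whether the size is close enough to installed RAM."""
    kind = classify_header(head)
    result = {"format": kind, "size": size, "needs_conversion": kind == "aff4-or-zip"}
    # Only a raw dump maps 1:1 onto physical memory; a file well below the
    # installed RAM size points at a truncated or partial acquisition.
    # The 90% threshold is an assumption, not a documented constant.
    result["looks_complete"] = (size >= 0.9 * expected_ram_bytes) if kind == "raw" else None
    return result

def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    """Hash the image in chunks so multi-GB files never need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def check_image(path: str, expected_ram_bytes: int) -> dict:
    """Read header and size from disk, assess, and attach a SHA-256 for the evidence log."""
    with open(path, "rb") as f:
        head = f.read(8)
    report = assess_image(head, os.path.getsize(path), expected_ram_bytes)
    report["sha256"] = sha256_file(path)
    return report
```

Run `check_image("/path/to/capture.img", installed_ram_bytes)` on a real acquisition; a `needs_conversion` of True means the file is a container to be exported to raw first, and a `looks_complete` of False on a raw dump is worth re-acquiring before spending time in Volatility.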