Script for remote memory dump  

Bunnysniper
(@bunnysniper)
Active Member

Hello,

Does anyone have a Windows script (PowerShell or bat/cmd) file to remotely
- generate a memory dump
- write it back to the caller workstation OR a mapped network drive
- for a single machine

I need such a script and would make my own, but if someone else already did the work, I would be happy to get a copy of such a script -)

regards,
Robin

Posted : 02/01/2019 3:27 pm
pr3cur50r
(@pr3cur50r)
Junior Member

Hi Robin,

Not sure if you've had any joy with this but I had a quick look online and found the following

https://github.com/n3l5/irMempull

I'd advise writing the memory dump locally and using snappy compression with winpmem. This is simply for speed and to avoid smear when capturing the image. Writing to a network location could slow the memory dump down.

Cheers

Posted : 16/01/2019 11:02 pm
Bunnysniper
(@bunnysniper)
Active Member

Thanks for the link, it was new for me. Of course I googled for tools and scripts before I posted my question, but I missed this one. For me it is important to write over the network, because a drive and file analysis is mostly done after the memory acquisition. I simply do not want a 16GB memory dump overwriting files and artifacts locally which are perhaps key to success in my investigation.

So my approach is now to modify this script in a way that it uses a mapped network drive as a target.

regards,
Robin

Posted : 18/01/2019 5:57 pm
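An added example of the approach Robin describes (PowerShell remoting to a single machine, winpmem writing to a mapped network drive, with the snappy compression pr3cur50r suggests); it is not code from the thread or from the irMempull project. The share path, the staging path on the target and the winpmem flags (-o for the output file, -c snappy for compression) are assumptions to check against the winpmem build you actually deploy.

```powershell
# Added example, not code from the thread or from irMempull: acquire memory from a
# single remote host with winpmem and write it straight to a mapped network share,
# so the dump never lands on the target's own disk.
# Assumptions: PowerShell remoting (WinRM) is enabled on the target, the supplied
# account can both log on to the target and write to the share, and the winpmem
# build you deploy accepts "-o <output> -c snappy" (check against your copy's usage).
param(
    [Parameter(Mandatory)] [string]$ComputerName,      # the one target host
    [Parameter(Mandatory)] [string]$SharePath,         # evidence share, e.g. \\ir-collector\evidence
    [Parameter(Mandatory)] [string]$WinpmemLocalPath,  # winpmem.exe on the caller workstation
    [PSCredential]$Credential = (Get-Credential -Message "Account for target and share")
)

$session = New-PSSession -ComputerName $ComputerName -Credential $Credential

# Stage only the small imager binary on the target; the image itself goes to the share.
$remoteTool = "C:\Windows\Temp\winpmem.exe"
Copy-Item -Path $WinpmemLocalPath -Destination $remoteTool -ToSession $session

$result = Invoke-Command -Session $session -ArgumentList $SharePath, $remoteTool, $Credential -ScriptBlock {
    param($Share, $Tool, $Cred)
    # Map the share inside the remote session with explicit credentials, which also
    # sidesteps the second-hop authentication problem.
    New-PSDrive -Name Z -PSProvider FileSystem -Root $Share -Credential $Cred | Out-Null
    $name = "${env:COMPUTERNAME}-$(Get-Date -Format 'yyyyMMdd-HHmmss').aff4"
    $out  = "Z:\$name"
    $started = Get-Date
    & $Tool -o $out -c snappy 2>&1 | Out-Null     # assumed flags: output file, snappy compression
    $exit = $LASTEXITCODE
    $info = Get-Item -Path $out -ErrorAction SilentlyContinue
    $hash = if ($info) { (Get-FileHash -Path $out -Algorithm SHA256).Hash } else { $null }
    Remove-PSDrive -Name Z
    [pscustomobject]@{
        Host     = $env:COMPUTERNAME
        Output   = Join-Path $Share $name
        ExitCode = $exit
        Bytes    = if ($info) { $info.Length } else { 0 }
        SHA256   = $hash
        Started  = $started
        Finished = Get-Date
    }
}

# Leave no tool behind and record what was collected alongside the evidence.
Invoke-Command -Session $session -ScriptBlock { Remove-Item -Path $using:remoteTool -Force }
Remove-PSSession $session
$result | Format-List
$result | Export-Csv -Path (Join-Path $SharePath "acquisition-log.csv") -Append -NoTypeInformation
```

A non-zero ExitCode or a missing SHA256 in the log means the image was not completed and should be re-acquired before the host is touched further.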
pr3cur50r
(@pr3cur50r)
Junior Member

Understood. These are always calculated decisions. However, if the system has an SSD you're likely to run into issues with trim and deleted data anyway.

Which artefacts are you expecting to be overwritten when performing a memory dump locally to the system?

Obviously, I have no understanding of the type of case you're working through or the specific reason you wish to acquire the memory dump. In saying this, unless it is a criminal investigation or there's specific data you expect to recover from deleted space then there's really no reason why you can't take a memory dump locally to the box or to an external disk, provided you can explain your decision process and the changes this will make.

If it is imperative that you capture a memory dump, then I believe your priority should be capturing a fast, clean one.

Good luck!

Posted : 22/01/2019 11:58 pm