WinPMem

If you're not using an EDR or similar tool to streamline acquisition, consider using something like Belkasoft's RAM capture or WinPmem.

Official site; https://winpmem.velocidex.com/

From elevated command prompt;

C:\winver
(note Windows version and build version, example Windows 10 1909 18363
F:\>winpmem.exe -o Windows10_1909_18363.aff4 -dd

-o denotes output location
-dd denotes verbosity

Default is to acquire as AFF4 which is a compressed container.

Reference; https://schatzforensic.com/insideout/2017/03/aff4-standard-v1-0-released/ https://github.com/aff4 http://www2.aff4.org/

unzip Windows10_1909_18363.aff4
Directory: F:\Windows10_1909_18363
C%3A
PhysicalMemory
container.description
information.turtle
version.txt

C3A contains system files and drivers acquired during memory acquisition (to support analysis) PhysicalMemory is the physical memory stream container.description contains AFF4 container GUID information.turtle contains AFF4 stream data (drivers, physical memory, etc) version.txt contains information relating to version of winpmem which was executed.

PreviousDumpIt NextLinux / AVML

Last updated 5 years ago