WinPMem

If you're not using an EDR or similar tool to streamline acquisition, consider using something like Belkasoft's RAM capture or WinPmem.
Official site; https://winpmem.velocidex.com/​
From elevated command prompt;
C:\winver
(note Windows version and build version, example Windows 10 1909 18363
F:\>winpmem.exe -o Windows10_1909_18363.aff4 -dd
​
-o denotes output location
-dd denotes verbosity
Default is to acquire as AFF4 which is a compressed container. 
Reference;
https://schatzforensic.com/insideout/2017/03/aff4-standard-v1-0-released/
https://github.com/aff4
http://www2.aff4.org/​
​
unzip Windows10_1909_18363.aff4
Directory: F:\Windows10_1909_18363
C%3A
PhysicalMemory
container.description
information.turtle
version.txt
C3A contains system files and drivers acquired during memory acquisition (to support analysis)
PhysicalMemory is the physical memory stream
container.description contains AFF4 container GUID
information.turtle contains AFF4 stream data (drivers, physical memory, etc)
version.txt contains information relating to version of winpmem which was executed.
DumpIt
Linux / AVML
Last modified 2yr ago