# WinPMem

If you're not using an EDR or similar tool to streamline acquisition, consider using something like Belkasoft's RAM Capturer or WinPmem.

Official site: <https://winpmem.velocidex.com/>

From an elevated command prompt:

```
C:\>winver
(note the Windows version and build number, e.g. Windows 10 1909 18363)
F:\>winpmem.exe -o Windows10_1909_18363.aff4 -dd

-o   output location
-dd  verbosity
```

The default is to acquire as AFF4, a compressed container format (the container itself is a zip archive, as the listing below shows).

Reference:\
<https://schatzforensic.com/insideout/2017/03/aff4-standard-v1-0-released/>\
<https://github.com/aff4>\
<http://www2.aff4.org/>

```
unzip Windows10_1909_18363.aff4
Directory: F:\Windows10_1909_18363
C%3A
PhysicalMemory
container.description
information.turtle
version.txt
```

C%3A (the URL-encoded `C:`) contains system files and drivers acquired during memory acquisition (to support analysis)\
PhysicalMemory is the physical memory stream\
container.description contains the AFF4 container GUID\
information.turtle contains the AFF4 stream metadata (drivers, physical memory, etc.)\
version.txt contains information about the version of WinPmem that was executed.
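Because the AFF4 container is a zip archive, a first-pass sanity check of a capture can be done with the standard library alone: hash the container for chain-of-custody notes, confirm the expected members from the listing above are present, and pull out the text metadata. The script below is an added example, not part of the original page or of the WinPmem project; the container it builds is a constructed stand-in that only reuses the member names shown above (the contents, including the GUID string and the chunk layout under `PhysicalMemory/`, are placeholders and do not mirror a real WinPmem capture).

```python
import hashlib
import io
import zipfile

# Member names follow the page's `unzip` listing. The contents are CONSTRUCTED
# placeholders so the example runs offline; they are not real AFF4 data.
SAMPLE_MEMBERS = {
    "container.description": "aff4://00000000-0000-0000-0000-000000000000",
    "version.txt": "major=1\nminor=0\ntool=winpmem (constructed sample)\n",
    "information.turtle": "@prefix aff4: <http://aff4.org/Schema#> .\n",
    "PhysicalMemory/00000000": b"\x00" * 64,          # placeholder memory chunk
    "C%3A/Windows/System32/ntoskrnl.exe": b"MZ",      # placeholder driver copy
}

REQUIRED_TEXT_MEMBERS = ("container.description", "information.turtle", "version.txt")


def build_sample_container() -> bytes:
    """Write the constructed members into an in-memory zip (stands in for the .aff4 file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in SAMPLE_MEMBERS.items():
            zf.writestr(name, data.encode() if isinstance(data, str) else data)
    return buf.getvalue()


def sha256_hex(data: bytes) -> str:
    """Container hash to record alongside the acquisition notes."""
    return hashlib.sha256(data).hexdigest()


def inspect_aff4(container: bytes) -> dict:
    """Open the container as a zip, check for the expected members and read the text metadata."""
    with zipfile.ZipFile(io.BytesIO(container)) as zf:
        names = zf.namelist()
        top_level = sorted({n.split("/", 1)[0] for n in names})

        def read_text(member: str):
            if member not in names:
                return None
            return zf.read(member).decode("utf-8", errors="replace")

        return {
            "sha256": sha256_hex(container),
            "top_level": top_level,
            "missing": [m for m in REQUIRED_TEXT_MEMBERS if m not in names],
            # Only tests that a PhysicalMemory entry exists; it does not validate the stream.
            "has_physical_memory": any(n.split("/", 1)[0] == "PhysicalMemory" for n in names),
            "container_description": read_text("container.description"),
            "version": read_text("version.txt"),
        }


if __name__ == "__main__":
    # Replace build_sample_container() with open("Windows10_1909_18363.aff4", "rb").read()
    # to inspect a real capture.
    report = inspect_aff4(build_sample_container())
    for key, value in report.items():
        print(f"{key}: {value!r}")
```

A capture whose report lists missing members or no `PhysicalMemory` entry was most likely interrupted or written to a full disk, and should be re-acquired rather than handed to analysis tooling.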
