# DumpIt

Since this article was originally published, Magnet Forensics has acquired [Comae](https://www.magnetforensics.com/blog/magnet-forensics-acquires-cybersecurity-software-firm-comae-technologies/) and rebranded DumpIt. Magnet have also released a Linux variant of DumpIt (as an alternative to AVML). Source code is [available here](https://github.com/MagnetForensics/dumpit-linux).

I've compiled two versions of Linux DumpIt (one for amd64, one for WSL2), [available here](https://github.com/deeFIR/dumpit-linux/releases/tag/v0.1.0).

<figure><img src="/files/fVM00Iw74N5ldjQzJYHV" alt=""><figcaption></figcaption></figure>

Want to build it yourself?

<https://www.rust-lang.org/tools/install>

```
$ sudo apt install build-essential liblzma-dev
$ curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
$ git clone https://github.com/MagnetForensics/dumpit-linux.git
$ cd dumpit-linux
$ cargo build --release
$ cd target/release
```

**Original Post**

An incredibly lightweight and reliable tool is Comae's DumpIt. More information can be found on their [website](https://www.comae.com/dumpit/).

When you execute DumpIt.exe, the destination will be the directory from which it is executed unless another is specified. This is incredibly useful when conducting on-scene forensics. When you execute DumpIt.exe from Windows Explorer, you'll be presented with the following dialogue.

![](/files/-MJQcei12PVkff_03u2f)

Upon completion, there will be a .dmp file in the directory, as well as a .txt file containing information about the acquisition such as the machine name, UTC time of acquisition, and SHA256 hash of the dump file.

You can also specify an output location if you wish:

```
dumpit.exe /O C:\path\to\location
```

A 32GB memory acquisition took less than 6 minutes.

This dump file can be processed with Volatility (either 2.6.1 or 3 beta).
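Before analysis, the SHA256 recorded in the text file can be compared with the dump on disk to confirm the image has not changed since acquisition. The following is an added example, not part of the original post or of DumpIt itself; it assumes only that the report contains the hash as a 64-character hex string (UTF-16 with a BOM, or UTF-8), and the report layout and file names inside `demo()` are constructed.

```python
import hashlib
import re
import sys
import tempfile
from pathlib import Path

# A SHA256 digest is 64 hex digits; the lookarounds reject longer hex runs.
SHA256_RE = re.compile(r"(?<![0-9A-Fa-f])[0-9A-Fa-f]{64}(?![0-9A-Fa-f])")

def recorded_sha256(report_path):
    """Return the one SHA256 value found in the acquisition report."""
    raw = Path(report_path).read_bytes()
    # Assumption: the report is UTF-16 with a BOM, or UTF-8/ASCII.
    encoding = "utf-16" if raw[:2] in (b"\xff\xfe", b"\xfe\xff") else "utf-8"
    found = {h.lower() for h in SHA256_RE.findall(raw.decode(encoding, "replace"))}
    if len(found) != 1:
        raise ValueError(f"expected one SHA256 in report, found {len(found)}")
    return found.pop()

def file_sha256(dump_path, chunk_size=8 * 1024 * 1024):
    """Hash in chunks so a multi-gigabyte dump never has to fit in RAM."""
    digest = hashlib.sha256()
    with open(dump_path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def verify_dump(dump_path, report_path):
    """True only if the dump on disk still matches the recorded hash."""
    return file_sha256(dump_path) == recorded_sha256(report_path)

def demo():
    """Constructed sample: a tiny fake dump and a report in an assumed layout."""
    with tempfile.TemporaryDirectory() as tmp:
        dump, report = Path(tmp, "sample.dmp"), Path(tmp, "sample.txt")
        dump.write_bytes(b"constructed sample, not a real memory image" * 1024)
        report.write_text(
            "Machine name: EXAMPLE-PC\nSHA256: "
            + hashlib.sha256(dump.read_bytes()).hexdigest().upper() + "\n",
            encoding="utf-16")
        intact = verify_dump(dump, report)
        with open(dump, "ab") as fh:  # simulate corruption after acquisition
            fh.write(b"\x00")
        return intact, verify_dump(dump, report)

if __name__ == "__main__":
    if len(sys.argv) == 3:
        ok = verify_dump(sys.argv[1], sys.argv[2])
        print("MATCH" if ok else "MISMATCH")
        sys.exit(0 if ok else 1)
    print(demo())
```

Run it with the dump path and the report path as arguments; the exit code is 0 on a match and 1 on a mismatch, so it can gate an analysis script.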

**Updated 11th June 2023** to reflect Comae's acquisition by Magnet Forensics, the Linux variant of DumpIt, and a link to GitHub for compiled versions of DumpIt (Linux).
