DumpIt

Since this article was originally published, Magnet Forensics has acquired Comae and rebranded DumpIt. Magnet have also released a Linux variant of DumpIt (as an alternative to AVML). Source code is available here.

I've compiled two versions of Linux DumpIt (one for amd64, one for WSL2), available here.

Want to build it yourself?

https://www.rust-lang.org/tools/install

$ sudo apt install build-essential liblzma-dev
$ curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
$ git clone https://github.com/MagnetForensics/dumpit-linux.git
$ cd dumpit-linux
$ cargo build --release
$ cd target/release

Original Post

An incredibly lightweight and reliable tool is Comae's DumpIt. More information can be found on their website.

When you execute DumpIt.exe, unless otherwise specified, the destination will be the directory from which it is executed. This is incredibly useful when conducting on-scene forensics. Executing DumpIt.exe from Windows Explorer, you'll be presented with the following dialogue.

Upon completion, there will be a .dmp file in the directory, as well as a .txt file containing information about the acquisition such as the machine name, UTC time of acquisition, and SHA256 hash of the dump file.

You can also specify an output location if you wish:
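Before a dump leaves the scene, the recorded SHA256 should be checked against the file itself so that a truncated copy or a corrupted transfer is caught early. The script below is an added example and not part of DumpIt; the layout of the info file it parses (a line of the form "SHA256: <hex digest>") is an assumption, so adjust the regular expression to match the exact text DumpIt writes. The dump and info file it verifies are constructed in a temporary directory so that it runs offline.

```python
"""Verify a memory dump against the SHA256 recorded in its acquisition info file.

Added example, not DumpIt's own code. The info-file format is ASSUMED to
contain a line like "SHA256: <64 hex chars>"; the real file may differ.
"""
import hashlib
import hmac
import re
import tempfile
from pathlib import Path
from typing import Optional, Tuple

# Assumed pattern for the hash line in the acquisition info file.
HASH_LINE = re.compile(r"^\s*SHA256\s*[:=]\s*([0-9a-fA-F]{64})\s*$", re.MULTILINE)
CHUNK = 4 * 1024 * 1024  # read multi-gigabyte dumps in 4 MiB chunks


def sha256_file(path: Path) -> str:
    """Stream the file through SHA256 without loading it into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_sha256(info_text: str) -> Optional[str]:
    """Return the lowercase digest from the (assumed) SHA256 line, or None."""
    m = HASH_LINE.search(info_text)
    return m.group(1).lower() if m else None


def verify_dump(dump_path: Path, info_path: Path) -> bool:
    """True if the dump's SHA256 matches the digest recorded at acquisition time."""
    expected = parse_sha256(info_path.read_text(errors="replace"))
    if expected is None:
        raise ValueError(f"no SHA256 line found in {info_path}")
    # compare_digest avoids timing leaks; harmless here, but a good habit.
    return hmac.compare_digest(sha256_file(dump_path), expected)


def demo() -> Tuple[bool, bool]:
    """Constructed dump + info file: verify once intact, once after a byte flip."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        dump = d / "HOST-20230611-120000.dmp"
        # Constructed placeholder content, not a real memory image.
        dump.write_bytes(b"PAGEDUMP" + bytes(range(256)) * 64)
        info = d / "HOST-20230611-120000.txt"
        info.write_text(
            "Machine name: HOST\n"
            "UTC time: 2023-06-11 12:00:00\n"
            f"SHA256: {sha256_file(dump)}\n"
        )
        intact = verify_dump(dump, info)

        # Simulate a corrupted transfer: flip a single byte in the dump.
        data = bytearray(dump.read_bytes())
        data[100] ^= 0xFF
        dump.write_bytes(bytes(data))
        tampered = verify_dump(dump, info)
    return intact, tampered


if __name__ == "__main__":
    intact, tampered = demo()
    print(f"intact dump verifies: {intact}; corrupted dump verifies: {tampered}")
```

Run it against a real acquisition by calling verify_dump with the paths to the .dmp and its companion .txt; if the hash line in your info file is labelled differently, only HASH_LINE needs changing.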

dumpit.exe /O C:\path\to\location

A 32GB memory acquisition took less than 6 minutes.

This dump file can be processed with Volatility (either 2.6.1 or 3 beta).

Updated 11th June 2023 to reflect Comae's acquisition by Magnet Forensics, the Linux variant of DumpIt, and a link to GitHub for compiled versions of DumpIt (Linux).
