# DumpIt

Since this article was originally published, Magnet Forensics has acquired [Comae](https://www.magnetforensics.com/blog/magnet-forensics-acquires-cybersecurity-software-firm-comae-technologies/) and rebranded DumpIt. Magnet have also released a Linux variant of DumpIt (as an alternative to AVML). Source code is [available here](https://github.com/MagnetForensics/dumpit-linux).

I've compiled two versions of Linux DumpIt (one for amd64, one for WSL2), [available here](https://github.com/deeFIR/dumpit-linux/releases/tag/v0.1.0).

<figure><img src="/files/fVM00Iw74N5ldjQzJYHV" alt=""><figcaption></figcaption></figure>

Want to build it yourself?

<https://www.rust-lang.org/tools/install>

```
$ sudo apt install build-essential liblzma-dev
$ curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
$ source "$HOME/.cargo/env"   # rustup updates your shell profile, but the current shell needs cargo on PATH now
$ git clone https://github.com/MagnetForensics/dumpit-linux.git
$ cd dumpit-linux
$ cargo build --release       # release build; the binary lands in target/release
$ cd target/release
```

**Original Post**

An incredibly lightweight and reliable tool is Comae's DumpIt. More information can be found on their [website](https://www.comae.com/dumpit/).

When you execute DumpIt.exe, unless specified otherwise, the destination will be the directory from which it is executed. This is incredibly useful when conducting on-scene forensics. Executing DumpIt.exe from Windows Explorer, you'll be presented with the following dialogue.

![](/files/-MJQcei12PVkff_03u2f)

Upon completion, there will be a .dmp file in the directory, as well as a txt file containing information about the acquisition such as the machine name, UTC time of acquisition, and SHA256 hash of the dump file.
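Because the accompanying text file records the SHA256 of the dump, an examiner can re-hash the image later (after transfer to the analysis workstation, or before handing it to Volatility) and confirm it still matches what was recorded at acquisition time. The script below is an added example, not code from DumpIt or from this post: it hashes a file in chunks (so a 32GB image is never read into memory at once), pulls the first 64-hex-digit value out of the info file, and reports whether they agree. The layout of the info file used in `demo()` is a constructed sample; the check only assumes the recorded hash appears somewhere in the text as one 64-character hex string.

```python
import hashlib
import re
import tempfile
from pathlib import Path
from typing import Optional

# Any 64-hex-digit token is treated as a SHA-256 value. The exact layout of
# DumpIt's info file is an assumption here; only the presence of the hash as a
# 64-character hex string is relied upon.
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")


def extract_sha256(info_text: str) -> Optional[str]:
    """Return the first SHA-256 hex string found in the info file text, lowercased."""
    m = SHA256_RE.search(info_text)
    return m.group(0).lower() if m else None


def sha256_of_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash a file 1 MiB at a time so a multi-gigabyte dump is never loaded whole."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_dump(dump_path: Path, info_path: Path) -> dict:
    """Compare the dump's current SHA-256 with the value recorded at acquisition time."""
    recorded = extract_sha256(info_path.read_text(encoding="utf-8", errors="replace"))
    computed = sha256_of_file(dump_path)
    return {
        "recorded": recorded,
        "computed": computed,
        "match": recorded is not None and recorded == computed,
    }


def demo() -> dict:
    """Build a constructed .dmp/.txt pair in a temp dir (sample data, not a real
    acquisition), verify it, then modify one byte and show the check failing."""
    with tempfile.TemporaryDirectory() as d:
        dump = Path(d) / "SAMPLE-HOST-20230611-120000.dmp"
        dump.write_bytes(b"\x00" * 4096 + b"constructed sample, not a real memory image")
        info = Path(d) / "SAMPLE-HOST-20230611-120000.txt"
        info.write_text(
            "Machine name: SAMPLE-HOST\n"
            "Acquisition time (UTC): 2023-06-11 12:00:00\n"
            f"SHA256: {sha256_of_file(dump)}\n",
            encoding="utf-8",
        )
        intact = verify_dump(dump, info)
        # Flip the first byte after "acquisition": the recorded hash no longer matches.
        with dump.open("r+b") as f:
            f.seek(0)
            f.write(b"\xff")
        tampered = verify_dump(dump, info)
    return {"intact": intact["match"], "tampered": tampered["match"]}


if __name__ == "__main__":
    print(demo())  # {'intact': True, 'tampered': False}
```

On a real case, call `verify_dump(Path("HOST-date.dmp"), Path("HOST-date.txt"))` on the actual pair DumpIt produced and record both hashes alongside the chain-of-custody notes; a mismatch means the image should not be relied upon until the discrepancy is explained.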

You can also specify an output location if you wish:

```
dumpit.exe /O C:\path\to\location
```

A 32GB memory acquisition took less than 6 minutes.

This dump file can be processed with Volatility (either 2.6.1 or 3 beta).

**Updated 11th June 2023** to reflect Comae's acquisition by Magnet Forensics, Linux variant of Dumpit, and link to GitHub for compiled versions of DumpIt (Linux)
