Digital Forensics & Incident Response
DumpIt


Last updated 2 years ago


Updated 11th June 2023 to reflect Comae's acquisition by Magnet Forensics, the Linux variant of DumpIt, and a link to GitHub for compiled versions of DumpIt (Linux).

Since this article was originally published, Magnet Forensics has acquired and rebranded DumpIt. Magnet has also released a Linux variant of DumpIt (as an alternative to AVML). Source code is available at https://github.com/MagnetForensics/dumpit-linux.

I've compiled two versions of Linux DumpIt (one for amd64, one for WSL2), available here.

Want to build it yourself? (The second line installs the Rust toolchain via rustup; see https://www.rust-lang.org/tools/install.)

$ sudo apt install build-essential liblzma-dev
$ curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
$ git clone https://github.com/MagnetForensics/dumpit-linux.git
$ cd dumpit-linux
$ cargo build --release
$ cd target/release

Original Post

An incredibly lightweight and reliable tool is Comae's DumpIt. More information can be found on their website.

When you execute DumpIt.exe, unless otherwise specified, the destination will be the directory from which it is executed. This is incredibly useful when conducting on-scene forensics. Executing DumpIt.exe from Windows Explorer, you'll be presented with the following dialogue.

Upon completion, there will be a .dmp file in the directory, as well as a .txt file containing information about the acquisition such as the machine name, UTC time of acquisition, and SHA256 hash of the dump file.

You can also specify an output location if you wish:

dumpit.exe /O C:\path\to\location

A 32GB memory acquisition took less than 6 minutes.

This dump file can be processed with Volatility (either 2.6.1 or 3 beta).
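The SHA256 that DumpIt records in its companion .txt file is what lets you prove later that the image you analysed is the one that was acquired. The script below is an added example (not DumpIt's or Magnet's code) that re-hashes the .dmp in streaming fashion and compares it with the hash in the report. The exact layout of the report is an assumption: the page only says it contains the machine name, UTC time and SHA256, so the parser simply looks for a 64-hex-digit value on any line that mentions SHA256. The sample dump and report in demo() are constructed, and the tamper flag shows what a modified image looks like to the check.

```python
"""Verify a DumpIt memory image against the SHA256 recorded in its
companion .txt acquisition report (added example, layout assumed)."""
import hashlib
import re
import tempfile
from pathlib import Path
from typing import Optional

# Assumed report layout: a line mentioning SHA256 followed by a 64-hex hash.
# Matched case-insensitively so "SHA-256", "sha256" etc. all work.
HASH_LINE = re.compile(r"sha-?256.*?([0-9a-fA-F]{64})", re.IGNORECASE)


def extract_recorded_hash(report_text: str) -> Optional[str]:
    """Return the lowercase SHA256 found in the report, or None if absent."""
    for line in report_text.splitlines():
        m = HASH_LINE.search(line)
        if m:
            return m.group(1).lower()
    return None


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash a file in 1 MiB chunks; memory images are tens of GB, so never
    read them into memory whole."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_dump(dump_path: Path, report_path: Path) -> dict:
    """Compare the report's hash with a fresh hash of the image."""
    recorded = extract_recorded_hash(report_path.read_text(errors="replace"))
    computed = sha256_file(dump_path)
    return {
        "recorded": recorded,
        "computed": computed,
        "match": recorded is not None and recorded == computed,
    }


def demo(tamper: bool = False) -> dict:
    """Build a constructed dump + report in a temp dir and verify them.
    With tamper=True a byte is appended after the report was written, so the
    check must fail."""
    with tempfile.TemporaryDirectory() as d:
        tmp = Path(d)
        dump = tmp / "DESKTOP-EXAMPLE-20230611-120000.dmp"     # constructed name
        report = tmp / "DESKTOP-EXAMPLE-20230611-120000.txt"   # constructed name
        dump.write_bytes(b"\x00" * 4096 + b"KDBG" + b"\x00" * 4096)
        report.write_text(
            "Machine name: DESKTOP-EXAMPLE\n"
            "Acquisition time (UTC): 2023-06-11 12:00:00\n"
            f"SHA256: {hashlib.sha256(dump.read_bytes()).hexdigest()}\n"
        )
        if tamper:
            with dump.open("ab") as f:
                f.write(b"\x41")
        return verify_dump(dump, report)


if __name__ == "__main__":
    for flag in (False, True):
        r = demo(tamper=flag)
        print(f"tamper={flag}: match={r['match']} "
              f"recorded={r['recorded']} computed={r['computed']}")
```

On a real case, call verify_dump() with the .dmp and .txt that DumpIt wrote side by side; record the computed hash in your notes alongside the one from the report so the chain of custody carries both.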