DumpIt
An incredibly lightweight and reliable tool is Comae's DumpIt. More information can be found on their website.
When you execute DumpIt.exe, unless specified, the destination will be the directoy from which it is executed. This is incredibly when conducting on-scene forensics. Executing DumpIt.exe from Windows Explorer, you'll be presented with the following dialogue.
Upon completion, there will be a .dmp file in the directory, as well as a txt file containing information about the acquisition such as the machine name, UTC time of acquisition, and SHA256 hash of the dump file.
You can also specify an output location if you wish;
dumpit.exe /O C:\path\to\location
A 32GB memory acquisition took less than 6 minutes.
This dump file can be processed with Volatility (either 2.6.1 or 3 beta).
Last modified 2yr ago