How to dump volatile memory on Windows systems?
My own shortlist
One of the first steps in the forensic analysis of a compromised machine is to make a copy of its volatile memory.
This copy is then used for in-depth analysis with tools such as Volatility or Redline.
But which tool should you use to acquire the volatile memory?
Below is my own shortlist.
DumpIt
DumpIt is a fusion of two trusted tools, win32dd and win64dd, combined into one executable.
Simply double-click the DumpIt executable and allow the tool to run: a snapshot of the host's physical memory is taken and saved into the folder where the executable is located.
This tool is provided by Magnet Forensics.
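Because the dump is the evidence, a practitioner wants it hashed and documented the moment DumpIt finishes. The following PowerShell wrapper is an added example, not part of the original post or of DumpIt itself; it assumes a trusted copy of DumpIt.exe at $ToolDir (a placeholder path), relies only on the behaviour described above (no arguments, output written beside the executable), and the manifest layout is my own.

```powershell
# Added example: run DumpIt from its own folder, then hash and document the
# resulting dump for chain of custody. Paths and the case id are placeholders.
param(
    [string]$ToolDir = 'E:\Tools\DumpIt',   # assumed location of the trusted tool copy
    [string]$CaseId  = 'CASE-0000'          # placeholder case identifier
)

$ErrorActionPreference = 'Stop'
$exe = Join-Path $ToolDir 'DumpIt.exe'
if (-not (Test-Path $exe)) { throw "DumpIt.exe not found in $ToolDir" }

# Note which files exist beforehand so the new dump can be identified afterwards.
$before  = Get-ChildItem -Path $ToolDir -File | Select-Object -ExpandProperty Name
$started = Get-Date

# Run from the tool folder so the snapshot lands beside the executable.
# DumpIt takes no arguments; -Wait blocks until the acquisition has exited.
Push-Location $ToolDir
try {
    Start-Process -FilePath $exe -Wait -NoNewWindow
} finally {
    Pop-Location
}

# The dump is the largest file that did not exist before we started.
$dump = Get-ChildItem -Path $ToolDir -File |
        Where-Object { $_.Name -notin $before } |
        Sort-Object Length -Descending | Select-Object -First 1
if (-not $dump) { throw 'No new dump file appeared; acquisition failed or was cancelled' }

# Hash immediately: this value ties the image to this acquisition record.
$hash = (Get-FileHash -Path $dump.FullName -Algorithm SHA256).Hash

$manifest = [ordered]@{
    CaseId    = $CaseId
    Host      = $env:COMPUTERNAME
    Operator  = $env:USERNAME
    OS        = (Get-CimInstance Win32_OperatingSystem).Caption
    Started   = $started.ToString('o')
    Finished  = (Get-Date).ToString('o')
    Tool      = 'DumpIt'
    DumpFile  = $dump.Name
    DumpBytes = $dump.Length
    SHA256    = $hash
}
$manifest | ConvertTo-Json | Set-Content -Path (Join-Path $ToolDir "$CaseId-acquisition.json")
$manifest
```

Keep the manifest with the image; any later copy of the dump can be verified against the recorded SHA256 before analysis.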
FTK Imager
Can acquire live memory and the paging file on 32-bit and 64-bit systems.
Runs on Windows 2003 and later versions.
WinPmem
Part of the Rekall Memory Analysis framework.
It supports Windows XP to Windows 10, on both 32-bit and 64-bit architectures.