Memory Acquisition using MoonSols - DumpIt.exe
DumpIt is a tiny free utility tool that is used to generate a physical memory dump of Windows machines. It works with both x86 and x64 machines. The raw memory dump is generated in the current directory; only a confirmation question is prompted before starting. This is perfect for deploying the executable on USB keys for quick incident response needs.
Why Memory Dump?
Volatile memory, or RAM, is used to store data currently used by a running process, whether it is a user application or a system service. This type of memory is much quicker than a regular hard drive, but unlike files permanently stored on a drive (unless deleted), data from RAM may disappear instantly. At the time, it may store data crucial for your case, including passwords in raw format without encryption or encoding, decrypted data otherwise kept encrypted on a drive, decryption keys for various services, apps, and WDE, remote session data; chats in social networks; malware code; cryptocurrency transactions; various system info such as loaded registry branches; and so on. (Source: https://belkasoft.com/ram-dumping-tool-selection)
From an incident response perspective, the volatile data residing inside the system's memory contains rich information such as passwords, credentials, network connections, malware intrusions, registry hives, etc. that can be a valuable source of evidence and is not typically stored on the local hard disk. This is one of the investigator's favorite data sources for digital forensics, and knowing the right tool to dump memory is a must.
This is a GUI-based tool, which is easy to use.
After executing DumpIt.exe, it will prompt with a confirmation question.
Hit "y" to proceed, and a live RAM capture will be written to the current directory.
#note: This may take a while, depending on the amount of RAM and the resources of the system you are working on.
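Because the dump lands in the current directory and DumpIt itself only asks a yes/no question, the part an incident responder usually has to script around it is the record-keeping: which host, which operator, when, how large the dump is, and its hash before it leaves the USB key. The following PowerShell wrapper is an added example, not MoonSols code and not something the article shows; it assumes DumpIt.exe sits beside the script on the USB key, that the operator answers "y" at the prompt as described above, and that the resulting file has a .raw extension (if your version names the output differently, adjust the filter). All names in it (the JSON sidecar file, the size check) are the example's own choices.

```powershell
# Added example (not part of DumpIt or MoonSols): run DumpIt.exe from the USB key,
# then hash and log the dump it wrote so the capture can be verified later.
# Assumptions: DumpIt.exe is next to this script; the dump appears as a new *.raw
# file in that same directory; the operator answers the prompt interactively.

$ErrorActionPreference = 'Stop'

$toolDir = Split-Path -Parent $MyInvocation.MyCommand.Path
$dumpIt  = Join-Path $toolDir 'DumpIt.exe'
if (-not (Test-Path $dumpIt)) { throw "DumpIt.exe not found in $toolDir" }

# Work from the USB key so the dump is written there, not to the suspect's disk.
Set-Location $toolDir

# Snapshot existing .raw files so we can tell which one DumpIt creates.
$before = @(Get-ChildItem -Path $toolDir -Filter '*.raw' -File |
            ForEach-Object { $_.FullName })

$startedUtc = (Get-Date).ToUniversalTime()
& $dumpIt                      # interactive: answer "y" at the prompt
$exitCode = $LASTEXITCODE
$endedUtc = (Get-Date).ToUniversalTime()

$dump = Get-ChildItem -Path $toolDir -Filter '*.raw' -File |
        Where-Object { $_.FullName -notin $before } |
        Sort-Object LastWriteTime -Descending |
        Select-Object -First 1
if (-not $dump) { throw "No new .raw file found in $toolDir (DumpIt exit code $exitCode)" }

# Rough sanity check: a raw dump far smaller than physical RAM usually means
# the capture was interrupted. TotalPhysicalMemory is slightly below installed RAM,
# so a healthy dump is normally at least this size.
$physBytes = (Get-CimInstance -ClassName Win32_ComputerSystem).TotalPhysicalMemory
if ($dump.Length -lt $physBytes) {
    Write-Warning ("Dump is {0:N0} bytes but physical memory is {1:N0} bytes; " +
                   "verify the capture completed.") -f $dump.Length, $physBytes
}

# Hash on the spot, before the key is unplugged, so later copies can be checked.
$sha256 = (Get-FileHash -Algorithm SHA256 -Path $dump.FullName).Hash

$record = [ordered]@{
    Host           = $env:COMPUTERNAME
    Operator       = $env:USERNAME
    StartedUtc     = $startedUtc.ToString('o')
    EndedUtc       = $endedUtc.ToString('o')
    DumpItExitCode = $exitCode
    DumpFile       = $dump.Name
    SizeBytes      = $dump.Length
    PhysMemBytes   = $physBytes
    SHA256         = $sha256
}

# Sidecar file next to the dump (name chosen for this example).
$logPath = Join-Path $toolDir ($dump.BaseName + '.acquisition.json')
$record | ConvertTo-Json | Out-File -FilePath $logPath -Encoding utf8
Write-Output "Acquisition record written to $logPath"
```

Run it from an elevated PowerShell on the target, since DumpIt needs administrator rights to read physical memory. Keeping the hash and timestamps in a sidecar written at capture time, rather than computed later on an analysis workstation, is what lets you show the dump you analyse is the one that was taken.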