Memory Acquisition using Velocidex Enterprise - WinPmem

WinPmem is a physical memory acquisition tool that allows investigators to recover and analyze valuable artifacts that are often found only in memory.

WinPmem has the following features:

• Open source.
• Support for WinXP – Win10, x86 and x64. The WDK7600 can be used to include WinXP support. By default, the provided WinPmem executables are compiled with WDK10, support Win7 – Win10, and use more modern code.
• Three different, independent methods to create a memory dump. One method should always work, even when faced with kernel-mode rootkits.
• Raw memory dump image support.
• A read device interface is used instead of writing the image from the kernel, as some other imagers do. This allows complex userspace imagers (e.g. copying across the network, hashing) as well as analysis on the live system (e.g. the analysis tool can be run directly on the device).
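The last feature is the one that matters most operationally: because the driver only exposes memory for reading, every decision about where the bytes go and how they are checked is made by an ordinary userspace program. The script below is an added illustration of that split, not code from the WinPmem project: it streams a source in fixed-size chunks to an output file while hashing in the same pass, writes a size-and-SHA-256 manifest next to the image, and re-verifies the stored image later (including after one byte has been altered). The source is a constructed in-memory byte pattern standing in for the read device; the manifest format and the function names are assumptions of this example.

```python
import hashlib
import io
import os
import tempfile

# Read the source in fixed-size chunks so even a multi-gigabyte image never has to fit in RAM.
CHUNK_SIZE = 1024 * 1024


def stream_image(source, sink, chunk_size=CHUNK_SIZE):
    """Copy `source` to `sink` and hash every byte in the same pass.

    Both arguments are ordinary binary file objects; in a real acquisition `source`
    would be a handle on the raw memory device and `sink` an output file or socket.
    Returns (bytes_copied, sha256_hex).
    """
    digest = hashlib.sha256()
    copied = 0
    while True:
        chunk = source.read(chunk_size)
        if not chunk:  # EOF: the device/file has no more data
            break
        digest.update(chunk)
        sink.write(chunk)
        copied += len(chunk)
    return copied, digest.hexdigest()


def write_manifest(image_path, bytes_copied, sha256_hex):
    """Record size and hash beside the image so its integrity can be checked later.

    The two-line manifest format here is an assumption of this example.
    """
    manifest_path = image_path + ".sha256"
    with open(manifest_path, "w", encoding="utf-8") as fh:
        fh.write(f"{sha256_hex}  {os.path.basename(image_path)}\n")
        fh.write(f"# size={bytes_copied}\n")
    return manifest_path


def verify_image(image_path, manifest_path, chunk_size=CHUNK_SIZE):
    """Re-hash the stored image and compare with the manifest; True means intact."""
    with open(manifest_path, encoding="utf-8") as fh:
        expected_hash = fh.readline().split()[0]
        expected_size = int(fh.readline().split("=")[1])
    with open(image_path, "rb") as src, open(os.devnull, "wb") as sink:
        size, actual_hash = stream_image(src, sink, chunk_size)
    return size == expected_size and actual_hash == expected_hash


def demo():
    """Run an acquire / verify / tamper cycle on a constructed stand-in for physical memory."""
    # Constructed input: a 3 MiB repeating byte pattern, standing in for the read device.
    fake_memory = bytes(range(256)) * (3 * 1024 * 1024 // 256)
    with tempfile.TemporaryDirectory() as workdir:
        image_path = os.path.join(workdir, "physmem.raw")
        with open(image_path, "wb") as out:
            copied, sha = stream_image(io.BytesIO(fake_memory), out)
        manifest = write_manifest(image_path, copied, sha)
        intact = verify_image(image_path, manifest)

        # Flip one byte of the stored image: the manifest must now fail to verify.
        with open(image_path, "r+b") as fh:
            fh.seek(4096)
            original = fh.read(1)
            fh.seek(4096)
            fh.write(bytes([original[0] ^ 0xFF]))
        after_tamper = verify_image(image_path, manifest)

    return {
        "bytes_copied": copied,
        "sha256": sha,
        "verified": intact,
        "verified_after_tamper": after_tamper,
        # The streamed hash must equal a one-shot hash of the same bytes.
        "matches_direct_hash": sha == hashlib.sha256(fake_memory).hexdigest(),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Because the hash is computed from the same chunks that are written, the manifest describes exactly what the imager saw on the device, not what later happened to the file on disk; swapping the file sink for a socket gives the "copy across the network" case with no change to the hashing logic.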

From an incident response perspective, the volatile data residing in the system's memory contains rich information such as passwords, credentials, network connections, malware intrusions and registry hives, which can be a valuable source of evidence and is not typically stored on the local hard disk. This is one of the investigator's favorite data sources for digital forensics, and knowing the right tool to dump memory is a must.