Memory Forensics: How to Capture Memory for Analysis

There are several ways to capture memory from a Windows machine for analysis, but want an easy one? I mean a really easy one? Then look no further than MoonSols “DumpIt“.

MoonSols, the creator of the ever popular “win32dd” and “win64dd” memory dump programs have combined both into a single executable that when executed creates a copy of physical memory into the current directory. Just throw DumpIt onto a USB drive or save it on your hard drive, double click it, select yes twice and before you know it you have a complete copy of your machine’s memory sitting on disk.

The only thing you need to make sure of, especially if using a USB drive is that it is large enough to hold the file that is created. The memory dump will be a little larger than the size of your installed RAM. So, for instance, a machine with 4GB RAM will produce about a 5 GB file.

Malware Analysts use memory dumps to analyze malicious software. Once you have the memory dump, you can perform some very interesting analysis on it, like viewing what processes and programs were running on the machine, and what network connections the system had.

You can even pull passwords from them, which we will look at next time.

** Part 2Memory Forensics: How to Pull Passwords from a Memory Dump

~ by D. Dieterle on November 3, 2011.

4 Responses to “Memory Forensics: How to Capture Memory for Analysis”

  1. […] time, we talked about a quick and easy way to get a memory dump on a Windows based PC. This time, we will cover pulling passwords out of captured memory […]

  2. […] time, we talked about a quick and easy way to get a memory dump on a Windows based PC. This time, we will cover pulling passwords out of captured memory […]

  3. […] Memory Forensics: How to Capture Memory for Analysis […]

  4. […] Cross-posted from Cyber Arms […]

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

 
%d bloggers like this: