How to dump volatile memory on Windows systems?
My own shortlist
One of the first steps in the forensic analysis of a compromised machine is to take a copy of volatile memory (RAM) before the host is powered off or rebooted, since running processes, network connections, injected code and decryption keys live only there.
This copy is then analysed offline with tools such as Volatility or Redline.
But which tool should be used to acquire volatile memory?
Below is my own shortlist.
DumpIt is a fusion of two trusted tools, win32dd and win64dd, combined into one executable.
Simply double-click the DumpIt executable and allow the tool to run: a snapshot of the host's physical memory is taken and saved into the folder where the executable is located. Because the image lands next to the binary, run DumpIt from removable media or a network share so that the dump is not written onto the evidence disk of the compromised host.
This tool is part of the Community edition of the MoonSols Windows Memory Toolkit.
It can acquire live memory and the paging file on 32-bit and 64-bit systems.
It runs on Windows 2003 and later versions.
It is part of the Rekall Memory Analysis framework.
It supports Windows XP to Windows 8, on both 32-bit and 64-bit architectures.
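Whichever of the tools above is chosen, the acquisition itself is only half of the job: the image has to be written somewhere other than the evidence disk, there has to be room for it, and its hash and the host's state at acquisition time must be recorded so the dump can be trusted later. The PowerShell wrapper below is an added example and is not code from the original post or from any of the listed tools. It assumes a hypothetical layout in which the acquisition binary (`$ToolPath`) sits on the external media it is launched from, `$ToolArgs` are whatever that tool's own command line expects (for example an output path), and `$OutputFile` is the image the tool produces; it does not invent any flags for DumpIt or the other tools.

```powershell
# Added example, not part of the original post or of any of the tools it lists.
# Wrapper for a memory acquisition run: pre-flight checks, run the chosen tool,
# then hash the image and write an acquisition record next to it.
# Assumptions (all hypothetical): $ToolPath points at the acquisition binary on the
# external media it is run from; $ToolArgs are whatever that tool's own CLI expects
# (e.g. an output path); $OutputFile is the file the tool will produce.
param(
    [Parameter(Mandatory)][string]$ToolPath,
    [string[]]$ToolArgs = @(),
    [Parameter(Mandatory)][string]$OutputFile,
    [string]$RecordFile = "$OutputFile.acquisition.json"
)

$ErrorActionPreference = 'Stop'

# 1. Acquisition tools load a kernel driver to reach physical memory, so we must be elevated.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run from an elevated prompt: the acquisition driver cannot be loaded otherwise.'
}

# 2. Never write the image to the system drive: it would overwrite unallocated clusters
#    (deleted files, old pagefile contents) that a later disk examination may need.
$outQualifier = Split-Path -Qualifier $OutputFile      # 'E:' or '\\server\share'
if ($outQualifier -ieq $env:SystemDrive) {
    throw "Output is on the system drive ($env:SystemDrive); use removable media or a network share."
}

# 3. A raw image covers the physical address space, which is usually somewhat larger than
#    installed RAM (reserved/device ranges), and some tools append the pagefile. Require
#    1.25x RAM of free space on local destinations; UNC paths cannot be checked this way.
$ramBytes = (Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory
if ($outQualifier -match '^[A-Za-z]:$') {
    $free = (Get-PSDrive -Name $outQualifier.TrimEnd(':')).Free
    if ($free -lt [math]::Ceiling($ramBytes * 1.25)) {
        throw "Only $free bytes free on $outQualifier; need at least 1.25x RAM ($ramBytes bytes)."
    }
}

# 4. Record host state before the run; these values anchor the image in time for later analysis.
$os = Get-CimInstance Win32_OperatingSystem
$record = [ordered]@{
    Host                = $env:COMPUTERNAME
    OS                  = "$($os.Caption) $($os.Version) ($($os.OSArchitecture))"
    LastBootUpTime      = $os.LastBootUpTime.ToString('o')
    TotalPhysicalMemory = $ramBytes
    Tool                = $ToolPath
    ToolSha256          = (Get-FileHash -Algorithm SHA256 -LiteralPath $ToolPath).Hash
    ToolArgs            = $ToolArgs
    StartUtc            = (Get-Date).ToUniversalTime().ToString('o')
}

# 5. Run the tool and wait for it; an empty list must not be passed to -ArgumentList.
$start = @{ FilePath = $ToolPath; Wait = $true; PassThru = $true; NoNewWindow = $true }
if ($ToolArgs.Count -gt 0) { $start.ArgumentList = $ToolArgs }
$proc = Start-Process @start
$record.EndUtc   = (Get-Date).ToUniversalTime().ToString('o')
$record.ExitCode = $proc.ExitCode
if ($proc.ExitCode -ne 0 -or -not (Test-Path -LiteralPath $OutputFile)) {
    throw "Acquisition failed (exit code $($proc.ExitCode)); no image at $OutputFile."
}

# 6. Hash the image immediately and sanity-check its size against installed RAM.
$image = Get-Item -LiteralPath $OutputFile
$record.ImageFile   = $image.FullName
$record.ImageBytes  = $image.Length
$record.ImageSha256 = (Get-FileHash -Algorithm SHA256 -LiteralPath $OutputFile).Hash
if ($image.Length -lt $ramBytes) {
    Write-Warning "Image ($($image.Length) bytes) is smaller than installed RAM; the dump may be truncated."
}

$record | ConvertTo-Json | Set-Content -LiteralPath $RecordFile -Encoding UTF8
Write-Host "Image: $OutputFile`nSHA-256: $($record.ImageSha256)`nRecord: $RecordFile"
```

Keep the script on the same removable media as the tool and invoke it from an elevated prompt, for example `.\Acquire-Memory.ps1 -ToolPath E:\tools\acq.exe -ToolArgs 'E:\dumps\host01.raw' -OutputFile E:\dumps\host01.raw` (paths are illustrative). `Get-CimInstance` and `Get-FileHash` need PowerShell 3 and 4 respectively, so on the Windows XP/2003 hosts that some of the tools above still support, the same steps (elevation, destination choice, free-space check, hashing and a written record) have to be done by hand. Remember that any tool, this wrapper included, perturbs the memory it is capturing; keep the footprint small and do not start anything else on the host before the dump completes.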