SOC OperationsIncident ResponseWindows ForensicsLinux ForensicsKQL Investigations

Acquire Triage Memory Image

1. Preparation

  • Understand the Goal: A triage memory image captures volatile data for quick analysis, not a full forensic memory dump (though the process is similar). Prioritize speed and minimal system impact.

  • Select a Tool: Choose a memory acquisition tool based on availability and system compatibility.

    • DumpIt: Free, simple, Windows-focused (from Comae/MoonSols).

    • WinPmem: Open-source, supports Windows, part of the Rekall framework.

    • Magnet RAM Capture: Free, user-friendly, Windows-only.

    • FTK Imager: Free, includes memory capture alongside disk imaging.

    • Belkasoft Live RAM Capturer: Free, lightweight, Windows-specific.

  • Requirements:

    • Administrative privileges on the target system.

    • External storage (e.g., USB drive) with enough space (RAM size + overhead, e.g., 8-16 GB for a typical system).

  • Output Location: Define a destination (e.g., D:\MemoryDump). Create it manually or via command:cmd

    mkdir D:\MemoryDump

2. Choose Acquisition MethodMemory capture tools typically produce a raw memory dump (.raw, .bin, or .dmp) suitable for triage analysis. Select based on your scenario:

  • Live System: Run the tool directly on the target.

  • No Forensic Image Support: These methods are for live systems only, not mounted disk images.

3. Acquire the Memory ImageBelow are detailed steps for popular tools. Use one based on your setup.Option 1: DumpIt

  • Download: Get DumpIt from the Comae website (free for non-commercial use).

  • Setup: Copy DumpIt.exe to a USB or the target system (e.g., D:\Tools\DumpIt.exe).

  • Capture:

    1. Open an admin Command Prompt or PowerShell.

    2. Run:cmd

      D:\Tools\DumpIt.exe /O D:\MemoryDump\MemoryImage_%COMPUTERNAME%_%DATE%.raw

      • /O: Specifies output path and filename (e.g., MemoryImage_PC1_20250226.raw).

    3. Confirm with Y when prompted.

  • Output: A raw memory file (size matches system RAM, e.g., 8 GB for 8 GB RAM).

  • Time: 1-5 minutes depending on RAM size and storage speed.

Option 2: WinPmem

  • Download: Obtain winpmem.exe from the Rekall GitHub or Velociraptor’s tools directory.

  • Setup: Place winpmem.exe on a USB (e.g., D:\Tools\winpmem.exe).

  • Capture:

    1. Open an admin Command Prompt.

    2. Run:cmd

      D:\Tools\winpmem.exe -o D:\MemoryDump\MemoryImage_%COMPUTERNAME%_%DATE%.raw

      • -o: Output file path.

      • Optional: Add --format raw for explicit raw format.

    3. Wait for completion (no prompt; watch the file size grow).

  • Output: Raw memory dump (.raw).

  • Time: 2-10 minutes.

Option 3: Magnet RAM Capture

  • Download: Free from Magnet Forensics’ website.

  • Setup: Run the installer or use the portable .exe on a USB (e.g., D:\Tools\MagnetRAMCapture.exe).

  • Capture:

    1. Launch MagnetRAMCapture.exe (needs admin rights).

    2. Set output: D:\MemoryDump\MemoryImage_%COMPUTERNAME%_%DATE%.raw.

    3. Click "Capture Memory."

  • Output: Raw memory file.

  • Time: 3-15 minutes, with a progress bar.

Option 4: FTK Imager

  • Download: Free from AccessData’s site.

  • Setup: Install or use the portable version (e.g., D:\Tools\FTKImager.exe).

  • Capture:

    1. Launch FTK Imager as admin.

    2. File > "Capture Memory."

    3. Set destination: D:\MemoryDump\MemoryImage_%COMPUTERNAME%_%DATE%.raw.

    4. Check "Include pagefile" (optional, increases size).

    5. Click "Capture Memory."

  • Output: Raw dump plus a .txt log.

  • Time: 5-20 minutes.

Option 5: Belkasoft Live RAM Capturer

  • Download: Free from Belkasoft’s website.

  • Setup: Extract to a USB (e.g., D:\Tools\BelkaRAMCapturer.exe).

  • Capture:

    1. Run BelkaRAMCapturer.exe as admin.

    2. Select output: D:\MemoryDump\MemoryImage_%COMPUTERNAME%_%DATE%.dmp.

    3. Click "Capture."

  • Output: Memory dump (.dmp).

  • Time: 2-10 minutes.

4. Enhance with PowerShell (Optional)PowerShell can’t capture memory but can automate tool execution and add metadata:powershell

$OutputPath = "D:\MemoryDump"
$Timestamp = Get-Date -Format "yyyyMMdd_HHmmss"
New-Item -Path $OutputPath -ItemType Directory -Force

# Run DumpIt (example)
Start-Process -FilePath "D:\Tools\DumpIt.exe" -ArgumentList "/O $OutputPath\MemoryImage_$env:COMPUTERNAME_$Timestamp.raw" -Wait -NoNewWindow

# Add system info
Get-ComputerInfo | Export-Csv "$OutputPath\SystemInfo_$Timestamp.csv" -NoTypeInformation

5. Verify and Package

  • Check Output: Ensure the file exists and matches RAM size (e.g., dir D:\MemoryDump or Get-ChildItem $OutputPath).

  • Hash for Integrity:powershell

    Get-FileHash -Path "$OutputPath\MemoryImage_$env:COMPUTERNAME_$Timestamp.raw" -Algorithm SHA256 | Export-Csv "$OutputPath\MemoryHash_$Timestamp.csv"

  • Compress:powershell

    Compress-Archive -Path "$OutputPath\*" -DestinationPath "D:\MemoryTriage_$Timestamp.zip"

6. Analyze the Memory Image

  • Tools:

    • Volatility: Open-source, command-line (e.g., vol.py -f MemoryImage.raw --profile=Win10x64 pslist).

    • Rekall: Similar to Volatility, with WinPmem integration.

    • Autopsy: GUI, load the .raw file under "Add Data Source."

    • Magnet AXIOM: Commercial, supports memory analysis.

  • Key Artifacts:

    • Processes (pslist, pstree)

    • Network connections (netscan)

    • Loaded DLLs (dlllist)

    • Registry hives in memory (hivelist)

7. Tips and Considerations

  • Speed: Triage capture takes minutes (e.g., 1 GB/min on fast storage), ideal for rapid response.

  • Size: Plan for RAM size (e.g., 16 GB system = 16+ GB dump with pagefile).

  • Impact: Minimal, but tools load drivers—use on responsive systems only.

  • Stealth: Run from a USB to avoid writing to C:\.

  • Legal: Ensure authorisation; memory may contain sensitive data.

PreviousAcquire Triage Data Using PowershellNextAcquire Image Using FTK

Last updated