Obtaining Memory Samples
Tools for turned-on machines
Redline - https://www.fireeye.com/services/freeware/redline.html - Requires registration, but Redline has a very nice GUI.
DumpIt.exe
win32dd.exe / win64dd.exe - Has fantastic psexec support; great for IT departments if your EDR (Endpoint Detection and Response) solution doesn't support memory acquisition.
These tools will typically output a .raw file which contains an image of the system memory.
Turned-off machines
Windows
%SystemDrive%\hiberfil.sys
hiberfil.sys, better known as the Windows hibernation file, contains a compressed memory image from the previous boot.
Virtual machines
Here's a quick list of which file holds the memory image for each common virtual machine hypervisor:
VMware - .vmem file
Hyper-V - .bin file
Parallels - .mem file
VirtualBox - .sav file (this is only a partial memory image; for this hypervisor you'll need to dump memory as you would on a bare-metal system)
These files can usually be found in the data store of the corresponding hypervisor and can often be copied without shutting the associated virtual machine off. This causes virtually zero disturbance to the virtual machine, preserving its forensic integrity.
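Added example, not from the original page: a Python script that locates the hypervisor memory files listed above (plus a stray hiberfil.sys) under a data store directory, copies them into an evidence folder without touching the running VM, and records size and SHA-256 of each copy for the chain-of-custody log. The data store layout, the evidence folder and the demo files are constructed for the example; the .vmdk is included only to show that non-memory files are skipped.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path
# Memory-image file types per hypervisor, as listed above; VirtualBox's .sav is only partial.
MEMORY_ARTIFACTS = {".vmem": ("VMware", True), ".bin": ("Hyper-V", True),
                    ".mem": ("Parallels", True), ".sav": ("VirtualBox", False)}

def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file through SHA-256; images are large, so never read them whole."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def find_memory_artifacts(datastore: Path) -> list[tuple[Path, str, bool]]:
    """Return (path, origin, complete) for every candidate memory image under datastore."""
    found = []
    for p in sorted(datastore.rglob("*")):
        if not p.is_file():
            continue
        if p.name.lower() == "hiberfil.sys":
            found.append((p, "Windows hibernation file", True))
        elif p.suffix.lower() in MEMORY_ARTIFACTS:
            origin, complete = MEMORY_ARTIFACTS[p.suffix.lower()]
            found.append((p, origin, complete))
    return found

def collect(datastore: Path, evidence_dir: Path) -> list[dict]:
    """Copy each artifact into evidence_dir and log size and SHA-256 of the copy."""
    records = []
    for src, origin, complete in find_memory_artifacts(datastore):
        dst = evidence_dir / src.relative_to(datastore)  # keep the per-VM folder layout
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, dst)  # plain file copy; the VM is neither paused nor stopped
        # Hash the copy, not the source: a running VM keeps rewriting its image file,
        # so the acquired copy is the artifact the chain-of-custody record describes.
        records.append({"origin": origin, "file": str(src.relative_to(datastore)),
                        "size": dst.stat().st_size, "sha256": sha256_file(dst),
                        "complete": complete})
    return records

def demo() -> list[dict]:
    """Constructed datastore with dummy contents (not real images) to run collect() offline."""
    root = Path(tempfile.mkdtemp())
    files = {"vm1/vm1.vmem": b"abc", "vm1/vm1.vmdk": b"disk", "vm2/state.sav": b"part",
             "host/hiberfil.sys": b"hib"}
    for rel, data in files.items():
        (root / "datastore" / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / "datastore" / rel).write_bytes(data)
    return collect(root / "datastore", root / "evidence")
```

Records flagged `complete: False` (the VirtualBox .sav) should be treated as a partial capture and followed up with an in-guest dump using one of the tools from the turned-on machine section.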