Update README.md
evild3ad authored Sep 26, 2022
1 parent 3aa95e2 commit 8588396
Showing 1 changed file with 67 additions and 22 deletions.
89 changes: 67 additions & 22 deletions README.md
Expand Up @@ -6,8 +6,9 @@ Collect-MemoryDump.ps1 is PowerShell script utilized to collect a Memory Snapsho
Features:
* Checks for Hostname and Physical Memory Size before starting memory acquisition
* Checks if you have enough free disk space to save memory dump file
* Collects a Raw Physical Memory Dump w/ DumpIt, Magnet RamCapture and WinPMEM
* Collects a Raw Physical Memory Dump w/ DumpIt, Magnet RamCapture, Belkasoft Live RAM Capturer and WinPMEM
* Collects a Microsoft Crash Dump w/ DumpIt for Comae Beta from Magnet Idea Lab
* Pagefile Collection w/ [CyLR](https://github.com/orlikoski/CyLR) - Live Response Collection tool by Alan Orlikoski and Jason Yegge
* Checks for Encrypted Volumes w/ Magnet Forensics Encrypted Disk Detector
* Collects BitLocker Recovery Key
* Checks for installed Endpoint Security Tools (AntiVirus and EDR)
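Review bot: the new feature entry `* Pagefile Collection w/ [CyLR](...)` does not say that pagefile collection is optional or how it is switched on, while the Usage section in the same change introduces a `[--Pagefile]` switch for it; say so here, e.g. `* Pagefile Collection (optional, via --Pagefile) w/ [CyLR](https://github.com/orlikoski/CyLR) - Live Response Collection tool by Alan Orlikoski and Jason Yegge`, so a reader of the feature list knows the pagefile is only acquired when requested.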
Expand All @@ -23,54 +24,98 @@ https://www.magnetforensics.com/
Download the latest version of **Collect-MemoryDump** from the [Releases](https://github.com/evild3ad/Collect-MemoryDump/releases/latest) section.

## Usage
.\Collect-MemoryDump.ps1 [-Tool] [--skip]
.\Collect-MemoryDump.ps1 [-Tool] [--Pagefile]

Example 1 - Raw Physical Memory Snapshot
.\Collect-MemoryDump.ps1 -DumpIt

Example 2 - Microsoft Crash Dump (.zdmp) → optimized for uploading to [Comae Investigation Platform](https://www.comae.com/)
.\Collect-MemoryDump.ps1 -Comae

Note: You can uncompress *.zdmp files generated by DumpIt w/ Z2Dmp (Comae-Toolkit).
Note: You can uncompress *.zdmp files generated by DumpIt w/ Z2Dmp (Comae-Toolkit).

![Help-Message](https://github.com/evild3ad/Collect-MemoryDump/blob/64d99221e407893ec3530550404c6d9c849afdf3/Screenshots/01.png)
Example 3 - Raw Physical Memory Snapshot and Pagefile Collection → [MemProcFS](https://github.com/ufrisk/MemProcFS)
.\Collect-MemoryDump.ps1 -WinPMEM --Pagefile

![Help-Message](https://github.com/evild3ad/Collect-MemoryDump/blob/3aa95e224d0613681d5cd1baaf3e8a22da40bf68/Screenshots/01.png)
**Fig 1:** Help Message

![AvailableSpace](https://github.com/evild3ad/Collect-MemoryDump/blob/64d99221e407893ec3530550404c6d9c849afdf3/Screenshots/02.png)
![AvailableSpace](https://github.com/evild3ad/Collect-MemoryDump/blob/3aa95e224d0613681d5cd1baaf3e8a22da40bf68/Screenshots/02.png)
**Fig 2:** Check Available Space

![DumpIt](https://github.com/evild3ad/Collect-MemoryDump/blob/64d99221e407893ec3530550404c6d9c849afdf3/Screenshots/03.png)
![DumpIt](https://github.com/evild3ad/Collect-MemoryDump/blob/3aa95e224d0613681d5cd1baaf3e8a22da40bf68/Screenshots/03.png)
**Fig 3:** Automated Creation of Windows Memory Snapshot w/ DumpIt

![RamCapture](https://github.com/evild3ad/Collect-MemoryDump/blob/64d99221e407893ec3530550404c6d9c849afdf3/Screenshots/04.png)
![RamCapture](https://github.com/evild3ad/Collect-MemoryDump/blob/3aa95e224d0613681d5cd1baaf3e8a22da40bf68/Screenshots/04.png)
**Fig 4:** Automated Creation of Windows Memory Snapshot w/ Magnet RAM Capture

![SkipCompressing](https://github.com/evild3ad/Collect-MemoryDump/blob/64d99221e407893ec3530550404c6d9c849afdf3/Screenshots/05.png)
**Fig 5:** The time-consuming task of compressing the memory snapshot can be skipped (if needed)
![WinPMEM](https://github.com/evild3ad/Collect-MemoryDump/blob/3aa95e224d0613681d5cd1baaf3e8a22da40bf68/Screenshots/05.png)
**Fig 5:** Automated Creation of Windows Memory Snapshot w/ WinPMEM

![WinPMEM](https://github.com/evild3ad/Collect-MemoryDump/blob/64d99221e407893ec3530550404c6d9c849afdf3/Screenshots/06.png)
**Fig 6:** Automated Creation of Windows Memory Snapshot w/ WinPMEM
![Belkasoft](https://github.com/evild3ad/Collect-MemoryDump/blob/3aa95e224d0613681d5cd1baaf3e8a22da40bf68/Screenshots/06.png)
**Fig 6:** Automated Creation of Windows Memory Snapshot w/ Belkasoft Live RAM Capturer

![Comae](https://github.com/evild3ad/Collect-MemoryDump/blob/64d99221e407893ec3530550404c6d9c849afdf3/Screenshots/07.png)
![Comae](https://github.com/evild3ad/Collect-MemoryDump/blob/3aa95e224d0613681d5cd1baaf3e8a22da40bf68/Screenshots/07.png)
**Fig 7:** Automated Creation of Windows Memory Snapshot w/ DumpIt (Microsoft Crash Dump)

![MessageBox](https://github.com/evild3ad/Collect-MemoryDump/blob/64d99221e407893ec3530550404c6d9c849afdf3/Screenshots/08.png)
**Fig 8:** Message Box
![WinPMEM](https://github.com/evild3ad/Collect-MemoryDump/blob/3aa95e224d0613681d5cd1baaf3e8a22da40bf68/Screenshots/08.png)
**Fig 8:** Automated Creation of Windows Memory Snapshot w/ WinPMEM and Pagefile Collection w/ CyLR

![SecureArchive](https://github.com/evild3ad/Collect-MemoryDump/blob/64d99221e407893ec3530550404c6d9c849afdf3/Screenshots/09.png)
**Fig 9:** Secure Archive Container (PW: IncidentResponse) and Logfile.txt
![MessageBox](https://github.com/evild3ad/Collect-MemoryDump/blob/3aa95e224d0613681d5cd1baaf3e8a22da40bf68/Screenshots/09.png)
**Fig 9:** Message Box

![Directories](https://github.com/evild3ad/Collect-MemoryDump/blob/64d99221e407893ec3530550404c6d9c849afdf3/Screenshots/10.png)
**Fig 10:** Output Directories
![SecureArchive](https://github.com/evild3ad/Collect-MemoryDump/blob/3aa95e224d0613681d5cd1baaf3e8a22da40bf68/Screenshots/10.png)
**Fig 10:** Secure Archive Container (PW: IncidentResponse) and Logfile.txt

![Memory](https://github.com/evild3ad/Collect-MemoryDump/blob/64d99221e407893ec3530550404c6d9c849afdf3/Screenshots/11.png)
**Fig 11:** Memory Snapshot (in a forensically sound manner)
![OutputDirectories](https://github.com/evild3ad/Collect-MemoryDump/blob/3aa95e224d0613681d5cd1baaf3e8a22da40bf68/Screenshots/11.png)
**Fig 11:** Output Directories

![SystemInfo](https://github.com/evild3ad/Collect-MemoryDump/blob/64d99221e407893ec3530550404c6d9c849afdf3/Screenshots/12.png)
**Fig 12:** Collected System Information
![MemoryDirectories](https://github.com/evild3ad/Collect-MemoryDump/blob/3aa95e224d0613681d5cd1baaf3e8a22da40bf68/Screenshots/12.png)
**Fig 12:** Memory Directories (WinPMEM and Pagefile)

![Memory](https://github.com/evild3ad/Collect-MemoryDump/blob/3aa95e224d0613681d5cd1baaf3e8a22da40bf68/Screenshots/13.png)
**Fig 13:** Memory Snapshot (in a forensically sound manner)

![Pagefile](https://github.com/evild3ad/Collect-MemoryDump/blob/3aa95e224d0613681d5cd1baaf3e8a22da40bf68/Screenshots/14.png)
**Fig 14:** Pagefile Collection

![SystemInfo](https://github.com/evild3ad/Collect-MemoryDump/blob/3aa95e224d0613681d5cd1baaf3e8a22da40bf68/Screenshots/15.png)
**Fig 15:** Collected System Information

## Dependencies
7-Zip 22.01 Standalone Console (2022-07-15)
https://www.7-zip.org/download.html

Belkasoft Live RAM Capturer (2018-10-22)
https://belkasoft.com/ram-capturer

DumpIt 3.5.0 (2022-08-02) → Comae-Toolkit
https://magnetidealab.com/
https://beta.comae.tech/
https://www.magnetforensics.com/blog/how-to-get-started-with-comae/

CyLR 3.0 (2021-02-03)
https://github.com/orlikoski/CyLR

Magnet Encrypted Disk Detector v3.1.0 (2022-06-19)
https://www.magnetforensics.com/resources/encrypted-disk-detector/
https://support.magnetforensics.com/s/free-tools

Magnet RAM Capture v1.2.0 (2019-07-24)
https://www.magnetforensics.com/resources/magnet-ram-capture/
https://support.magnetforensics.com/s/software-and-downloads?productTag=free-tools

PsLoggedOn v1.35 (2016-06-29)
https://docs.microsoft.com/de-de/sysinternals/downloads/psloggedon

WinPMEM 4.0 RC2 (2020-10-12)
https://github.com/Velocidex/WinPmem/releases

## Links
[Belkasoft Live RAM Capturer](https://belkasoft.com/ram-capturer)
[Comae-Toolkit incl. DumpIt](https://www.magnetforensics.com/blog/how-to-get-started-with-comae/)
[CyLR - Live Response Collection Tool](https://github.com/orlikoski/CyLR)
[MAGNET Encrypted Disk Detector](https://www.magnetforensics.com/resources/encrypted-disk-detector/)
[MAGNET Ram Capture](https://www.magnetforensics.com/resources/magnet-ram-capture/)
[WinPMEM](https://github.com/Velocidex/WinPmem)
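Review bot: replacing `[--skip]` with `[--Pagefile]` in the Usage synopsis drops the only documentation of the skip-compression option, and the old Fig 5 (`The time-consuming task of compressing the memory snapshot can be skipped (if needed)`) is removed in the same hunk; if `--skip` is still accepted, keep it in the synopsis, e.g. `.\Collect-MemoryDump.ps1 [-Tool] [--Pagefile] [--skip]`, and if it was dropped, say so in the commit message rather than silently. Also, `--Pagefile` is not the PowerShell `-Switch` spelling; confirm the script really parses the double-dash form (for example from `$args`) or document it as `-Pagefile`, since users will try the single-dash form first. Minor: the `Note: You can uncompress *.zdmp files ...` line appears twice in the diff, which suggests a whitespace-only change; trim it so the rendered README carries one copy.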

