From 85883966455fd81c56d1f312c34d95de4f6b3b51 Mon Sep 17 00:00:00 2001 From: Martin Willing Date: Mon, 26 Sep 2022 08:36:19 +0200 Subject: [PATCH] Update README.md --- README.md | 89 +++++++++++++++++++++++++++++++++++++++++-------------- 1 file changed, 67 insertions(+), 22 deletions(-) diff --git a/README.md b/README.md index 6c4df41..c663dba 100644 --- a/README.md +++ b/README.md @@ -6,8 +6,9 @@ Collect-MemoryDump.ps1 is PowerShell script utilized to collect a Memory Snapsho Features: * Checks for Hostname and Physical Memory Size before starting memory acquisition * Checks if you have enough free disk space to save memory dump file -* Collects a Raw Physical Memory Dump w/ DumpIt, Magnet RamCapture and WinPMEM +* Collects a Raw Physical Memory Dump w/ DumpIt, Magnet RamCapture, Belkasoft Live RAM Capturer and WinPMEM * Collects a Microsoft Crash Dump w/ DumpIt for Comae Beta from Magnet Idea Lab +* Pagefile Collection w/ [CyLR](https://github.com/orlikoski/CyLR) - Live Response Collection tool by Alan Orlikoski and Jason Yegge * Checks for Encrypted Volumes w/ Magnet Forensics Encrypted Disk Detector * Collects BitLocker Recovery Key * Checks for installed Endpoint Security Tools (AntiVirus and EDR) @@ -23,7 +24,7 @@ https://www.magnetforensics.com/ Download the latest version of **Collect-MemoryDump** from the [Releases](https://github.com/evild3ad/Collect-MemoryDump/releases/latest) section. ## Usage -.\Collect-MemoryDump.ps1 [-Tool] [--skip] +.\Collect-MemoryDump.ps1 [-Tool] [--Pagefile] Example 1 - Raw Physical Memory Snapshot .\Collect-MemoryDump.ps1 -DumpIt 
@@ -31,46 +32,90 @@ Example 1 - Raw Physical Memory Snapshot Example 2 - Microsoft Crash Dump (.zdmp) → optimized for uploading to [Comae Investigation Platform](https://www.comae.com/) .\Collect-MemoryDump.ps1 -Comae -Note: You can uncompress *.zdmp files generated by DumpIt w/ Z2Dmp (Comae-Toolkit). +Note: You can uncompress *.zdmp files generated by DumpIt w/ Z2Dmp (Comae-Toolkit). -![Help-Message](https://github.com/evild3ad/Collect-MemoryDump/blob/64d99221e407893ec3530550404c6d9c849afdf3/Screenshots/01.png) +Example 3 - Raw Physical Memory Snapshot and Pagefile Collection → [MemProcFS](https://github.com/ufrisk/MemProcFS) +.\Collect-MemoryDump.ps1 -WinPMEM --Pagefile + +![Help-Message](https://github.com/evild3ad/Collect-MemoryDump/blob/3aa95e224d0613681d5cd1baaf3e8a22da40bf68/Screenshots/01.png) **Fig 1:** Help Message -![AvailableSpace](https://github.com/evild3ad/Collect-MemoryDump/blob/64d99221e407893ec3530550404c6d9c849afdf3/Screenshots/02.png) +![AvailableSpace](https://github.com/evild3ad/Collect-MemoryDump/blob/3aa95e224d0613681d5cd1baaf3e8a22da40bf68/Screenshots/02.png) **Fig 2:** Check Available Space -![DumpIt](https://github.com/evild3ad/Collect-MemoryDump/blob/64d99221e407893ec3530550404c6d9c849afdf3/Screenshots/03.png) +![DumpIt](https://github.com/evild3ad/Collect-MemoryDump/blob/3aa95e224d0613681d5cd1baaf3e8a22da40bf68/Screenshots/03.png) **Fig 3:** Automated Creation of Windows Memory Snapshot w/ DumpIt -![RamCapture](https://github.com/evild3ad/Collect-MemoryDump/blob/64d99221e407893ec3530550404c6d9c849afdf3/Screenshots/04.png) +![RamCapture](https://github.com/evild3ad/Collect-MemoryDump/blob/3aa95e224d0613681d5cd1baaf3e8a22da40bf68/Screenshots/04.png) **Fig 4:** Automated Creation of Windows Memory Snapshot w/ Magnet RAM Capture -![SkipCompressing](https://github.com/evild3ad/Collect-MemoryDump/blob/64d99221e407893ec3530550404c6d9c849afdf3/Screenshots/05.png) -**Fig 5:** The time-consuming task of compressing the memory snapshot can be 
skipped (if needed) +![WinPMEM](https://github.com/evild3ad/Collect-MemoryDump/blob/3aa95e224d0613681d5cd1baaf3e8a22da40bf68/Screenshots/05.png) +**Fig 5:** Automated Creation of Windows Memory Snapshot w/ WinPMEM -![WinPMEM](https://github.com/evild3ad/Collect-MemoryDump/blob/64d99221e407893ec3530550404c6d9c849afdf3/Screenshots/06.png) -**Fig 6:** Automated Creation of Windows Memory Snapshot w/ WinPMEM +![Belkasoft](https://github.com/evild3ad/Collect-MemoryDump/blob/3aa95e224d0613681d5cd1baaf3e8a22da40bf68/Screenshots/06.png) +**Fig 6:** Automated Creation of Windows Memory Snapshot w/ Belkasoft Live RAM Capturer -![Comae](https://github.com/evild3ad/Collect-MemoryDump/blob/64d99221e407893ec3530550404c6d9c849afdf3/Screenshots/07.png) +![Comae](https://github.com/evild3ad/Collect-MemoryDump/blob/3aa95e224d0613681d5cd1baaf3e8a22da40bf68/Screenshots/07.png) **Fig 7:** Automated Creation of Windows Memory Snapshot w/ DumpIt (Microsoft Crash Dump) -![MessageBox](https://github.com/evild3ad/Collect-MemoryDump/blob/64d99221e407893ec3530550404c6d9c849afdf3/Screenshots/08.png) -**Fig 8:** Message Box +![WinPMEM](https://github.com/evild3ad/Collect-MemoryDump/blob/3aa95e224d0613681d5cd1baaf3e8a22da40bf68/Screenshots/08.png) +**Fig 8:** Automated Creation of Windows Memory Snapshot w/ WinPMEM and Pagefile Collection w/ CyLR -![SecureArchive](https://github.com/evild3ad/Collect-MemoryDump/blob/64d99221e407893ec3530550404c6d9c849afdf3/Screenshots/09.png) -**Fig 9:** Secure Archive Container (PW: IncidentResponse) and Logfile.txt +![MessageBox](https://github.com/evild3ad/Collect-MemoryDump/blob/3aa95e224d0613681d5cd1baaf3e8a22da40bf68/Screenshots/09.png) +**Fig 9:** Message Box -![Directories](https://github.com/evild3ad/Collect-MemoryDump/blob/64d99221e407893ec3530550404c6d9c849afdf3/Screenshots/10.png) -**Fig 10:** Output Directories +![SecureArchive](https://github.com/evild3ad/Collect-MemoryDump/blob/3aa95e224d0613681d5cd1baaf3e8a22da40bf68/Screenshots/10.png) +**Fig 
10:** Secure Archive Container (PW: IncidentResponse) and Logfile.txt -![Memory](https://github.com/evild3ad/Collect-MemoryDump/blob/64d99221e407893ec3530550404c6d9c849afdf3/Screenshots/11.png) -**Fig 11:** Memory Snapshot (in a forensically sound manner) +![OutputDirectories](https://github.com/evild3ad/Collect-MemoryDump/blob/3aa95e224d0613681d5cd1baaf3e8a22da40bf68/Screenshots/11.png) +**Fig 11:** Output Directories -![SystemInfo](https://github.com/evild3ad/Collect-MemoryDump/blob/64d99221e407893ec3530550404c6d9c849afdf3/Screenshots/12.png) -**Fig 12:** Collected System Information +![MemoryDirectories](https://github.com/evild3ad/Collect-MemoryDump/blob/3aa95e224d0613681d5cd1baaf3e8a22da40bf68/Screenshots/12.png) +**Fig 12:** Memory Directories (WinPMEM and Pagefile) + +![Memory](https://github.com/evild3ad/Collect-MemoryDump/blob/3aa95e224d0613681d5cd1baaf3e8a22da40bf68/Screenshots/13.png) +**Fig 13:** Memory Snapshot (in a forensically sound manner) + +![Pagefile](https://github.com/evild3ad/Collect-MemoryDump/blob/3aa95e224d0613681d5cd1baaf3e8a22da40bf68/Screenshots/14.png) +**Fig 14:** Pagefile Collection + +![SystemInfo](https://github.com/evild3ad/Collect-MemoryDump/blob/3aa95e224d0613681d5cd1baaf3e8a22da40bf68/Screenshots/15.png) +**Fig 15:** Collected System Information + +## Dependencies +7-Zip 22.01 Standalone Console (2022-07-15) +https://www.7-zip.org/download.html + +Belkasoft Live RAM Capturer (2018-10-22) +https://belkasoft.com/ram-capturer + +DumpIt 3.5.0 (2022-08-02) → Comae-Toolkit +https://magnetidealab.com/ +https://beta.comae.tech/ +https://www.magnetforensics.com/blog/how-to-get-started-with-comae/ + +CyLR 3.0 (2021-02-03) +https://github.com/orlikoski/CyLR + +Magnet Encrypted Disk Detector v3.1.0 (2022-06-19) +https://www.magnetforensics.com/resources/encrypted-disk-detector/ +https://support.magnetforensics.com/s/free-tools + +Magnet RAM Capture v1.2.0 (2019-07-24) +https://www.magnetforensics.com/resources/magnet-ram-capture/ 
+https://support.magnetforensics.com/s/software-and-downloads?productTag=free-tools + +PsLoggedOn v1.35 (2016-06-29) +https://docs.microsoft.com/de-de/sysinternals/downloads/psloggedon + +WinPMEM 4.0 RC2 (2020-10-12) +https://github.com/Velocidex/WinPmem/releases ## Links +[Belkasoft Live RAM Capturer](https://belkasoft.com/ram-capturer) [Comae-Toolkit incl. DumpIt](https://www.magnetforensics.com/blog/how-to-get-started-with-comae/) +[CyLR - Live Response Collection Tool](https://github.com/orlikoski/CyLR) +[MAGNET Encrypted Disk Detector](https://www.magnetforensics.com/resources/encrypted-disk-detector/) [MAGNET Ram Capture](https://www.magnetforensics.com/resources/magnet-ram-capture/) [WinPMEM](https://github.com/Velocidex/WinPmem)
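Review bot: in the first hunk (@@ -6,8 +6,9 @@) the rewritten feature bullet still spells the tool "Magnet RamCapture", while the later hunk's Fig 4 caption, the Dependencies entry ("Magnet RAM Capture v1.2.0") and the Links entry ("MAGNET Ram Capture") each use a different form; pick the vendor's spelling, "Magnet RAM Capture", and use it in all four places so readers searching the README for the tool find every mention.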
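Review bot: the new usage line in the second hunk (@@ -23,7 +24,7 @@), `.\Collect-MemoryDump.ps1 [-Tool] [--Pagefile]`, mixes a single-dash `-Tool` placeholder with a double-dash `--Pagefile`; PowerShell binds `-Pagefile` to a `[switch]` parameter, whereas `--Pagefile` is passed through as a positional string unless the script parses it by hand, so the README should show exactly the form the script declares (the same applies to `-WinPMEM --Pagefile` in Example 3). The hunk also silently drops `[--skip]`; if skipping compression was removed rather than renamed, a one-line note for users of the previous release would avoid surprise when the old switch stops working.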
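Review bot: in the third hunk (@@ -31,46 +32,90 @@) the Fig 10 caption, `Secure Archive Container (PW: IncidentResponse) and Logfile.txt`, publishes the archive password in the README, so the container gives a memory image (which will hold credentials and keys) no confidentiality beyond obscuring it from on-the-fly scanners; either state that the password is only there to keep endpoint tools from unpacking the archive, or document a way for the responder to supply their own. Two smaller points in the same hunk: the `-Note:`/`+Note:` pair differs only in trailing whitespace and adds noise to the diff, and the PsLoggedOn dependency link points at the `de-de` locale of docs.microsoft.com; the locale-neutral `https://docs.microsoft.com/sysinternals/downloads/psloggedon` would serve all readers.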