Memory forensics is becoming an essential part of digital forensics and incident response. Memory holds plenty of information useful to incident handlers, such as open files, network connections, encryption keys, active logins, registry data and running malware. When a system is believed to have been compromised or infected, the investigator needs a convenient way to take a snapshot of the host's memory. DumpIt is a one-click Windows memory acquisition tool and is part of the free Comae Memory Toolkit.
It is a fusion of two trusted tools, win32dd and win64dd, combined into one executable that can be handed to a non-technical user on a removable USB drive. That person simply needs to double-click the DumpIt executable and allow the tool to run. It will then take a snapshot of the host's physical memory and save it to the folder where the DumpIt executable is located.
DumpIt provides a convenient way of obtaining a memory image of a Windows system even when the investigator is not physically sitting in front of the target computer. It is so easy to use that even a novice user can do it. It is not appropriate for every scenario, but it will definitely make memory acquisition easier in many situations.
Memory acquisition can be performed with these simple steps:
- Insert the USB drive.
- Double-click DumpIt.exe.
- Type "y" to start processing.
- After a few minutes the image will be ready on the USB drive, named computer name-date-time.raw, as you can see in the image below.
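Once the .raw file is on the USB drive, the next thing an incident handler wants is an integrity record for it, so the image can later be shown to be the same bytes that were acquired. The script below is an added example, not part of the original post or of the Comae toolkit: it parses the hostname and timestamp out of a DumpIt-style filename (the exact `COMPUTERNAME-YYYYMMDD-HHMMSS.raw` layout is an assumption based on the "computer name-date-time.raw" description above), computes the SHA-256 of the image, writes a small JSON manifest, and re-verifies the image against that manifest. The `demo()` function builds a constructed sample file in a temporary directory rather than touching a real dump.

```python
"""Post-acquisition integrity record for a DumpIt-style .raw memory image.

Added example for this post; not DumpIt's or Comae's own code.
"""
import hashlib
import json
import os
import re
import tempfile
from datetime import datetime

# Assumed naming convention: <COMPUTERNAME>-<YYYYMMDD>-<HHMMSS>.raw
# (the post only says "computer name-date-time.raw").
DUMP_NAME_RE = re.compile(r"^(?P<host>.+)-(?P<date>\d{8})-(?P<time>\d{6})\.raw$")


def parse_dump_name(filename):
    """Return {'host', 'acquired_at'} from the image filename, or None if it
    does not follow the assumed DumpIt pattern."""
    match = DUMP_NAME_RE.match(os.path.basename(filename))
    if not match:
        return None
    stamp = datetime.strptime(match["date"] + match["time"], "%Y%m%d%H%M%S")
    return {"host": match["host"], "acquired_at": stamp.isoformat()}


def sha256_file(path, chunk_size=1 << 20):
    """Hash the image in 1 MiB chunks; a physical-memory dump is usually
    several GiB, so never read it into memory in one go."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(dump_path, examiner="<examiner name placeholder>"):
    """Build the chain-of-custody record for one acquired image."""
    meta = parse_dump_name(dump_path)
    if meta is None:
        raise ValueError("filename does not match the assumed DumpIt pattern")
    manifest = {
        "image": os.path.basename(dump_path),
        "tool": "DumpIt (Comae Memory Toolkit)",
        "host": meta["host"],
        "acquired_at": meta["acquired_at"],
        "size_bytes": os.path.getsize(dump_path),
        "sha256": sha256_file(dump_path),
        "examiner": examiner,
    }
    with open(dump_path + ".manifest.json", "w", encoding="utf-8") as out:
        json.dump(manifest, out, indent=2)
    return manifest


def verify_manifest(dump_path, manifest):
    """True only if both size and SHA-256 still match the recorded values."""
    if os.path.getsize(dump_path) != manifest["size_bytes"]:
        return False
    return sha256_file(dump_path) == manifest["sha256"]


def demo():
    """Constructed sample: a tiny fake image, hashed, then altered in place to
    show that verification fails afterwards. Returns (manifest, before, after)."""
    with tempfile.TemporaryDirectory() as workdir:
        path = os.path.join(workdir, "WORKSTATION01-20230115-134502.raw")
        with open(path, "wb") as fake:
            # Constructed bytes, not real memory contents.
            fake.write(b"\x00" * 4096 + b"constructed sample image")
        manifest = build_manifest(path)
        ok_before = verify_manifest(path, manifest)
        # Flip one byte to simulate the image being altered after acquisition.
        with open(path, "r+b") as fake:
            fake.seek(10)
            fake.write(b"\xff")
        ok_after = verify_manifest(path, manifest)
    return manifest, ok_before, ok_after


if __name__ == "__main__":
    record, before, after = demo()
    print(json.dumps(record, indent=2))
    print("verified before tamper:", before, "| after tamper:", after)
```

Run the script as-is to see the demo, or call `build_manifest(r"E:\WORKSTATION01-20230115-134502.raw")` against the USB drive right after DumpIt finishes and keep the resulting `.manifest.json` alongside the image; the size check is cheap and catches truncated copies before the full hash is computed.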
In the next post, we will discuss analysis of the .raw dump with different tools such as WinHex, Dart etc.