WINPMEM - MEMORY ACQUISITION TOOL
WinPmem is a memory acquisition tool which will further used in digital forensics investigation. Operation system memory acquisition is the first set when incident handler will be looking to analyse a system artefact. WinPmem by default will use AFF4 to store the memory image. AFF4 is an advanced, open forensic imaging format. WinPmem is an open source memory acquisition tool from Rekall Forensics. It’s one of the most well-known memory acquisition tools worldwide and runs on every operating system.
Analyzing system memory is very critical to the investigation process due to the information that are usually available in this part of the system. The memory footprint may include processes loaded, Network connections to remote and local system and DLLs in use.
A memory dump is the process of taking all the information contained in RAM at a particular moment and writing it to storage. It’s an important part of the incident response and forensic investigation.
In this write-up using Windows, will show you how to create a memory dump with WinPmem and view the information with Volatility.
WinPmem can extract a live memory dump from a Windows machine using removable media as the program requires no installation to run. In a real-world environment, this memory dump would then be assessed on a Linux machine using Volatility.
STEPS T CREATE MEMORY DUMP
There are three steps involved to create memory dump, I will be demonstration would be to create a memory dump but for more details for the tolls on WinPmem here.
STEP 1: CAPTURE MEMORY DUMP
Using the below command, we can need to capture the memory.
./WinPmem-2.1.exe -o winmem.aff4
The -o option is to output a file to write to, while outputting to .aff4 is the default storage file captured by WinPmem. The aff4 file format stores files in containers, two of which are supported by WinPmem: ZipFile style and Directory style. If you capture the data in a .raw format, the file will act similarly to a ZipFile style but will not be able to be extracted or viewed in Volatility as required.
STEP 2: INSPECT THE CAPTURED DUMP
Once you’ve captured the memory dump you need to determine the name of the stream to export. To find this information run the following command:
./WinPmem-2.1.exe -V winmem.aff4
There is a section in the information that states the category memory. You’ll need this information as it appears in the heading at the end of the file name in order to extract the capture.
STEP 3: EXTRACT THE CAPTURE
Now it’s time to extract the data stream to be read with Volatility. Run the below command to output the .aff4 file to .raw.
WinPmem-2.1.exe --export PhysicalMemory --output winmem.raw winmem.aff4
With last final steps raw image is ready for further analysis. This can be used to give input for volatility and other digital forensic tools. To check if this file is valid we can run simple image info command from volatility to verify he image type.
python.exe .\volatility-master\vol.py -f winmem.raw imageinfo
The above command validates previously generated raw file matching with Windows OS this information can be leveraged to set profile.
The first step is figuring out what it is your requirement first. Adapting a good business partner with proper tools will makes fulfillment in usage. Think about all the past and take the ideas are better suited, CDA IT SOLUTIONS has vast technical and clients handling experience in vulnerability management services, asset security and protection services.