WinPmem - Memory Acquisition Tool

Blog post

WINPMEM - MEMORY ACQUISITION TOOL

  • CDA IT Solutions

WinPmem is a memory acquisition tool which will further used in digital forensics investigation. Operation system memory acquisition is the first set when incident handler will be looking to analyse a system artefact. WinPmem by default will use AFF4 to store the memory image. AFF4 is an advanced, open forensic imaging format. WinPmem is an open source memory acquisition tool from Rekall Forensics. It’s one of the most well-known memory acquisition tools worldwide and runs on every operating system.

Analyzing system memory is very critical to the investigation process due to the information that are usually available in this part of the system. The memory footprint may include processes loaded, Network connections to remote and local system and DLLs in use.

A memory dump is the process of taking all the information contained in RAM at a particular moment and writing it to storage. It’s an important part of the incident response and forensic investigation.

In this write-up using Windows, will show you how to create a memory dump with WinPmem and view the information with Volatility.

WinPmem can extract a live memory dump from a Windows machine using removable media as the program requires no installation to run. In a real-world environment, this memory dump would then be assessed on a Linux machine using Volatility.

Vinodkumar Domatoti

STEPS T CREATE MEMORY DUMP

There are three steps involved to create memory dump, I will be demonstration would be to create a memory dump but for more details for the tolls on WinPmem here.

WinPmem
STEP 1: CAPTURE MEMORY DUMP

Using the below command, we can need to capture the memory.

./WinPmem-2.1.exe -o winmem.aff4

The -o option is to output a file to write to, while outputting to .aff4 is the default storage file captured by WinPmem. The aff4 file format stores files in containers, two of which are supported by WinPmem: ZipFile style and Directory style. If you capture the data in a .raw format, the file will act similarly to a ZipFile style but will not be able to be extracted or viewed in Volatility as required.

STEP 2: INSPECT THE CAPTURED DUMP

Once you’ve captured the memory dump you need to determine the name of the stream to export. To find this information run the following command:

./WinPmem-2.1.exe -V winmem.aff4

There is a section in the information that states the category memory. You’ll need this information as it appears in the heading at the end of the file name in order to extract the capture.

winpmem-bg
STEP 3: EXTRACT THE CAPTURE

Now it’s time to extract the data stream to be read with Volatility. Run the below command to output the .aff4 file to .raw.

WinPmem-2.1.exe --export PhysicalMemory --output winmem.raw winmem.aff4

With last final steps raw image is ready for further analysis. This can be used to give input for volatility and other digital forensic tools. To check if this file is valid we can run simple image info command from volatility to verify he image type.

python.exe .\volatility-master\vol.py -f winmem.raw imageinfo

acquisition

The above command validates previously generated raw file matching with Windows OS this information can be leveraged to set profile.


Conclusion:

The first step is figuring out what it is your requirement first. Adapting a good business partner with proper tools will makes fulfillment in usage. Think about all the past and take the ideas are better suited, CDA IT SOLUTIONS has vast technical and clients handling experience in vulnerability management services, asset security and protection services.

Comments(1)

  1. profile-pic

    Sudharshan Reddy

    February 10, 2021

    very interesting , good job and thanks for sharing such a good information

Leave a Reply

latest articles

blog-1

Best way to deal with negative reviews online

The impact of Negative online reviews can affect and challenge your business. The expanding popularity of social media and websites review implies organizations should be more aware than any time in recent of what customers are saying about them online.

blog-3

WINPMEM - MEMORY ACQUISITION TOOL

WinPmem is a memory acquisition tool which will further used in digital forensics investigation. Operation system memory acquisition is the first set when incident handler will be looking to analyse a system artefact.