WinPmem – Memory Acquisition Tool

Acquiring the operating system's memory is the first step an incident handler takes when looking to analyze system artifacts. One useful tool for acquiring operating-system memory is WinPmem.

Analyzing system memory is critical to the investigation process because of the information that is usually available in this part of the system. The memory footprint may include loaded processes, network connections to remote and local systems, and DLLs in use.


WinPmem has the following features:

  • Supports all Windows versions from WinXP SP2 to Windows 10 in both i386 and amd64 flavours.
  • Output formats include:
    • Raw memory images.
    • ELF Core dump files for use in Rekall.
    • Output to stdout (in both the above formats) for piping through other tools (e.g. ssh, ewfacquirestream etc.).
  • Memory acquisition using:
    • MmMapIoSpace method.
    • \Device\PhysicalMemory and ZwMapViewOfSection method.
    • PTE Remapping technique (default).
  • Direct analysis of the running kernel using Rekall (live memory analysis).
  • Optional write support for manipulating kernel data structures from Rekall.

Memory acquisition can be performed onto an external USB drive connected to the compromised system, or onto shared cloud storage where you keep all the data collected from the affected system.
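The following is an added example, not code from the original post or from the WinPmem project: a PowerShell wrapper that acquires memory to the USB drive described above, then hashes and logs the image so its integrity can be shown later. It assumes the WinPmem executable sits on the drive as `winpmem.exe` and takes the output file as its only argument (as the "mini" builds do); adjust the invocation for the release you use.

```powershell
# Added example (not from the original post or the WinPmem project).
# Assumptions: the WinPmem binary is on the USB drive as winpmem.exe and
# accepts the output path as its only argument. Run from an elevated prompt.
param(
    [string]$Drive = "E:",                  # external USB drive letter (assumed)
    [string]$Tool  = "$Drive\winpmem.exe"   # assumed binary name and location
)

$ErrorActionPreference = "Stop"

# 1. Sanity checks: the tool exists and the drive has room for a full image.
if (-not (Test-Path $Tool)) { throw "Acquisition tool not found at $Tool" }
$physMem = (Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory
$free    = (Get-PSDrive -Name $Drive.TrimEnd(':')).Free
if ($free -lt $physMem) {
    throw ("Not enough free space: need {0:N0} bytes, have {1:N0}" -f $physMem, $free)
}

# 2. Name the image after host and UTC time so images from several systems never collide.
$stamp = (Get-Date).ToUniversalTime().ToString("yyyyMMddTHHmmssZ")
$image = "$Drive\{0}_{1}.raw" -f $env:COMPUTERNAME, $stamp

# 3. Run the acquisition and stop if the tool reports failure.
& $Tool $image
if ($LASTEXITCODE -ne 0) { throw "WinPmem exited with code $LASTEXITCODE" }

# 4. Hash the image immediately so later analysis can prove it was not altered.
$hash = (Get-FileHash -Path $image -Algorithm SHA256).Hash

# 5. Write a small acquisition record next to the image for chain of custody.
$record = [pscustomobject]@{
    Host        = $env:COMPUTERNAME
    AcquiredUtc = $stamp
    Operator    = $env:USERNAME
    Tool        = $Tool
    Image       = $image
    SizeBytes   = (Get-Item $image).Length
    SHA256      = $hash
}
$record | ConvertTo-Json | Set-Content -Path "$image.json"
$record
```

Re-run Get-FileHash on the copy you hand to analysts and compare it with the recorded SHA256 before trusting the image.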

WinPmem can be used to dump memory from Windows, Linux or macOS operating systems. You can read more about and download this tool here: https://github.com/google/rekall/releases
