Memory Acquisition

It is increasingly unlikely that a full memory image needs to be requested; system files can be used instead:

Live machine:

WinPMEM
MagnetRamCapture
Belkasoft-LiveRamCapture
F-Response

Dead / imaged machine:

# Hibernation files: 
%SystemDrive%\hiberfil.sys

# Page and swap Files:
%SystemDrive%\pagefile.sys
%SystemDrive%\swapfile.sys

# Kernel-Mode dump file:
%SystemRoot%\MEMORY.dmp
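
The following is an added example, not part of the original notes: a read-only inventory of the files listed above on a mounted image, recording size, SHA-256 and header signature. It assumes %SystemDrive% is the mount root and %SystemRoot% is `Windows` beneath it; the function names and the signature table are this example's own.

```python
import hashlib
import sys
from pathlib import Path

# Artifacts listed above, relative to the mounted volume root. Assumption:
# %SystemDrive% is the mount root and %SystemRoot% is <root>/Windows.
ARTIFACTS = ["hiberfil.sys", "pagefile.sys", "swapfile.sys", "Windows/MEMORY.dmp"]

# Header signatures used to sanity-check a hit; page and swap files have none.
MAGICS = {b"PAGEDUMP": "crash dump (32-bit)", b"PAGEDU64": "crash dump (64-bit)",
          b"hibr": "hibernation file", b"HIBR": "hibernation file",
          b"wake": "hibernation file", b"RSTR": "hibernation file"}

def resolve_nocase(root, rel):
    """Resolve rel under root ignoring case (NTFS names on a case-sensitive mount)."""
    cur = Path(root)
    for part in rel.split("/"):
        hits = [c for c in cur.iterdir() if c.name.lower() == part.lower()] if cur.is_dir() else []
        if not hits:
            return None
        cur = hits[0]
    return cur

def classify_header(head):
    """Map the first bytes of a file to a label from MAGICS."""
    for magic, label in MAGICS.items():
        if head.startswith(magic):
            return label
    return "zeroed header" if head and not any(head) else "no known signature"

def inventory(mount_root):
    """Return one record per artifact: found flag, path, size, header kind, SHA-256."""
    records = []
    for rel in ARTIFACTS:
        path = resolve_nocase(mount_root, rel)
        if path is None or not path.is_file():
            records.append({"artifact": rel, "found": False})
            continue
        digest, head = hashlib.sha256(), b""
        with path.open("rb") as fh:  # read-only, streamed: these files are multi-GB
            for chunk in iter(lambda: fh.read(1 << 20), b""):
                head = head or chunk[:8]
                digest.update(chunk)
        records.append({"artifact": rel, "found": True, "path": str(path),
                        "size": path.stat().st_size, "kind": classify_header(head),
                        "sha256": digest.hexdigest()})
    return records

if __name__ == "__main__":
    for rec in inventory(sys.argv[1]):  # argument: mount point of the image
        print(rec)
```

A "no known signature" result is expected for pagefile.sys and swapfile.sys; for hiberfil.sys or MEMORY.dmp it means the file needs a closer look before being handed to a memory analysis tool.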
