Memory Acquisition

More and more unlikely to need to request full memory image - instead we can use system fileS:

Live machine:

WinPMEM MagnetRamCapture Belkasoft-LiveRamCapture F-Response

Dead / imaged machine:

# Hibernation files: 
%SystemDrive%\hiberfil.sys

# Page and swap Files:
%SystemDrive%\pagefile.sys
%SystemDrive%\swapfile.sys

# Kernel-Mode dump file:
%SystemRoot%\MEMORY.dmp

PreviousPersistence & Lateral movement NextBaseliner

Last updated 1 year ago