SBM Labs

Cyber Security Collaboration Project

Memory dump analysis. WinPmem.
29 Jul 2015

You can get much useful information from operated system memory dump analysis during incident investigation: list of running processes, alive network connections, registry entries and so on. We are going to review on of the ways how to get memory dump on the remote host.

1. Connection to remote host.

First of all we need to check status of "Remote Registry" service on the remote host. It must be started.

We will use "PsExec" tool in order to connect to remote host. It is included in PsTools package. Also we need account with administrative rights on the remote host.

>PsExec.exe \\hostname -u domain\username -h cmd

You should use argument "-h" for running "cmd" with account's elevated rights.

2. Obtain memory dump of operated system.

Let's copy WimPmem tool to remote host. We are going to obtain raw physical memory so we need to use WinPmem v.1.6.2.

>xcopy \\hostname\share\filename .

Then we will run "winpmem" in order to get memory dump.

>winpmem_1.6.2.exe physical_memory.raw

We will review how to analyze memory dump with volatility tool in the next article.

Memory dump analysis. Volatility.