Windows, Mac OSX and Linux Memory Dump How To

Dumping memory from an operating system can be complicated and is not built-in feature. You also have to keep in mind that memory dumps are a snapshot in time of what is in the memory. The memory is constantly changing every second so having the right tool can be the difference between getting the data you need and having it lost forever. There are various tools for each operating system to accomplish memory dumps. Some tools are easier to setup and use than others and some tools are portable apps. I have provided links at the bottom of this post to all the tools I cover within this post.

Windows Memory Dump

Method 1: Break Windows for Memory Dump Tool

Open run and enter “sysdm.cpl”
Select “Advance System Settings” on the left.
Select “Settings” under “Startup and recovery” section
Select “Complete memory dump” under “Write debugging information”
1. If “Complete memory dump is not an option please follow these steps.
2. Open run and enter “regedit”.
3. Go to HKEY_LOCAL_MAHCINE\SYSTEM\CurrentControlSet\Control\CrashControl.
4. In the right-hand panel double-click “CrashDumpEnabled” and set the value to “1”.
5. Reboot and follow steps 1 -4.
Must reboot computer for settings to take effect.
Now time to break windows, muhahahaha.
Quick dirty method
1. Open Powershell as Administrator.
2. Enter “get-process | stop-process -f”.
Better method
1. Open run and enter “regedit”.
2. Go to “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\i8042\Parameters”.
3. Create a new DWORD and enter “CrashOnCtrlScroll”.
4. Modify new DWORD and set value to “1”.
5. Reboot system
6. Now to crash your system by Holding “Ctrl” and pressing “Scroll Lock” twice.
Memory dump will be located in “C:\Windows\System32\MEMORY.DMP”.
The memory dumps from windows can be a lil buggy with volatility.

Method 2: Red Line Memory Dump Tool (Personal favorite)

Download the software, extract it, and install tool
Now keep in mind RedLine is meant to keep a low footprint meaning it creates a script to run from a USB drive. We are going to create to script and run it from the same machine.
Select “Create a Standard Collector”.
Select “Acquire memory image” at the top.
Enter a location to save the RedLine collector.
Open RedLine Collector folder and double-click “RunRedlineAudit”
The collection process takes close to 20-30mins. In a later post I will go in depth of the analysis part of the RedLine tool.

Method 3: Moonsol DumpIt Memory Dump Tool

Download the software and extract it.
Right-click “DumpIt” and select “Run as Administrator”
Enter “y” for the default path.
1. For 2GB capture it took roughly 5 secs.
Confirmation this software works with volatility.

Method 4: Belkasoft Memory Dump Tool

Download the software and extract it.
Right-click “RamCapture” and select “Run as Administrator”
Enter path to save memory dump in “Output path”
Select “Capture”
1. For 2GB capture it took roughly seconds to create a dump.
Confirmation this software works with volatility.

Screen Shot 2016-06-12 at 8.41.20 PM

Linux Memory Dump

Method 1: Lime kernel module

git clone https://github.com/504ensicsLabs/LiME.git
cd Lime/src
make
cd ~
sudo insmod ./LiME/src/lime.ko “path=<output of dump> format=lime [dio=0|1]”
1. path the output file for the memory dump
2. format is the type of dump
  1. raw – concatenates all System RAM ranges
  2. padded – pads all non-System RAM ranges with 0s
  3. lime – each range prepended with fixed-size header containing address space info
3. dio
  1. 0 – default, do not attempt Direct IO
  2. 1 – attempt to enable Direct IO

Mac OSX Memory Dump

Download software and extract it.
Cd to directory with “osxpmem.app” binary
kextload osxpmem.app/MacPmem.kext
1. Had issues with El Captain make sure you have the latest build.
./osxpmem.app/osxpmem -o /tmp/<name of dump>.aff4

Tools

Windows – Belkasoft 64-bit

Windows – Belkasoft 32-bit

Windows – Moonsols DumpIt – Only place I could find it

Windows – Mandiant RedLine

Mac OSX – Mac OSX pmem

Linux – LiME Kernel Module