Analyzing Various Memory Capture Formats

In a world where there are so many choices for capturing memory and analyzing it, I felt there would be some benefit in compiling a list for quick reference.

FTK Imager
– Outputs to .mem
– Can be analyzed in Volatility
vol.py -f --profile=

VMWare (.vmem)
– .vmem and .vmss files are created when a VM is suspended
– Can be analyzed with Volatility (the .vmem and .vmss have to be in the same directory)
vol.py -f --profile=

DumpIt
– Outputs to .raw
– Can be analyzed in Volatility
vol.py -f --profile=

Hibernation file (hiberfil.sys)
– The file is created when a system is put into hibernation mode
– Located at the root of C:\
– The file needs to be converted before use. Volatility's imagecopy plugin converts it to a raw .img
vol.py imagecopy -f hiberfil.sys -O --profile=
– After conversion to .img, it can be analyzed in Redline or Volatility
vol.py -f --profile=

Mandiant Memoryze
– Outputs to .img
– Can be analyzed in Redline or Volatility
vol.py -f --profile=

Crash Dumps
– Extension will be .dmp
– Will be written to C:\Windows\Minidump or C:\Windows by default
– Dumps can be forced by adding a value named CrashOnCtrlScroll with a REG_DWORD value of 0x01 under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\kbdhid\Parameters. After rebooting the machine, hold down the rightmost CTRL key and press the SCROLL LOCK key twice
– Can be analyzed with Volatility
vol.py -f --profile=
– Can be analyzed in Redline but must be converted to .img first
vol.py imagecopy -f -O --profile=
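The list above maps each capture format to the Volatility command it needs, including the extra imagecopy step for hibernation files and for anything destined for Redline. The shell function below is an added example (not part of the original post, and not from the Volatility project) that encodes that mapping: given a capture file, a profile and a plugin, it prints the vol.py command line(s) to run, warning when a .vmem has no matching .vmss beside it. It assumes Volatility 2's vol.py syntax (the --profile= form used above), that the .vmss shares the .vmem's base name, and that pslist is an acceptable default plugin; all file paths in the usage lines are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: choose the Volatility 2 command line
# for a memory capture from its file extension, following the format list above.
# Assumptions: vol.py is on PATH, the caller supplies the --profile value, and a
# VMware .vmss carries the same base name as its .vmem.

# vol_cmd FILE PROFILE [PLUGIN]
# Prints the command(s) to run, one per line. Returns 1 for unknown formats.
vol_cmd() {
    file=$1; profile=$2; plugin=${3:-pslist}
    ext=$(printf '%s' "$file" | sed 's/.*\.//' | tr 'A-Z' 'a-z')
    base=$(printf '%s' "$file" | sed 's/\.[^.]*$//')
    case "$ext" in
        mem|raw|img|dmp)
            # FTK Imager (.mem), DumpIt (.raw), Memoryze (.img) and Windows
            # crash dumps (.dmp) are read by Volatility as-is.
            printf 'vol.py -f %s --profile=%s %s\n' "$file" "$profile" "$plugin"
            ;;
        vmem)
            # VMware: the .vmss from the same suspend must sit next to the .vmem.
            if [ ! -f "$base.vmss" ]; then
                printf 'warning: %s.vmss not found next to %s\n' "$base" "$file" >&2
            fi
            printf 'vol.py -f %s --profile=%s %s\n' "$file" "$profile" "$plugin"
            ;;
        sys)
            # hiberfil.sys: convert to a raw .img with imagecopy, then analyze
            # the .img (which Redline can also open).
            printf 'vol.py imagecopy -f %s -O %s.img --profile=%s\n' "$file" "$base" "$profile"
            printf 'vol.py -f %s.img --profile=%s %s\n' "$base" "$profile" "$plugin"
            ;;
        *)
            printf 'error: unrecognised capture format: %s\n' "$file" >&2
            return 1
            ;;
    esac
}

# redline_convert FILE PROFILE
# Prints the imagecopy command that turns a hibernation file or crash dump into
# the raw .img that Redline expects.
redline_convert() {
    file=$1; profile=$2
    base=$(printf '%s' "$file" | sed 's/\.[^.]*$//')
    printf 'vol.py imagecopy -f %s -O %s.img --profile=%s\n' "$file" "$base" "$profile"
}

# Usage (constructed paths; nothing is executed, the commands are only printed):
#   vol_cmd /evidence/capture.mem Win7SP1x64 pslist
#   vol_cmd /evidence/hiberfil.sys Win7SP1x64 pslist
#   redline_convert /evidence/MEMORY.DMP Win7SP1x64
```

The function only prints commands, so it can be dropped into a triage script and piped to sh once the profile has been confirmed with imageinfo; keeping the conversion step explicit also leaves the original capture untouched, which matters when the .img is what gets handed to Redline.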