From the course: Incident Response: Evidence Collection in Windows
Acquiring a memory image in Windows in DumpIt
- [Instructor] Another method you can use to capture the memory of your victim system is to use the program DumpIt. Now, DumpIt is one of the tools that I had you install as part of your Trusted Tools toolkit. To use it, simply go into your Trusted Tools folder, find the t_DumpIt program, which should be close to the bottom of your list, and double-click it. Once you do that, it'll ask if you want to allow this app to make changes to your device, which means, can you write information to this D drive, this USB drive? And we'll say "yes." At this point, you're going to go ahead and say yes to proceed with the acquisition. As you can see on the screen, our path is going to be going to the D drive, the Trusted Tools folder, which is where we launched DumpIt from, and then this filename, DESKTOP-QDHQKBU, and that is just the workstation name you're collecting, dash the date, which in this case is 1653, and then .dmp, which is the…
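The transcript covers launching DumpIt from the Trusted Tools folder on the USB drive and the hostname-date naming of the resulting .dmp file. What it does not show is the step an examiner takes right after the dump finishes: confirming the image is plausibly complete, hashing it, and recording the acquisition so the evidence can be defended later. The PowerShell below is an added example for that step; it is not code from the course or from DumpIt. It assumes the image landed in `D:\Trusted Tools` (the drive and folder mentioned in the transcript), that DumpIt named it `<COMPUTERNAME>-<timestamp>.dmp`, and that a log file on the same evidence drive is acceptable; the `D:` paths and the log filename are assumptions.

```powershell
# Added example (not from the course or from DumpIt): verify and log a
# freshly acquired memory image. Assumes DumpIt wrote <HOSTNAME>-<timestamp>.dmp
# into the Trusted Tools folder on the evidence USB drive.
param(
    [string]$ToolsFolder = 'D:\Trusted Tools',      # assumed evidence drive/folder
    [string]$LogPath     = 'D:\acquisition-log.txt' # assumed log location (same drive)
)

# DumpIt names the image after the workstation, so match on that prefix and
# take the newest file in case earlier attempts left images behind.
$pattern = "$($env:COMPUTERNAME)-*.dmp"
$dump = Get-ChildItem -Path $ToolsFolder -Filter $pattern -File |
        Sort-Object LastWriteTime -Descending |
        Select-Object -First 1

if (-not $dump) {
    throw "No memory image matching '$pattern' found in $ToolsFolder"
}

# Sanity check: a raw memory image should be roughly the size of physical RAM.
# A ratio well below 1.0 suggests the capture stopped early.
$ramBytes = (Get-CimInstance -ClassName Win32_ComputerSystem).TotalPhysicalMemory
$ratio    = [math]::Round($dump.Length / $ramBytes, 2)

# Hash the image immediately so later analysis can prove it was not altered.
$hash = Get-FileHash -Path $dump.FullName -Algorithm SHA256

$record = [ordered]@{
    Collected = (Get-Date).ToString('o')   # ISO 8601, includes local offset
    Host      = $env:COMPUTERNAME
    Examiner  = $env:USERNAME
    Image     = $dump.FullName
    SizeBytes = $dump.Length
    RamRatio  = $ratio
    SHA256    = $hash.Hash
}

# Append a single-line record to the acquisition log on the evidence drive,
# never to the victim's own disk.
($record.GetEnumerator() | ForEach-Object { "$($_.Key)=$($_.Value)" }) -join ' | ' |
    Add-Content -Path $LogPath -Encoding UTF8

# Echo the record so the examiner can copy it into the case notes.
$record
```

Run it from the evidence drive right after DumpIt exits; a `RamRatio` noticeably under 1.0 is the cue to repeat the capture before the system state changes further.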
Contents

- Evidence collection (2m 12s)
- Volatile and nonvolatile data (5m 45s)
- Acquiring a memory image in Windows (2m 24s)
- Acquiring a memory image in Windows in DumpIt (2m 8s)
- Using CryptCat and Tee (3m 51s)
- Collecting the date/time of the victim (2m 42s)
- Documenting the logged on users (1m 22s)
- Documenting open network connections (3m 11s)
- Documenting the running processes (2m 24s)
- Documenting any shared files (1m 11s)