From the course: Incident Response: Evidence Collection in Windows

Acquiring a memory image in Windows in DumpIt

- [Instructor] Another method you can use to capture the memory of your victim system is to use the program DumpIt. Now, DumpIt is one of the tools that I had you install as part of your Trusted Tools toolkit. To use it, simply go into your Trusted Tools folder, find the t_DumpIt program, which should be close to the bottom of your list, and double-click it. Once you do that, it'll ask if you want to allow this app to make changes to your device, which means, can you write information to this D drive, this USB drive? And we'll say "yes." At this point, you're going to go ahead and say yes to proceed with the acquisition. As you can see on the screen, our path is going to be going to the D drive, the Trusted Tools folder, which is where we launched DumpIt from, and then this filename, DESKTOP-QDHQKBU, and that is just the workstation name you're collecting, dash the date, which in this case is 1653, and then .dmp, which is the…
