Memory Dump Tools for Windows 7

Posted on 2012-08-23
Last Modified: 2012-08-26
Hi,

I'm looking for a tool that will create a memory dump of a machine's RAM. There are a few out there, but they don't seem to work on Windows 7.
Question by:pzkhan
5 Comments
LVL 13

Expert Comment

by:Xaelian
ID: 38323869
Do you want to create a memory dump of the entire system when it crashes?
Then perform the steps in this article:

http://www.symantec.com/business/support/index?page=content&id=HOWTO31321

Author Comment

by:pzkhan
ID: 38323876
No, more in real-time at will.
The idea behind this is that we know or suspect that a machine has been infected with malware and want to do a live memory dump and perform analysis on the memory.

The system has not crashed, it is still running.
LVL 13

Expert Comment

by:Xaelian
ID: 38323896
You can use VMMAP for a process memory dump. A total memory dump is not possible to create when you are working on your machine.

I think that this is what you want then. Otherwise, give some names of programs that can do it but not on Windows 7, so I can take a look at what you really mean.

http://technet.microsoft.com/en-in/sysinternals/dd535533%28en-us%29.aspx

Author Comment

by:pzkhan
ID: 38324539
At least on older versions of Windows, you can do a memory dump while the machine is still running. Tools such as Volatility are designed to perform the analysis. I used a tool called nigilant32 to create an "image" of the RAM while the machine is running on Windows XP.

I know that Windows 7 shut off some of the direct access paths to the RAM, but I would imagine that it's still possible through some way...
LVL 65

Accepted Solution

by:btan (earned 2000 total points)
ID: 38329454
Suggest you check out MoonSols Windows Memory Toolkit [1], but you probably need the Prof version later on. There is a "dumpit" [2] which is used to generate a physical memory dump of Windows machines. It works with both x86 (32-bit) and x64 (64-bit) machines.

[1] http://www.moonsols.com/windows-memory-toolkit/
[2] http://www.moonsols.com/wp-content/plugins/download-monitor/download.php?id=7

Another is memoryze [3] from Mandiant; the good thing is the output can be viewed using their audit viewer [4] as well.
[3] http://www.mandiant.com/resources/download/memoryze
[4] http://www.mandiant.com/resources/download/audit-viewer
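Whichever acquisition tool is used (DumpIt, Memoryze, or the nigilant32 image mentioned earlier in the thread), the first thing to do with a live dump is check that it is actually usable before feeding it to Volatility. The script below is an added example written for this thread; it is not code from any of the tools or posters above. It hashes the raw image for chain of custody, checks that the size is page-granular, measures how much of the image is zero pages (a mostly-zero image is the typical symptom of a tool that was denied access to physical memory, which is the Windows 7 problem the question describes), and counts PE headers at page boundaries as a quick sign that real Windows memory was captured. The 90% zero-page threshold and the "no PE headers" heuristic are assumptions chosen for illustration, and the sample image is constructed inline.

```python
# Added example for this thread (not code from DumpIt, Memoryze, Volatility or any poster):
# sanity-check a raw physical-memory image before spending analyst time on it.
import hashlib
import struct
from typing import Dict, Iterable, List

PAGE_SIZE = 4096                 # x86/x64 small-page size; raw dumps are page-granular
ZERO_PAGE = bytes(PAGE_SIZE)
ZERO_WARN_FRACTION = 0.90        # assumption: >90% zero pages means acquisition likely failed


def is_pe_header(page: bytes) -> bool:
    """True if the page begins with a DOS 'MZ' stub whose e_lfanew points at 'PE\\0\\0' inside the page."""
    if len(page) < 0x40 or page[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", page, 0x3C)[0]
    return e_lfanew + 4 <= len(page) and page[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def iter_pages(data: bytes) -> Iterable[bytes]:
    """Split an in-memory image into PAGE_SIZE slices (the last one may be short)."""
    for off in range(0, len(data), PAGE_SIZE):
        yield data[off:off + PAGE_SIZE]


def iter_file_pages(path: str, pages_per_read: int = 1024) -> Iterable[bytes]:
    """Stream a multi-gigabyte image from disk without loading it all at once."""
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(PAGE_SIZE * pages_per_read)
            if not chunk:
                return
            yield from iter_pages(chunk)


def triage(pages: Iterable[bytes]) -> Dict[str, object]:
    """Hash the image, check alignment, count zero pages and page-aligned PE headers."""
    digest = hashlib.sha256()
    size = page_count = zero_pages = pe_headers = 0
    for page in pages:
        digest.update(page)
        size += len(page)
        page_count += 1
        if page == ZERO_PAGE:
            zero_pages += 1
        elif is_pe_header(page):
            pe_headers += 1
    warnings: List[str] = []
    if size % PAGE_SIZE:
        warnings.append("size is not a multiple of the page size: truncated or partial dump?")
    if page_count and zero_pages / page_count > ZERO_WARN_FRACTION:
        warnings.append("mostly zero pages: tool may have been denied physical-memory access")
    if pe_headers == 0:
        warnings.append("no PE headers at page boundaries: unlikely to be a Windows memory image")
    return {
        "sha256": digest.hexdigest(),   # record this in the case notes before analysis
        "size": size,
        "pages": page_count,
        "zero_pages": zero_pages,
        "pe_headers": pe_headers,
        "warnings": warnings,
    }


def triage_bytes(data: bytes) -> Dict[str, object]:
    return triage(iter_pages(data))


def triage_file(path: str) -> Dict[str, object]:
    return triage(iter_file_pages(path))


def build_sample_image() -> bytes:
    """Constructed 16-page image: one fake PE header page, one data page, fourteen zero pages."""
    pe = bytearray(PAGE_SIZE)
    pe[:2] = b"MZ"
    struct.pack_into("<I", pe, 0x3C, 0x80)   # e_lfanew -> offset 0x80
    pe[0x80:0x84] = b"PE\x00\x00"
    data_page = bytes(range(256)) * (PAGE_SIZE // 256)
    return bytes(pe) + data_page + ZERO_PAGE * 14


if __name__ == "__main__":
    import sys
    report = triage_file(sys.argv[1]) if len(sys.argv) > 1 else triage_bytes(build_sample_image())
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it as `python triage_dump.py memory.raw` against a real image, or with no argument to see the constructed sample. Any warning means the image should be re-acquired rather than analysed: a truncated file or an image that is almost entirely zero pages will make Volatility fail to find the kernel, and time spent chasing that is wasted.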