Personally identifiable information contained in the C:\windows\MEMORY.DMP file

How much personally identifiable information is contained in the C:\windows\MEMORY.DMP file?

I would like to upload the C:\windows\MEMORY.DMP file for a Windows 10 computer that keeps blue screening, but first I need to know what personally identifiable information (such as user names, company names, product keys, etc.) is included within this file that will be viewable by those who analyze it?

IT Guy (Network Engineer) asked:
Gary Patterson (VP Technology / Senior Consultant) commented:
@John Hurst:  You might find some of these tools interesting:  http://www.forensicswiki.org/wiki/Tools:Memory_Analysis
0
 
Shahnawaz Ahmed (Technical Services Specialist) commented:
Hi,

A complete memory dump contains machine information and whatever was running at the time of the crash. User name, yes, it will be there, but I have never seen it contain a password. Also the applications running and being executed in memory. No product key, but domain name, computer name and user name can be found.
0
 
John (Business Consultant, Owner) commented:
No. I just took a random DMP (from here) and opened it with UltraEdit in HEX mode. Folder names and Windows OS details but no personally identifiable information. Its purpose is to record crash details and not personal stuff.
0
 
Lee W, MVP (Technology and Business Process Advisor) commented:
A memory dump could contain anything - it's whatever is in memory.  Have notepad open with a list of users?  Excel?  On a web page with your product key displayed?  Full and Mini dumps vary but unless you're an expert debugger that's looked at thousands of dumps, I wouldn't be making conclusive statements about what is and is not in a dump.
1
 
Gary Patterson (VP Technology / Senior Consultant) commented:
I agree with Lee W:  

Dump can contain virtually anything, depending on what programs are in use at the time, or were recently in use.  

In forensic exams of systems, I've seen user IDs, passwords, URLs, hashed passwords, user names, social security numbers, company names, HIPAA-PHI, PCI-PII, encoded strings - all sorts of confidential information (CI). A dump can also contain images and partial images containing CI, documents and partial documents containing CI, and more - much of which is binary data that would not be evident on casual inspection in an editor, but is easily recoverable using appropriate tools.

It is never safe to provide a dump like this from a production system that contains CI to an un-trusted 3rd party.  Either engage a trusted 3rd party, or reproduce the problem on a "clean" machine that doesn't contain real data and submit that "clean" dump to the untrusted vendor.
0
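The two answers above (Lee W's "a dump is whatever was in memory" and Gary Patterson's "not evident on casual inspection, but easily recoverable with tools") can be checked directly. The script below is an added example, not code posted by anyone in this thread. It sweeps a dump for printable runs in two encodings and tags the ones that look like credentials or PII. The security-relevant detail it demonstrates: most text a Windows process keeps (user names, paths, form fields, .NET strings) is UTF-16LE, so an ASCII-only search, which is effectively what a hex editor's text pane or a plain `strings` run gives you, misses it entirely. The sample "dump", the user name, password, SSN and e-mail address, and the pattern names are all constructed for illustration.

```python
"""Sweep a crash dump for text a casual hex-editor look would miss.

Added example, not from anyone on this thread. The sample dump and every
string and pattern in it are constructed; adjust PII_PATTERNS to your data.
"""
import mmap
import re
import sys
from typing import Dict, List, Tuple

# Constructed strings, embedded the way process memory usually holds them:
# narrow (ANSI/UTF-8) API strings as plain bytes, wide strings as UTF-16LE.
ASCII_ITEMS = [b"ProductName=Windows 10 Pro", b"jdoe@example.com", b"NOT_A_SECRET"]
UTF16_ITEMS = ["CORP\\jdoe", "password=Hunter2!", "SSN 123-45-6789"]

# Loose credential/PII indicators (hypothetical labels; tune for your own data).
PII_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "ssn_like": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "credential": re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[=:]\s*\S+"),
    "domain_user": re.compile(r"\b[A-Z][A-Z0-9-]+\\[\w.-]+"),
}


def build_sample_dump() -> bytes:
    """Constructed stand-in for MEMORY.DMP: non-text filler around the strings."""
    filler = bytes(b for b in range(256) if not 0x20 <= b <= 0x7E) * 2
    out = bytearray()
    for i, item in enumerate(ASCII_ITEMS):
        out += filler[: 37 + i] + item + b"\x00"
    for i, item in enumerate(UTF16_ITEMS):
        out += filler[: 53 + i] + item.encode("utf-16-le") + b"\x00\x00"
    return bytes(out + filler)


def extract_strings(data, min_len: int = 6) -> Dict[str, List[str]]:
    """Return printable runs found as ASCII and as UTF-16LE (char, NUL pairs)."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return {
        "ascii": [m.group().decode("ascii") for m in ascii_re.finditer(data)],
        "utf16le": [m.group().decode("utf-16-le") for m in utf16_re.finditer(data)],
    }


def find_sensitive(strings: Dict[str, List[str]]) -> List[Tuple[str, str, str]]:
    """Tag (pattern, encoding, string) for every string matching a PII pattern."""
    hits = []
    for encoding, items in strings.items():
        for s in items:
            for label, pat in PII_PATTERNS.items():
                if pat.search(s):
                    hits.append((label, encoding, s))
    return hits


def scan_file(path: str) -> List[Tuple[str, str, str]]:
    """Scan a real dump without loading it all; re works directly on an mmap."""
    with open(path, "rb") as f, mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as mm:
        return find_sensitive(extract_strings(mm))


if __name__ == "__main__":
    # With a path argument, scan that dump; otherwise scan the constructed sample.
    if len(sys.argv) > 1:
        hits = scan_file(sys.argv[1])
    else:
        hits = find_sensitive(extract_strings(build_sample_dump()))
    for label, encoding, s in hits:
        print(f"{label:12} {encoding:8} {s}")
```

Run with no arguments to see the point on the constructed sample: the ASCII sweep finds only the e-mail address, while the domain user, the `password=` string and the SSN show up only in the UTF-16LE sweep. Run with `C:\Windows\MEMORY.DMP` as the argument to check a real dump before sharing it; treat a clean result as necessary but not sufficient, since this is a string sweep only, and the image fragments and partial documents Gary Patterson mentions need the dedicated memory-analysis tools he links to.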
 
John (Business Consultant, Owner) commented:
While I agree it is possible:

(a) I have not seen any looking at several posted DMP files.
(b) It would be remarkably hard to find because the data uses all 8 bits of a byte, meaning a HEX editor cannot make any sense of it.

People post DMP files here all the time for years and I have not seen any outcome from that.
0