Make a live memory dump to analyze it

This section explains how to make a memory dump on Windows and Linux.

Make a memory dump on Windows

With DumpIt (you can find it here):

$ DumpIt.exe

Then, you can analyse the result with Volatility.

Make a memory dump on Linux

$ git clone https://github.com/504ensicsLabs/LiME
$ cd LiME/src
$ make
$ cd ~
$ sudo insmod ./LiME/src/lime-XXX.ko path=./mem.dmp format=lime
$ ls
LiME	mem.dmp

Then, you can analyse the result with Volatility. Do not forget to determine the correct profile for the dumped kernel first.
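The steps above are easy to get wrong under pressure (wrong module for the running kernel, a dump that is later modified and can no longer be trusted). The script below is an added example, not code from the original post or from the LiME project: it wraps the acquisition steps and records a sidecar manifest (SHA-256, size, kernel release, timestamp) so the dump can be verified before it is handed to Volatility. It assumes LiME has already been built in `./LiME/src`, that the built module is named `lime-<kernel release>.ko` (which is how LiME's Makefile names it), and that `sha256sum` or `shasum` is installed. The function names (`lime_module_path`, `write_manifest`, `verify_manifest`, `acquire_memory`) are mine.

```shell
#!/bin/sh
# Added example, not part of the original post or of LiME.
# Assumes: LiME built in ./LiME/src, module named lime-<uname -r>.ko,
# and sha256sum (or shasum -a 256) available on the acquiring host.

# Print the SHA-256 of a file, using whichever hashing tool is present.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Path of the LiME module that matches the running kernel.
# $1 = directory holding the built module (default ./LiME/src).
lime_module_path() {
    printf '%s/lime-%s.ko\n' "${1:-./LiME/src}" "$(uname -r)"
}

# Write <dump>.manifest next to the dump and print the manifest path.
# The manifest is what you hand over with the image for chain of custody.
write_manifest() {
    dump="$1"
    manifest="${dump}.manifest"
    {
        printf 'file=%s\n' "$dump"
        printf 'sha256=%s\n' "$(sha256_of "$dump")"
        printf 'bytes=%s\n' "$(wc -c < "$dump" | tr -d ' ')"
        printf 'kernel=%s\n' "$(uname -r)"
        printf 'acquired_utc=%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)"
    } > "$manifest"
    printf '%s\n' "$manifest"
}

# Re-hash a dump and compare with its manifest. Returns 0 only if intact,
# so it can be used as a gate before analysis: verify_manifest mem.dmp && ...
verify_manifest() {
    dump="$1"
    expected=$(sed -n 's/^sha256=//p' "${dump}.manifest")
    actual=$(sha256_of "$dump")
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# Acquire memory with LiME into $1 (default ./mem.dmp) and write the manifest.
# Needs root. insmod fails if the module was built for a different kernel,
# which is the usual cause of "lime-XXX.ko" not loading.
acquire_memory() {
    out="${1:-./mem.dmp}"
    mod=$(lime_module_path)
    [ -f "$mod" ] || { echo "module not found: $mod (run make in LiME/src)" >&2; return 1; }
    sudo insmod "$mod" "path=$out" format=lime || return 1
    # Unload the module if it is still loaded so the acquisition can be repeated.
    sudo rmmod lime 2>/dev/null || true
    write_manifest "$out"
}

# Typical use on the target host:
#   acquire_memory ./mem.dmp        # writes mem.dmp and mem.dmp.manifest
#   verify_manifest ./mem.dmp       # run again on the analysis box before Volatility
```

Keep the manifest and the dump on separate media when you can: the hash is only useful as evidence of integrity if an attacker who can alter the dump cannot also rewrite the manifest.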

Written on June 3, 2020