WinPmem

WinPmem can be deployed on remote systems through native applications such as Remote Desktop or PSExec. Once installed on the remote system, the WinPmem output can be piped to another system utilizing NetCat. For example, suppose that the incident response analyst is utilizing a system located at 192.168.0.56. If the analyst is able to access the compromised host via PSExec or RDS, they can establish a NetCat connection back to their machine by utilizing the following command:

C:/winpmem-2.1.exe - | nc 192.168.0.56 4455

The preceding command tells the system to perform the capture and send the output via NetCat to the incident response analyst workstation over port 4455. The drawback of this technique is that it requires access to the command prompt, as well as the installation of both NetCat and WinPmem. This may not be the best option if the incident response analyst is dealing with a system that is already suspected of being compromised.
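The receiving end of this transfer, as an added example that is not part of the original text: a listener for the analyst workstation that streams the incoming capture to disk and hashes it as it arrives, so the image has a recorded size and SHA-256 from the moment of acquisition. The function names, the optional sender check and the output file name are assumptions; port 4455 is the one used in the command above.

```python
import hashlib
import socket
import sys

CHUNK = 1 << 20  # read up to 1 MiB per recv() so multi-GB images never sit in RAM


def open_listener(host, port):
    """Bind a TCP listener; port 4455 matches the nc command in the text."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(1)
    return srv


def receive_image(srv, out_path, expected_peer=None):
    """Accept one connection, stream it to out_path, return (peer_ip, size, sha256)."""
    conn, (peer_ip, _) = srv.accept()
    with conn:
        # Refuse data from any host other than the one being acquired.
        if expected_peer and peer_ip != expected_peer:
            raise ConnectionError(f"unexpected sender {peer_ip}")
        digest = hashlib.sha256()
        size = 0
        with open(out_path, "wb") as out:
            while True:
                chunk = conn.recv(CHUNK)
                if not chunk:  # sender closed the socket: end of stream
                    break
                out.write(chunk)
                digest.update(chunk)
                size += len(chunk)
    return peer_ip, size, digest.hexdigest()


if __name__ == "__main__":
    # Hypothetical usage: python recv_image.py memory.raw [sender_ip]
    out_file = sys.argv[1]
    sender = sys.argv[2] if len(sys.argv) > 2 else None
    with open_listener("0.0.0.0", 4455) as listener:
        ip, n, sha = receive_image(listener, out_file, sender)
    if n == 0:
        sys.exit(f"{ip} connected but sent no data; capture failed")
    print(f"{ip} sent {n} bytes, sha256={sha} -> {out_file}")
```

The digest records what arrived at the workstation. Plain NetCat neither encrypts nor authenticates the stream, so the hash does not prove what left the host.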
