2.1 Memory Acquisition Using DumpIt

DumpIt is an excellent memory acquisition tool that allows you to dump physical memory on Windows. It supports the acquisition of both 32-bit (x86) and 64-bit (x64) machines. DumpIt is part of a toolkit called the Comae memory toolkit, which consists of various standalone tools that assist with memory acquisition and conversion between different file formats. To download the latest copy of the Comae memory toolkit, you need to create an account by registering on https://my.comae.io. Once the account is created, you can log in and download the latest copy of the Comae memory toolkit.

After downloading the Comae toolkit, extract the archive, and navigate to the 32-bit or 64-bit directory, depending on whether you want to dump the memory of a 32-bit or 64-bit machine. The directory consists of various files, including DumpIt.exe. In this section, we will mainly focus on how to use DumpIt to dump the memory. If you are interested in understanding the functionality of other tools in the directory, read the readme.txt file.

The easiest method to acquire memory using DumpIt is to right-click on the DumpIt.exe file and select Run as administrator. By default, DumpIt dumps the memory to a file as a Microsoft Crash Dump (with a .dmp extension), which can then be analyzed with memory analysis tools such as Volatility (which will be covered next) or by using a Microsoft debugger such as WinDbg.

You can also run DumpIt from the command line; this provides you with multiple options. To display different options, run cmd.exe as an Administrator, navigate to the directory containing DumpIt.exe, and type the following command:

C:\Comae-Toolkit-3.0.20180307.1\x64>DumpIt.exe /?
DumpIt 3.0.20180307.1
Copyright (C) 2007 - 2017, Matthieu Suiche <http://www.msuiche.net>
Copyright (C) 2012 - 2014, MoonSols Limited <http://www.moonsols.com>
Copyright (C) 2015 - 2017, Comae Technologies FZE <http://www.comae.io>

Usage: DumpIt [Options] /OUTPUT <FILENAME>

Description:
Enables users to create a snapshot of the physical memory as a local file.

Options:
/TYPE, /T Select type of memory dump (e.g. RAW or DMP) [default: DMP]
/OUTPUT, /O Output file to be created. (optional)
/QUIET, /Q Do not ask any questions. Proceed directly.
/NOLYTICS, /N Do not send any usage analytics information to Comae Technologies. This is used to improve our services.
/NOJSON, /J Do not save a .json file containing metadata. Metadata are the basic information you will need for the analysis.
/LIVEKD, /L Enables live kernel debugging session.
/COMPRESS, /R Compresses memory dump file.
/APP, /A Specifies filename or complete path of debugger image to execute.
/CMDLINE, /C Specifies debugger command-line options.
/DRIVERNAME, /D Specifies the name of the installed device driver image.

To acquire the memory as a Microsoft Crash Dump from the command line and save the output to a file name of your choice, use the /o or /OUTPUT option, as follows:

C:\Comae-Toolkit-3.0.20180307.1\x64>DumpIt.exe /o memory.dmp

DumpIt 3.0.20180307.1
Copyright (C) 2007 - 2017, Matthieu Suiche <http://www.msuiche.net>
Copyright (C) 2012 - 2014, MoonSols Limited <http://www.moonsols.com>
Copyright (C) 2015 - 2017, Comae Technologies FZE <http://www.comae.io>

Destination path: \??\C:\Comae-Toolkit-3.0.20180307.1\x64\memory.dmp

Computer name: PC

--> Proceed with the acquisition ? [y/n] y

[+] Information:
Dump Type: Microsoft Crash Dump

[+] Machine Information:
Windows version: 6.1.7601
MachineId: A98B4D56-9677-C6E4-03F5-902A1D102EED
TimeStamp: 131666114153429014
Cr3: 0x187000
KdDebuggerData: 0xfffff80002c460a0
Current date/time: [2018-03-27 (YYYY-MM-DD) 8:03:35 (UTC)]
+ Processing... Done.
Acquisition finished at: [2018-03-27 (YYYY-MM-DD) 8:04:57 (UTC)]
Time elapsed: 1:21 minutes:seconds (81 secs)
Created file size: 8589410304 bytes (8191 Mb)
Total physical memory size: 8191 Mb
NtStatus (troubleshooting): 0x00000000
Total of written pages: 2097022
Total of inacessible pages: 0
Total of accessible pages: 2097022
SHA-256: 3F5753EBBA522EF88752453ACA1A7ECB4E06AEA403CD5A4034BCF037CA83C224
JSON path: C:\Comae-Toolkit-3.0.20180307.1\x64\memory.json
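Before the dump leaves the acquisition host, it is worth confirming that the file on disk matches what DumpIt reported: the SHA-256 in the summary above, the page counts, and the NtStatus. The following script is an added example (not from this book and not part of the Comae toolkit) that parses the console summary shown above and checks the dump file against it. The summary text embedded below is copied from the output above; the field names it matches on, the 4 KiB page size, and the 0x2000-byte header assumed for a 64-bit Microsoft crash dump (2097022 pages * 4096 + 8192 is exactly the 8589410304 bytes reported) are this example's own assumptions.

```python
"""Verify an acquired DumpIt image against the summary DumpIt printed.

Added example, not code from the book or from Comae. The summary below is the
console output reproduced in the section; field patterns, page size and the
crash-dump header size are assumptions of this example.
"""
import hashlib
import re

PAGE_SIZE = 4096
DMP64_HEADER_SIZE = 0x2000  # assumed: DUMP_HEADER64 occupies two 4 KiB pages in a 64-bit full dump

# Constructed sample: the tail of the DumpIt summary shown above.
SAMPLE_SUMMARY = """\
[+] Information:
Dump Type: Microsoft Crash Dump
Created file size: 8589410304 bytes (8191 Mb)
Total physical memory size: 8191 Mb
NtStatus (troubleshooting): 0x00000000
Total of written pages: 2097022
Total of inacessible pages: 0
Total of accessible pages: 2097022
SHA-256: 3F5753EBBA522EF88752453ACA1A7ECB4E06AEA403CD5A4034BCF037CA83C224
"""

# One regex per field we care about; DumpIt itself prints "inacessible".
FIELD_PATTERNS = {
    "dump_type": r"^Dump Type:\s*(.+?)\s*$",
    "file_size": r"^Created file size:\s*(\d+)\s*bytes",
    "written_pages": r"^Total of written pages:\s*(\d+)",
    "inaccessible_pages": r"^Total of inacc?essible pages:\s*(\d+)",
    "nt_status": r"^NtStatus \(troubleshooting\):\s*(0x[0-9A-Fa-f]+)",
    "sha256": r"^SHA-256:\s*([0-9A-Fa-f]{64})",
}


def parse_summary(text):
    """Extract the fields above from a DumpIt console summary into a dict."""
    fields = {}
    for key, pattern in FIELD_PATTERNS.items():
        match = re.search(pattern, text, re.MULTILINE)
        if match:
            fields[key] = match.group(1)
    for key in ("file_size", "written_pages", "inaccessible_pages"):
        if key in fields:
            fields[key] = int(fields[key])
    if "nt_status" in fields:
        fields["nt_status"] = int(fields["nt_status"], 16)
    if "sha256" in fields:
        fields["sha256"] = fields["sha256"].lower()
    return fields


def check_summary(fields):
    """Return a list of inconsistencies in the summary; an empty list means it is clean."""
    problems = []
    if fields.get("nt_status", 0) != 0:
        problems.append("NtStatus %#010x is not STATUS_SUCCESS" % fields["nt_status"])
    if fields.get("inaccessible_pages", 0):
        problems.append("%d pages were not captured" % fields["inaccessible_pages"])
    # A raw dump is assumed to be the pages only; a crash dump adds the header.
    expected_size = fields["written_pages"] * PAGE_SIZE
    if fields.get("dump_type") == "Microsoft Crash Dump":
        expected_size += DMP64_HEADER_SIZE
    if fields.get("file_size") != expected_size:
        problems.append("file size %s does not match expected %d"
                        % (fields.get("file_size"), expected_size))
    return problems


def sha256_of_chunks(chunks):
    """Hash an iterable of byte chunks; lets multi-GB dumps be hashed without loading them."""
    digest = hashlib.sha256()
    for chunk in chunks:
        digest.update(chunk)
    return digest.hexdigest()


def sha256_of_file(path, chunk_size=1 << 20):
    with open(path, "rb") as handle:
        return sha256_of_chunks(iter(lambda: handle.read(chunk_size), b""))


def verify_dump(path, reported_sha256):
    """True when the file's SHA-256 equals the value DumpIt printed (case-insensitive)."""
    return sha256_of_file(path) == reported_sha256.lower()


if __name__ == "__main__":
    parsed = parse_summary(SAMPLE_SUMMARY)
    print("summary problems:", check_summary(parsed) or "none")
    # Real use: verify_dump(r"C:\path\to\memory.dmp", parsed["sha256"])
```

In practice, paste the summary DumpIt printed (or the contents of the .json file it writes beside the dump) into parse_summary, record the result alongside the image, and re-run verify_dump on the analysis workstation after the copy so that any truncation or corruption in transit is caught before Volatility sees the file.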

To acquire the memory as a raw memory dump instead of the default Microsoft crash dump, you can specify that with the /t or /TYPE option, as follows:

C:\Comae-Toolkit-3.0.20180307.1\x64>DumpIt.exe /t RAW

DumpIt 3.0.20180307.1
Copyright (C) 2007 - 2017, Matthieu Suiche <http://www.msuiche.net>
Copyright (C) 2012 - 2014, MoonSols Limited <http://www.moonsols.com>
Copyright (C) 2015 - 2017, Comae Technologies FZE <http://www.comae.io>

WARNING: RAW memory snapshot files are considered obsolete and as a legacy format.

Destination path: \??\C:\Comae-Toolkit-3.0.20180307.1\x64\memory.bin
Computer name: PC

--> Proceed with the acquisition? [y/n] y

[+] Information:
Dump Type: Raw Memory Dump

[+] Machine Information:
Windows version: 6.1.7601
MachineId: A98B4D56-9677-C6E4-03F5-902A1D102EED
TimeStamp: 131666117379826680
Cr3: 0x187000
KdDebuggerData: 0xfffff80002c460a0
Current date/time: [2018-03-27 (YYYY-MM-DD) 8:08:57 (UTC)]

[.......REMOVED.........]

If you wish to acquire memory from servers with large amounts of memory, you can use the /R or /COMPRESS option in DumpIt. This creates a .zdmp (Comae compressed crash dump) file, which reduces the file size and also makes acquisition faster. The dump file (.zdmp) can then be analyzed with the Comae Stardust enterprise platform: https://my.comae.io. For more details, refer to the following blog post: https://blog.comae.io/rethinking-logging-for-critical-assets-685c65423dc0.

In most cases, you can acquire the memory of a Virtual Machine (VM) by suspending the VM. For instance, after executing the malware sample on VMware Workstation/VMware Fusion, you can suspend the VM, which will write the guest's memory (RAM) to a file with a .vmem extension on the host machine's disk. For those applications (such as VirtualBox) where the memory cannot be acquired by suspending, you can use DumpIt inside the guest machine.