evild3ad / collect-memorydump Goto Github PK

Trying to run Lethal-Forensics to capture RAM on a Windows machine.

Result:

.\Collect-MemoryDump.ps1 -Comae
[Info]  Host Name: LODGE
[Error] File Hash does NOT match.
PS C:\Users\g33k2\git\Collect-MemoryDump-v0.9.1>

Expected:
RAM capture works.

Nice work on this project.

Adding the /captureram flag to the Magnet RESPONSE command would give you a DumpIt dump by default, detecting the appropriate architecture, and fall back to Magnet RAM capture if that’s not viable. You wouldn’t need the additional separate exe’s for the different DumpIt versions or Magnet RAM capture. This would require some modification for Belkasoft and Winpmem flow so those would use the current syntax.

.\Collect-MemoryDump.ps1 -Magnet

& $MagnetRESPONSE /accepteula /nodiagnosticdata /unattended /caseref:"Collect-MemoryDump-v1.0" /output:"$OUTPUT_FOLDER\Memory\Pagefile" /captureram /capturepagefile /capturevolatile /captureextendedprocessinfo /saveprocfiles

This would cover DumpIt dump in DMP for all architectures and Magnet RAM Capture for legacy systems.