WinPmem

The Windows memory acquisition tool.

WinPmem is a physical memory acquisition tool with the following features:
- Open source
- Support for Win7 - Win10, x86 and x64. WDK7600 can be used to build a driver that also supports WinXP. By default, the provided WinPmem executables are compiled with WDK10, support Win7 - Win10, and use more modern code.
- Three independent reading methods, with two methods to create a complete memory dump. One method should always work even when faced with kernel mode rootkits.
- Raw memory dump image support.
- A read device interface is used instead of writing the image from the kernel like some other imagers. This lets the imager be a complex userspace program (e.g. copy across the network, hash, etc.), and also allows analysis to run on the live system (e.g. directly on the device being acquired).
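The userspace side of that design, as an added illustration rather than WinPmem's own code: the kernel driver only has to expose a readable device, and everything else (chunked reads, writing a raw image, hashing the stream as it is acquired, re-verifying the result) happens in an ordinary userspace process. The page does not name the device path or the read interface WinPmem exposes, so `DEVICE_PATH` below is a placeholder and the example reads from an in-memory stand-in constructed with `os.urandom` instead of a real device; `image_device`, `verify_image` and `demo` are illustrative names, and the same loop would accept a socket or compressing writer as `out`.

```python
import hashlib
import io
import os
import tempfile

# Placeholder: the page does not name the device WinPmem exposes, so this
# path is an assumption and is never opened here.
DEVICE_PATH = r"\\.\PLACEHOLDER_PMEM_DEVICE"
CHUNK_SIZE = 1024 * 1024  # 1 MiB per read request


def image_device(device, out, chunk_size=CHUNK_SIZE, hasher=hashlib.sha256):
    """Stream a read-only device to `out`, hashing while acquiring.

    `device` and `out` are binary file-like objects. Returns
    (bytes_copied, hex_digest). Because the work is in userspace, `out`
    may be a local file, a network socket or a compressing writer.
    """
    h = hasher()
    copied = 0
    while True:
        chunk = device.read(chunk_size)
        if not chunk:            # EOF: the device has no more pages to give
            break
        out.write(chunk)
        h.update(chunk)
        copied += len(chunk)
    return copied, h.hexdigest()


def verify_image(path, expected_digest, chunk_size=CHUNK_SIZE, hasher=hashlib.sha256):
    """Re-hash the written image and compare with the acquisition-time digest."""
    h = hasher()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest() == expected_digest


def demo(sample=None, chunk_size=CHUNK_SIZE):
    """Acquire a constructed in-memory 'device' into a temp file and check it.

    Returns a tuple of three booleans: all bytes copied, digest matches the
    source, and the on-disk image re-verifies against that digest.
    """
    if sample is None:
        # Constructed sample standing in for physical memory; the odd size
        # exercises the final short read.
        sample = os.urandom(3 * 1024 * 1024 + 17)
    fake_device = io.BytesIO(sample)
    fd, path = tempfile.mkstemp(suffix=".raw")
    os.close(fd)
    try:
        with open(path, "wb") as out:
            copied, digest = image_device(fake_device, out, chunk_size)
        ok = verify_image(path, digest, chunk_size)
        return (copied == len(sample),
                digest == hashlib.sha256(sample).hexdigest(),
                ok)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo())
```

On a real system the only change is replacing the `BytesIO` stand-in with a handle opened on the driver's device; the hashing and verification logic stays in userspace, which is the point of exposing a read interface rather than writing the image from the kernel.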