Full Memory Dump on Windows 7

By default, complete memory dump is disabled. Enable this option if your computer has more than 2 GB of physical RAM.
To generate a full memory dump:
  1. Do any of the following:
    • On your desktop:
      1. Click Start, right-click Computer and select Properties.
      2. Click Advanced system settings.
      3. Click Advanced tab.
      4. Under the Writing debugging information section, click Settings.
      5. Select the Complete memory dump.
    • Using the Registry Editor
      1. Open the Registry Editor.
        Important: Always back up the whole registry before making any modifications. Incorrect changes to the registry can cause serious system problems.
      2. Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl and set the value of the “CrashDumpEnabled” to “0x1”.
      3. Restart the Windows.

Read : https://success.trendmicro.com/solution/1059775-generating-a-full-memory-dump-on-windows-server-2008-r2-and-windows-7

Read: https://support.kaspersky.com/general/dumps/12402#block2

Find Evil in Live Memory

 

Mandiant’s Memoryze™ is free memory forensic software that helps incident responders find evil in live memory. Memoryze can acquire and/or analyze memory images and on live systems can include the paging file in its analysis.

Memoryze can:

  • Image the full range of system memory (no reliance on API calls).
  • Image a process’ entire address space to disk, including a process’ loaded DLLs, EXEs, heaps and stacks.
  • Image a specified driver or all drivers loaded in memory to disk.
  • Enumerate all running processes (including those hidden by rootkits), including:
    • Report all open handles in a process (including all files, registry keys, etc.)
    • List the virtual address space of a given process including all loaded DLLs and all allocated portions of the heap and stack
    • List all network sockets that the process has open, including any hidden by rootkits.
    • Specify the functions imported and exported by the EXE and DLLs.
    • Hash the EXE and DLLs in the process address space (MD5, SHA1, SHA256.  This is disk based).
    • Verify the digital signatures of the EXEs and DLLs (disk-based).
    • Output all strings in memory on a per-process basis.
  • Identify all drivers loaded in memory, including those hidden by rootkits. For each driver, Memoryze can:
    • Specify the functions the driver imports and exports.
    • Hash the driver (MD5, SHA1, and SHA256. disk-based).
    • Verify the digital signature of the driver (disk-based).
    • Output all strings in memory on a per driver basis.
  • Report device and driver layering, which can be used to intercept network packets, keystrokes and file activity.
  • Identify all loaded kernel modules by walking a linked list. Identify hooks (often used by rootkits) in system call table, the interrupt descriptor tables (IDTs) and driver function tables.

Memoryze for the Mac can:

  • Image the full range of system memory
  • Acquire individual process memory regions
  • Enumerate all running processes (including those hidden by rootkits).
  • For each process Memoryze for the Mac can:
    • Report all open file handles in a process (including all files, sockets, pipes, etc)
    • List the virtual address space of a process including:
      • loaded libraries
      • allocated portions of heap and execution stack
      • network connections
      • all loaded kernel extensions, including those hidden by rootkits
      • system call table and mach trap table
      • all running mach tasks
      • ASLR support

Mandiant’s Memoryze can perform all these functions on live system memory or memory image files – whether they were acquired by Memoryze or other memory acquisition tools.

Home Page : https://www.fireeye.com/services/freeware/memoryze.html

Memory Viewer

Main screen

With Memory Viewer you can view your system memory configuration, without having to open the box! Not only does Memory Viewer show you the channel, dimm, size and speed….but it also shows you the type of memory: SDRAM, DDR, etc. Memory Viewer can save you time by telling you detailed information about the memory cards installed in your computer, as well as the current memory allocation. Check out the screenshots to see what we are talking about.

With Memory Viewer you can get information such as the physical location on the motherboard, channel, dimm number, device type, bank locator, synchronous type, dimm factor, chip size, memory speed, total width, manufacturer, serial number, asset tag, part number and more. Memory Viewer retrieves the most information from your Windows system memory.

Download & Use

 

Debug diagnostic tool For Memory Dump Analysis

ebug diagnostic tool is the application that we can use to analysis the memory dump.

This application can not be used to analysis the memory dump file that is generate by sqldumper.

This application can be download from here .

Installation process is very straight forward.

image

We will need to admin privilege to execute the application.

image

Select Native memory

image

Choice the processes

image

In the tools –> Options –> check Record call stacks immediately

image

image

Create the full user dump

image

image

Add the dump file in the location.

In the advance analysis tab, “Memory Pleasure analyzer”

image

This will generate the nice HTML report.

image

REFERENCE

Read more at http://www.sqlpanda.com/2013/10/use-debug-diagnostics-tool-to-analysis.html#ydOsqF5ZgURBI3DJ.99