Windows Memory Reader™

Windows Memory Reader is a simple command-line utility to capture the contents of physical RAM on a suspect computer, letting an investigator gather volatile state information prior to shutting the machine down.  Results are stored in a Windows crash dump file or a raw binary file for later off-line analysis by the investigator. Researchers can also use Windows Memory Reader to capture memory-mapped device data, such as shared video memory.

Windows Memory Reader is available free of charge.  It executes directly on 32-bit and 64-bit target machines running Windows XP through Windows 8.

Download

Windows Memory Reader 1.0 [released December 2012]

By using this software, you agree to the terms in the LICENSE.txt file included in the download and reproduced here.

 

Mem Marshal™

Windows Memory Reader is part of the Mem Marshal project. ATC-NY's Mem Marshal a computer forensic tool for analyzing Windows XP memory.

Mem Marshal

 

Software Instructions

Please read the README.txt file, included in the download, for full instructions.

Some tips on using Windows Memory Reader:

1. If you are saving the RAM snapshot to a FAT-32 formatted USB drive, FAT-32's file size restrictions will prevent you from writing RAM snapshots that are 4GB or larger.  To get around this limitation, you must run Windows Memory Reader from a Unix-like environment such as MinGW or Cygwin.  You can then split the output into multiple 2GB chunks on the fly using a command line such as the following:

wmr - | split -b 2048m - ram_dump.dmp.

This will create ram_dump.dmp.aaram_dump.dmp.ab, etc. If you don't want to split the file, consider using an ExFAT or NTFS-formatted drive.

2. You can also send the RAM snapshot to a remote machine over the network; this also requires running Windows Memory Reader from a Unix-like environment such as MinGW or Cygwin.  To send it to a raw TCP socket on port portnum on host hostname using netcat:

wmr - | nc hostname portnum

To send it encrypted as a file to a host running SSH:

wmr - | ssh hostname cat \> /path/to/remote/destfile

3. Normally, Windows Memory Reader saves RAM snapshots in Windows Crash Dump format, which includes a table of contents and system information followed by the raw data.  Adding the -p flag to wmr will change the output format to a plain/raw DD style, with only the bytes of physical memory and no header information. Because the raw format does not preserve memory region information (types and offsets), wmr will print a table of contents when done. Adding -P instead will cause unused memory regions to be zero-filled, removing the need for the table of contents but causing the RAM snapshot to (potentially) require significantly more disk space than the size of RAM.

4. Windows Memory Reader can compute hashes on the fly if needed: add -H hashtype arguments (where hashtype is one of MD5, SHA-1, SHA-256, or SHA-512) to have hashes printed on stderr.  For example,

wmr -H MD5 -H SHA-1 ...

will compute both MD5 and SHA-1 hashes of the memory dump.