Device_DumpIt

Memory Acquisition Method: DumpIt

The LeechCore library supports reading live memory by using Comae DumpIt.

Facts in short:

Is supported on 32-bit and 64-bit Windows.
Acquires memory in read-only mode.
Acquired memory is assumed to be volatile.
Have additional requirements.

The LeechCore process must be started from DumpIt in elevated administrator mode for DumpIt to be able to capture live memory.

Connection string:

LeechCore API:

Please specify the acquisition device type in LC_CONFIG.szDevice when calling LcCreate. The acquisition device type is dumpit.

PCILeech / MemProcFS:

Please specify the device type in the -device option or start from DumpIt directly

Examples:

-device dumpit -remote rpc://<spn>:<somehost>

DumpIt.exe /LIVEKD /A MemProcFS.exe

Requirements:

Depends on DumpIt.exe. Please download the latest version of DumpIt from Magnet Forensics.

Overview

Home

API

Acquisition Methods

FILE
REMOTE
EXISTING
HW: USB3380
HW: FPGA
- DMA not working
- DMA on AMD/
  Thunderbolt
HW: FPGA/RawUDP
HW: iLO/RawTCP
Hyper-V Saved State
TotalMeltdown
DumpIt
LiveKd
LiveCloudKd
QEMU
VMWare
WinPMEM

LeechAgent

Overview
Installing

Development

Building

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Device_DumpIt

Memory Acquisition Method: DumpIt

Connection string:

Requirements:

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Overview

API

Acquisition Methods

LeechAgent

Development

Clone this wiki locally