Winpmem
WinPmem is a Windows physical memory imaging tool developed for memory acquisition and forensic analysis. It captures the entire physical memory contents of a Windows system for offline investigation of malware, rootkits, and intrusion artifacts.
Installation and Setup
Download WinPmem
# Download from Google Cloud Forensics project
# https://github.com/google/rekall/tree/master/tools/windows/winpmem
# Or get the released binary
wget https://github.com/Velocidex/WinPmem/releases/download/v3.4.0/winpmem_v3.4.0.exe
# Extract and run (requires Administrator)
./winpmem_v3.4.0.exe --helpSystem Requirements
- Windows XP through Windows 11
- Administrator privileges required
- Sufficient disk space for memory image
- Python 3.6+ (for Rekall integration)
Basic Memory Acquisition
Simple Memory Dump
# Capture physical memory to file
winpmem.exe output.raw
# Creates raw memory image of entire system RAM
# Size = System RAM (4GB, 8GB, 16GB, etc.)
# With verbose output
winpmem.exe -v output.raw
# Show progress
winpmem.exe output.raw -pCompressed Acquisition
# Capture memory in compressed format
winpmem.exe -c output.zip
# Creates compressed memory image (smaller file size)
# Compression reduces image size by 30-50%Segmented Capture
# Capture memory in segments (for large RAM)
winpmem.exe -s 1000 memory_chunk.raw
# Splits 1000MB segments
# Useful for systems with 64GB+ RAMAdvanced Acquisition Techniques
Raw Uncompressed Dump with Verification
@echo off
REM Acquire memory and calculate hash
winpmem.exe memory.raw
REM Calculate MD5 for verification
certutil -hashfile memory.raw MD5 > memory.md5
REM Log acquisition metadata
echo Acquisition Time: %date% %time% > memory.log
echo System RAM: >> memory.log
wmic OS get TotalVisibleMemorySize >> memory.logMemory Dump with System Information
# PowerShell script for complete acquisition
$OutputDir = "C:\forensics\$(Get-Date -Format 'yyyyMMdd_HHmmss')"
New-Item -ItemType Directory -Path $OutputDir -Force
# Capture memory
& winpmem.exe "$OutputDir\memory.raw"
# Save system information
systeminfo | Out-File "$OutputDir\systeminfo.txt"
# Save running processes
Get-Process | Export-Csv "$OutputDir\processes.csv"
# Save network connections
netstat -anob | Out-File "$OutputDir\netstat.txt"
# Save loaded DLLs
Get-Process | ForEach-Object {
$_.Modules | Export-Csv "$OutputDir\$($_.ProcessName)_modules.csv" -Append
}
# Calculate hash of memory image
$FileHash = (Get-FileHash "$OutputDir\memory.raw" -Algorithm MD5).Hash
$FileHash | Out-File "$OutputDir\memory.md5"
Write-Host "Memory acquisition complete: $OutputDir"Memory Analysis
Using Rekall Framework
# Install Rekall
pip install rekall-core
# Analyze memory image with Rekall
rekall -f memory.raw
# Common Rekall commands
rekall -f memory.raw pslist # List processes
rekall -f memory.raw pstree # Process tree
rekall -f memory.raw psxview # Process visibility
rekall -f memory.raw connections # Network connections
rekall -f memory.raw modules # Loaded DLLs
rekall -f memory.raw mutantscan # Mutexes and synchronization objects
rekall -f memory.raw filescan # File system artifactsUsing Volatility Framework
# Install Volatility 3
pip install volatility3
# List plugins
vol -h
# Plugin profiles (for legacy Volatility 2)
# volatility -f memory.raw --profile=Win7SP1x64
# Extract processes
vol -f memory.raw windows.pslist.PsList
# Check for hidden processes
vol -f memory.raw windows.pslist.PsScan
# List DLLs
vol -f memory.raw windows.dlllist.DllList
# Dump process
vol -f memory.raw -o /tmp windows.procdump.ProcDump --pid 1234
# Extract command line arguments
vol -f memory.raw windows.cmdline.CmdLine
# Network connections
vol -f memory.raw windows.netstat.NetStat
# Find injected code
vol -f memory.raw windows.malfind.MalfindManual Memory Inspection
# Python script for memory analysis
import mmap
import struct
# Open memory image
with open('memory.raw', 'rb') as f:
mem = mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ)
# Search for strings
search_string = b'malware'
pos = 0
while True:
pos = mem.find(search_string, pos)
if pos == -1:
break
print(f"Found '{search_string}' at offset: 0x{pos:x}")
pos += 1
# Search for PE header
pe_signature = b'MZ'
pos = 0
pe_locations = []
while True:
pos = mem.find(pe_signature, pos)
if pos == -1:
break
pe_locations.append(pos)
pos += 1
print(f"Found {len(pe_locations)} potential PE headers")
for loc in pe_locations[:10]:
print(f" PE at: 0x{loc:x}")Forensic Investigation
Timeline Analysis
# Extract filesystem timeline
$Files = Get-ChildItem -Path "C:\" -Recurse -ErrorAction SilentlyContinue
$Files | Select-Object FullName, CreationTime, LastAccessTime, LastWriteTime |
Export-Csv -Path "timeline.csv"
# Correlate with memory image timestamps
# Compare process creation times with file modification timesMalware Detection
# YARA scan on memory image
yara -r malware_signatures.yar memory.raw
# Hash-based detection
md5deep -r memory.raw | grep -f malware_hashes.txt
# String analysis
strings memory.raw | grep -E "http|cmd|powershell" > suspicious_strings.txtRegistry and Persistence Artifacts
# Extract registry hives from memory
vol -f memory.raw windows.registry.hivelist
# Dump specific registry keys
vol -f memory.raw windows.registry.printkey --key "SOFTWARE\Microsoft\Windows\Run"
# Find persistence mechanisms
vol -f memory.raw windows.registry.printkey --key "HKLM\System\CurrentControlSet\Services"Comparative Analysis
Multi-Image Comparison
# Compare two memory images from same system
def compare_memory_images(img1, img2):
with open(img1, 'rb') as f1, open(img2, 'rb') as f2:
chunk_size = 1024 * 1024 # 1MB chunks
offset = 0
differences = []
while True:
chunk1 = f1.read(chunk_size)
chunk2 = f2.read(chunk_size)
if not chunk1:
break
if chunk1 != chunk2:
# Find exact byte differences
for i in range(len(chunk1)):
if chunk1[i] != chunk2[i]:
differences.append((offset + i, chunk1[i], chunk2[i]))
offset += chunk_size
return differences
# Usage
diffs = compare_memory_images('memory_before.raw', 'memory_after.raw')
print(f"Found {len(diffs)} byte differences")
for addr, byte1, byte2 in diffs[:10]:
print(f" 0x{addr:x}: {byte1:02x} -> {byte2:02x}")Documentation and Reporting
Forensic Report Template
# Memory Forensics Report
## Acquisition Details
- Date/Time: [Timestamp]
- System: [Computer Name]
- Operating System: [OS Version]
- Total RAM: [Size]
- Image File: [Filename]
- Image Size: [Size]
- MD5 Hash: [Hash]
## Key Findings
### Processes
- [Suspicious process list]
### Network Connections
- [Suspicious connections]
### DLLs and Modules
- [Loaded modules of interest]
### Filesystem Artifacts
- [Suspicious files found in memory]
## Timeline
[Timeline of events]
## Recommendations
[Investigation recommendations]Troubleshooting
Common Issues
# Error: "Access Denied"
# Solution: Run as Administrator
# Error: "Insufficient memory"
# Solution: Use segmented capture with -s flag
# Error: "Driver failed to load"
# Solution: Disable DEP/NX and try againSystem Compatibility
# Check Windows version
[System.Environment]::OSVersion.VersionString
# Check available RAM
$MemGB = (Get-WmiObject Win32_ComputerSystem).TotalPhysicalMemory / 1GB
Write-Host "Total RAM: $MemGB GB"
# Check antivirus compatibility
Get-MpComputerStatusBest Practices
- Preserve memory ASAP: Acquire immediately after incident detection
- Hash verification: Always calculate and record image hashes
- Document metadata: Record system information during acquisition
- Secure chain of custody: Store images securely with access logs
- Multiple tools: Use multiple analysis frameworks for verification
- Offline analysis: Analyze images on clean isolated system
- Automated detection: Use YARA and other automated scanning tools
Related Tools
- Volatility: Memory forensics framework
- Rekall: Advanced memory analysis
- YARA: Pattern-based malware detection
- Strings: Extract readable text from memory
- Hex editors: Manual memory inspection
References
Last updated: 2026-03-30