// evidence type
memory dump / crash dump
raw .dmp · vmem · hibernation-adjacent capture. process trees, injected PE, entropy islands, in-memory creds — when disk is encrypted or the actor is memory-only.
start here · primary tools
ordered. work top-down. the first tool is the suggested entry point for this evidence type.
- memory dump analyzer: drop a .dmp or .vmem · extract strings · identify patterns · find artifacts · runs locally
- memory pe extractor: drop a memory dump · scan for PE headers · carve embedded executables · rebuild PE structure · download extracted files · runs locally
- memory entropy analyzer: memory dump · shannon entropy per block · heatmap · high-entropy regions · hex dump · csv + png export · runs locally
- process tree rebuilder: drop a memory dump · scan EPROCESS pool tags · reconstruct parent/child process tree · flag orphaned and suspicious chains · export CSV · runs locally
- memory string timeline reconstructor: drop multiple timestamped string extractions or timeline csv · new / removed / persistent strings · ioc temporal tracking · runs locally
- in-memory malware configuration extractor: drop process memory dump · xor-decode json / xml config blocks · c2 ip / port / campaign / mutex extraction · multi-technique local scan · runs locally
- credential artifact scanner: drop a memory dump · scan for plaintext credentials · NTLM hashes · OAuth tokens · API keys · session cookies · Base64 secrets · export CSV · runs locally
- pagefile extractor: drop Windows pagefile.sys or hiberfil.sys · extract strings · URLs · file paths · credential artifacts · runs locally
also useful · secondary tools
supporting and follow-up tools. surface as the investigation widens.
- hiberfil analyzer: drop hiberfil.sys · urls / paths / processes / keys · hibr header · category tabs · csv export · runs locally
- pagefile timeline reconstructor: paste strings output · 30-min sessions · urls / credentials / paths · timeline tabs · csv export · runs locally
- memory credential theft artifact detector: drop security evtx csv and sysmon evtx csv · detect credential dumping from memory · identify lsass access patterns · surface mimikatz and other credential dumper indicators · runs locally
- memory network connection mapper: drop a memory dump · scan for TCP/UDP socket structures · extract IPs · ports · process associations · flag suspicious connections · export CSV · runs locally
- case report generator: fill in case number · examiner · dates · findings · drop evidence files for auto hash · generates structured forensic report PDF · runs locally