memdump

During the course of the analysis it may become necessary to dump the memory-resident pages associated with a process. In this case, the memdump plugin is run against the memory image, with the output directed to the home folder, utilizing the following command:

forensics@ubuntu:~/Documents$ sudo volatility -f stuxnet.vmem --profile=WinXPSP2x86 -p 868 memdump --dump-dir /home/

Volatility will indicate the progress of the dump:

Once the plugin is finished, the dump file is found within the home folder:

Once the dump is complete, the ...
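The memdump step above, wrapped as an added shell example (not code from the book) so that the resulting dump is checked and hashed for the case log. It assumes Volatility 2 writes the output as `<pid>.dmp` inside the `--dump-dir` folder; the function names and the log format are illustrative.

```shell
#!/bin/sh
# Added example: wrap the memdump step so the resulting dump is verified and
# hashed for the case log. Assumes Volatility 2 names the output <pid>.dmp
# inside --dump-dir (an assumption, not stated in the text).

# Build the exact memdump command line for an image, profile, PID and dump dir.
build_memdump_cmd() {
    printf 'volatility -f %s --profile=%s -p %s memdump --dump-dir %s\n' "$1" "$2" "$3" "$4"
}

# Verify that the dump for a PID exists and is non-empty, then print its SHA-256.
# Returns 1 if the file is missing or empty so a calling script can stop early.
verify_dump() {
    pid="$1"; dump_dir="$2"
    dump_file="$dump_dir/$pid.dmp"
    if [ ! -s "$dump_file" ]; then
        echo "memdump output missing or empty: $dump_file" >&2
        return 1
    fi
    sha256sum "$dump_file" | cut -d' ' -f1
}

# Run memdump for one PID and append a timestamped hash of the result to a log.
dump_and_log() {
    image="$1"; profile="$2"; pid="$3"; dump_dir="$4"; log="$5"
    sh -c "$(build_memdump_cmd "$image" "$profile" "$pid" "$dump_dir")" || return 1
    hash=$(verify_dump "$pid" "$dump_dir") || return 1
    printf '%s %s/%s.dmp %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$dump_dir" "$pid" "$hash" >> "$log"
}
```

Invoking `dump_and_log stuxnet.vmem WinXPSP2x86 868 /home/ case.log` reproduces the command from the text and records the dump's hash, which is the value to cite when the dump is later handed to other analysts.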
