WinPmem can be deployed on remote systems through such native applications as Remote Desktop or PsExec. Once installed on the remote system, the output of WinPmem can be piped to another system using Netcat. For example, suppose that the incident response analyst is utilizing a system located at If the analyst is able to access the compromised host via PsExec or RDS, they can establish a Netcat connection back to their machine using the following command:

C:/winpmem-2.1.exe - | nc 4455

The preceding command directs the system to perform the capture and send the output via Netcat to the incident response analyst workstation over port 4455. The drawback to this technique is that it requires access ...
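The command above covers only the sending side. As an added example (not from the book), the following Python receiver for the analyst workstation listens on port 4455, writes the incoming stream to disk and computes a SHA-256 of the bytes as they arrive. The function name `receive_image`, its `ready` parameter and the output path are assumptions made for this illustration.

```python
import hashlib
import socket

LISTEN_PORT = 4455          # port used in the command above
CHUNK = 1024 * 1024         # read 1 MiB at a time; memory images are large


def receive_image(out_path, host="0.0.0.0", port=LISTEN_PORT, ready=None):
    """Accept one connection, write the stream to out_path, and return
    (bytes_received, sha256_hex, sender_ip) for the case notes."""
    digest = hashlib.sha256()
    total = 0
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((host, port))
        srv.listen(1)
        if ready is not None:
            ready.set()              # optional threading.Event for callers
        conn, peer = srv.accept()    # single sender, then stop listening
        # "xb" refuses to overwrite an existing evidence file.
        with conn, open(out_path, "xb") as out:
            while True:
                chunk = conn.recv(CHUNK)
                if not chunk:        # sender closed: capture finished
                    break
                out.write(chunk)
                digest.update(chunk)
                total += len(chunk)
    return total, digest.hexdigest(), peer[0]


if __name__ == "__main__":
    import sys
    # Usage (hypothetical file name): python receive_image.py host01-mem.raw
    size, sha256, sender = receive_image(sys.argv[1])
    print(f"received {size} bytes from {sender}")
    print(f"sha256   {sha256}")
```

The hash covers the data as received, so record it at acquisition time. The Netcat stream itself is neither encrypted nor authenticated, which is why the sender address is returned for comparison with the host being imaged.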
