Hello again! Today I’ll share the steps for creating a .raw memory dump with Volatility. Taking a memory dump means copying the entire contents of RAM to a file on a storage drive.
The first thing we’ll do is run the malware in a suitable VM. I prefer Windows 7 because it is easy to work with when creating a memory dump.
Once your system is infected, take a snapshot. Move to the directory where the snapshot was created; from here on we’ll be using a tool called vmss2core, which can be found here.
Suspend the machine. This creates a suspended-state image of the VM with the extension .vmss. Head over to the VM’s directory.
Step 1: Use the following command to create a memory.dmp file:
vmss2core-sb-8456865.exe -W file.vmss file.vmem
Once vmss2core has finished writing the core, you’ll see a file named memory.dmp in the VM directory.
Now we’ll use Volatility to identify the profile that matches the memory image. I am using Win7SP1x64 as it is a suggested profile. The command for creating the .raw file with a specific profile is:
volatility -f memory.dmp --profile=Win7SP1x64 imagecopy -O jigsaw.raw
This way we can create our jigsaw.raw file.
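As an added example that is not part of the original post, the small Python helper below ties the two steps together: it parses the "Suggested Profile(s)" line that Volatility 2’s imageinfo plugin prints (the source of the Win7SP1x64 choice above), builds the imagecopy command from the post, and identifies whether a file on disk is the WinDbg-style crash dump that vmss2core -W writes or a flat .raw image, hashing it so the image can be verified later. The imageinfo output embedded in it is constructed sample text, and the function names are my own.

```python
import hashlib
import re
from pathlib import Path

# A WinDbg-style crash dump (what "vmss2core -W" produces) starts with one of
# these signatures; a flat .raw image from imagecopy has no header at all.
CRASHDUMP_SIGNATURES = {b"PAGEDUMP": "crashdump32", b"PAGEDU64": "crashdump64"}

# Constructed sample of "volatility -f memory.dmp imageinfo" output (not real output).
SAMPLE_IMAGEINFO = """Volatility Foundation Volatility Framework 2.6
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64 (Instantiated with Win7SP1x64)
                     AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
"""


def parse_suggested_profiles(imageinfo_output):
    """Return the profile names listed on the 'Suggested Profile(s)' line, in order."""
    m = re.search(r"Suggested Profile\(s\)\s*:\s*(.+)", imageinfo_output)
    if not m:
        return []
    # Drop trailing notes such as "(Instantiated with ...)" from the last entry.
    entries = [e.strip() for e in m.group(1).split(",")]
    return [e.split()[0] for e in entries if e]


def imagecopy_command(dump_path, profile, out_path):
    """argv for the conversion command used in the post (Volatility 2 syntax)."""
    return ["volatility", "-f", str(dump_path), f"--profile={profile}",
            "imagecopy", "-O", str(out_path)]


def classify_header(first_bytes):
    """Identify an image by its first 8 bytes: crash dump or raw/unknown."""
    return CRASHDUMP_SIGNATURES.get(bytes(first_bytes[:8]), "raw-or-unknown")


def inspect_image(path):
    """Report the format, size and SHA-256 of an image file, read in 1 MiB chunks."""
    p = Path(path)
    digest = hashlib.sha256()
    with p.open("rb") as f:
        head = f.read(8)
        digest.update(head)
        for chunk in iter(lambda: f.read(1 << 20), b""):
            digest.update(chunk)
    return {"format": classify_header(head), "size": p.stat().st_size,
            "sha256": digest.hexdigest()}


if __name__ == "__main__":
    profile = parse_suggested_profiles(SAMPLE_IMAGEINFO)[0]
    print(" ".join(imagecopy_command("memory.dmp", profile, "jigsaw.raw")))
```

Record the SHA-256 of jigsaw.raw right after imagecopy finishes, so that any later analysis can be tied back to the exact image that was captured.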
Until next time! :D