Sayfalar

[MoonSols] Windows Memory Toolkit


MoonSols Windows Memory Toolkit is a powerful toolkit containing all the utilities needed to perform any kind of memory acquisition or conversion during an incident response, or a forensic analysis for Windows desktops, servers or virtualized environment. The version 2.0 is a refresh and updated version of our software to reply to the evolving needs of our clients and assist them to deliver in a strategic and professional way.

MoonSols Windows Memory Toolkit had been designed to deal with Microsoft Windows hibernation file (from Microsoft Windows XP to Microsoft Windows 8 in both 32-bits and 64-bits (x64) Editions), Microsoft full memory crashdump (in both 32-bits and 64-bits (x64) Editions), and raw memory dump files (from memory acquisition tools like DumpIt or Virtualization application like VMWare). Moreover, MoonSols Windows Memory Toolkit also contains new version of DumpIt.

MoonSols Windows Memory Toolkit main point is that Microsoft full memory crashdump had been designed by Microsoft as the “physical memory format” which aims at being analyzed by Microsoft Windows Debugger (the most powerful utility to troubleshoot problems, analyze physical memory etc.). The goal of MoonSols Windows Memory Toolkit is to make possible to convert all Windows physical memory dumps into Microsoft Crash dump compliant with Microsoft Windows Debugger (WinDbg).

With MoonSols Windows Memory Toolkit you can convert any Windows memory dump file in a Microsoft crash dump file readable by Microsoft Windows Debugger. Moreover, you can also decompress complex memory dumps such as Windows XP x64 hibernation file as well as Windows 7 x64 Hibernation file.

The MoonSols Windows Memory Toolkit 2.0 works on every Microsoft Windows version, from Microsoft Windows XP to Microsoft Windows 8 (both x86 and x64 Edition).

The MoonSols Windows Memory Toolkit 2.0 contains an improved version of win32dd and win64dd called DumpIt, which can be used from the external paths and and can be called from scripts to make your life easier. Moreover, an interactive command-live version is provided to users.

The toolkit contains several utilities such as DumpIt for live acquisition on a local disk file or to a remote target, or like hibr2dmp/bin2dmp to create a synergetic ecosystem within all the different file formats used by memory snapshots files such as Windows hibernation file and Microsoft crash memory dumps analysable by Microsoft WinDbg.

MoonSols Windows Memory Toolkit contains:
  • MoonSols DumpIt 2.0
  • MoonSols Hibr2Bin 2.0
  • MoonSols Hibr2Dmp 2.0
  • MoonSols Dmp2Bin 2.0
  • MoonSols Bin2Dmp 2.0
MoonSols DumpIt replaces MoonSols Win32dd and Win64dd, the utility also has full 32-bits and 64-bits Windows 8 support and new features such as LZNT1 compression and RC4 encryption.

The utilities Hibr2Bin and Hibr2Dmp also have 32-bits and 64-bits Windows 8 support.