Windows.Memory.Acquisition

Acquires a full memory image: WinPmem is downloaded to the endpoint and run to write a raw physical memory image to a temporary file, which is then uploaded once the tool completes.

NOTE: This artifact usually transfers a lot of data. You should increase the default timeout to allow it to complete.

name: Windows.Memory.Acquisition
description: |
  Acquires a full memory image: WinPmem is downloaded to the endpoint and
  run to write a raw physical memory image to a temporary file, which is
  then uploaded once the tool completes.

  NOTE: This artifact usually transfers a lot of data. You should
  increase the default timeout to allow it to complete.

tools:
  - name: WinPmem64
    github_project: Velocidex/WinPmem
    github_asset_regex: winpmem_mini_x64.+exe
    serve_locally: true

precondition: SELECT OS From info() where OS = 'windows' AND Architecture = "amd64"

sources:
  - query: |
      SELECT * FROM foreach(
          row={
            SELECT OSPath, tempfile(extension=".raw", remove_last=TRUE) AS Tempfile
            FROM Artifact.Generic.Utils.FetchBinary(ToolName="WinPmem64")
          },
          query={
            SELECT Stdout, Stderr,
                   if(condition=Complete,
                      then=upload(file=Tempfile, name="PhysicalMemory.raw")) As Upload
            FROM execve(argv=[OSPath, Tempfile], sep="\r\n")
        })