Open moloch-- opened 5 years ago
Or even better: mount it remotely as a file system: https://github.com/ufrisk/MemProcFS (not sure what we'd need to adapt though)
I wonder if we can just point Volatility's Mimikatz plugin directly at MemProcFS?
Almost sure you can: I've seen the author demo a remote volatility with this, before he split PCILeech into multiple projects.
https://github.com/ufrisk/MemProcFS-plugins - Haha, there's already a plugin to do it
Integrate a physical memory dumping tool to avoid having to open a process handle to lsass.exe when acquiring mimikatz-able memory dumps.

https://zeltser.com/memory-acquisition-with-dumpit-for-dfir-2/