Windows 32/64 bit RAM memory dumper tool
CyberTest offers free windows 32/64 bit physical memory dumper tool to help with security testing and digital forensics.
This tool dumps the physical RAM memory of Windows 32/64 bit to a file. You can then use your choice of hex viewer or other tools to conduct your analysis.
The tool works on physical hardware and virtual machines. The speed varies based on how much memory it needs to read and dump but to just give you an idea
of the speed, it takes about 60 seconds or less to dump 16 GB of memory using Intel i7 2.70GHz system. The tool has been tested on Windows 7 and 10 but
should run on other Windows platforms. If there are any issues running on other Windows platforms you can send us email at [email protected].
The download link below is a zip file that contains both 32 and 64 bit version of the tool. On the 64 bit Windows you will need to boot into advanced boot option by pressing F8 and select
"Disable Driver Signature Enforcement" option to be able to run the tool. This is needed because the tool is not signed and 64 bit OS requires signed drivers.
On Windows 10 you will need to switch the boot option to legacy to use F8 to get into the advance options. To do that open cmd in administrator mode and type
"bcdedit /set {default} bootmenupolicy legacy" and press enter. After the command completes successfully, restart your computer.
Showing the "Disable Driver Signature Enforcement" in Advanced Boot Options after pressing f8 at boot time.
Note: If you are using BitLocker encryption you will need to enter your recovery key to unlock and access advanced boot options.
Showing RamDump tool that dumped VM RAM memory in mem.dmp file.
Download RamDump Tool