Windows Forensics Cookbook

How to do it…

This time, we don't need to know which kind of operating system we are dealing with, 32-bit or 64-bit. As already mentioned, DumpIt is a fusion of Win32dd and Win64dd in one executable. So, there are just two steps:

  1. Plug in the external drive in the target system
  2. Start DumpIt.exe and type y to start the acquisition process

Figure 2.3. Memory acquisition with DumpIt

As a result of the acquisition, you'll get two files: one with the DMP extension and one with the JSON extension. The first is the target system's memory dump, with the computer name, date and time (UTC) in the file name; the second is the dump information file, which contains details that matter from a forensic point of view: file size, system architecture type (32/64), KdCopyDataBlock, KdDebuggerData, kdpDataBlockEncoded, the SHA256 hash, and so on. That's it: the DMP file is ready to be analysed with the memory forensics software of your choice.
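A check a practitioner adds right after the acquisition, as an added example that is not from the book: recompute the DMP file's SHA256 and compare it with the hash stored in the JSON file, so the dump's integrity is established before it leaves the scene. The JSON key layout used here (`fileInfo` / `sha256`) is an assumption, which is why the lookup searches for the key wherever it sits; the sample dump is constructed in a temporary directory.

```python
import hashlib
import json
import tempfile
from pathlib import Path

def find_key(obj, wanted):
    """Case-insensitive search for a key anywhere in parsed JSON (DumpIt's exact
    layout is not given on the page, so the lookup is schema-agnostic)."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            if k.lower() == wanted.lower():
                return v
        obj = list(obj.values())
    if isinstance(obj, list):
        for child in obj:
            found = find_key(child, wanted)
            if found is not None:
                return found
    return None

def sha256_file(path, chunk_size=1 << 20):
    """Hash in 1 MiB chunks; a memory image can be many GB."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_dump(dmp_path, json_path):
    """Compare the sha256 recorded in the JSON with the DMP's actual hash.
    Returns (matches, recorded, computed)."""
    with open(json_path, "r", encoding="utf-8") as f:
        recorded = find_key(json.load(f), "sha256")
    if recorded is None:
        raise ValueError("no sha256 entry found in %s" % json_path)
    computed = sha256_file(dmp_path)
    return computed.lower() == str(recorded).lower(), recorded, computed

def demo(tamper=False):
    """Constructed example: a tiny fake dump and its JSON sidecar in a temp dir.
    With tamper=True one byte of the dump is flipped after the hash is recorded."""
    dmp = Path(tempfile.mkdtemp()) / "DESKTOP-EXAMPLE-20240101-120000.dmp"  # constructed name
    dmp.write_bytes(b"PAGEDUMP" + b"\x00" * 4096)
    # Hypothetical key layout: the page does not show DumpIt's actual JSON structure.
    meta = {"fileInfo": {"size": dmp.stat().st_size, "sha256": sha256_file(dmp)}}
    dmp.with_suffix(".json").write_text(json.dumps(meta), encoding="utf-8")
    if tamper:  # corrupt one byte at offset 100 to simulate a damaged copy
        dmp.write_bytes(dmp.read_bytes()[:100] + b"\xff" + dmp.read_bytes()[101:])
    return verify_dump(dmp, dmp.with_suffix(".json"))
```

Run `verify_dump` against the real DMP/JSON pair on the external drive, and record both hashes in the acquisition notes; a mismatch means the copy must not be relied on.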