Forum Discussion

Sankaperera
Copper Contributor
Apr 04, 2024
Solved

How to generate a memory dump using Live response

Hi All, I want to get a memory dump using Defender Live Response. I am using the DumpIT.exe file. When I execute Run DumpIT.exe I am getting the below errors. Any idea would be greatly appreciated. ...
  • DylanInfosec
    Apr 07, 2024

    Hi Sankaperera,

    I highly recommend reading through the two articles linked on this GitHub page: Remote collection of Windows Forensic Artifacts using KAPE and MDE

    Kape in MDE - GitHub

    Be sure to read them thoroughly so as to understand how it all works. IIRC I had to modify a few bits (I'll check tomorrow). It works like a charm though. Build the collector, push the kape zip, send the collection command and profit!


    Keep in mind Live Response does have limitations you may hit if you're expecting to pull full memory images. See here: Live Response limitations 

    • Live response sessions are limited to 25 live response sessions at a time.
    • Live response session inactive timeout value is 30 minutes.
    • Individual live response commands have a time limit of 10 minutes, with the exception of getfile, findfile, and run, which have a limit of 30 minutes.
    • A user can initiate up to 10 concurrent sessions.
    • A device can only be in one session at a time.
    • The following file size limits apply:
      • getfile limit: 3 GB
      • fileinfo limit: 30 GB
      • library limit: 250 MB


    There's another project I've read about but have never personally used and therefore can't vouch for. Nevertheless, it looks promising. The project description reads: "A collection of powershell scripts that are designed to be ran from a Microsoft Defender for Endpoint Live Response terminal, utilizing open-source tools, such as Kape (Kroll Artifact Parser and Extractor), to forensically acquire and process necessary artifact used in compromise assessments. Additional scripts provide pre-processing automation …"

    SAP: MDE Forensic-Artifact-Automation 


    Happy hunting!

    - Dylan
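The getfile limit quoted in the answer above is the one that bites when the collection is a full memory image. The following PowerShell script is an added example, not Dylan's code and not part of either linked project; it assumes it is uploaded to the Live Response library and invoked with `run`, and it splits a collection larger than the 3 GB getfile limit into chunks with a SHA-256 per chunk and for the whole file (all paths are placeholders).

```powershell
# Added example: split a large collection (memory image, KAPE zip) into chunks
# that fit under the 3 GB Live Response getfile limit and record SHA-256 hashes
# so the reassembled file can be verified on the analysis host.
# Assumed invocation: pushed to the library, then `run split-collection.ps1`.
param(
    [Parameter(Mandatory)][string]$Path,   # placeholder, e.g. C:\Temp\collection.zip
    [string]$OutDir = "C:\Temp\chunks",    # placeholder output folder
    [long]$ChunkBytes = 2GB                # stays comfortably under the 3 GB limit
)

$ErrorActionPreference = 'Stop'
$file = Get-Item -LiteralPath $Path
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

if ($file.Length -le $ChunkBytes) {
    Write-Output "File is $($file.Length) bytes; one getfile is enough, no split needed."
    return
}

$manifest = @()
$manifest += [pscustomobject]@{ Part = $file.FullName; Bytes = $file.Length
                                SHA256 = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash }
$buffer = New-Object byte[] (64MB)
$in = [System.IO.File]::OpenRead($file.FullName)
try {
    $index = 0
    while ($in.Position -lt $in.Length) {
        $chunkPath = Join-Path $OutDir ("{0}.part{1:D3}" -f $file.Name, $index)
        $out = [System.IO.File]::Create($chunkPath)
        $written = 0L
        try {
            # Copy until the chunk is full or the source is exhausted.
            while ($written -lt $ChunkBytes) {
                $want = [int][Math]::Min($buffer.Length, $ChunkBytes - $written)
                $read = $in.Read($buffer, 0, $want)
                if ($read -le 0) { break }
                $out.Write($buffer, 0, $read)
                $written += $read
            }
        } finally { $out.Dispose() }
        $hash = (Get-FileHash -LiteralPath $chunkPath -Algorithm SHA256).Hash
        $manifest += [pscustomobject]@{ Part = $chunkPath; Bytes = $written; SHA256 = $hash }
        $index++
    }
} finally { $in.Dispose() }

# The manifest travels with the chunks; re-hash after reassembly and compare.
$manifest | Export-Csv -LiteralPath (Join-Path $OutDir 'manifest.csv') -NoTypeInformation
$manifest | Format-Table -AutoSize
```

Pull each part and manifest.csv with getfile, then on the analysis host concatenate the parts in order (for example `cmd /c copy /b collection.zip.part000+collection.zip.part001 collection.zip`) and check the SHA-256 of the result against the first manifest row.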
