Overview

Winpmem Documentation

Documentation

This is the winpmem documentation.

Overview

WinPmem is developed as part of the AFF4 imager project. AFF4 is an advanced, open forensic imaging format. The format has been …

Acquiring Memory

Acquiring memory using WinPmem is a very simple process: F:\>winpmem.exe -o test.aff4 -dd 2019-05-17 02:26:22 I This is The WinPmem …

Acquiring Files

The WinPmem imager can also acquire multiple files into the AFF4 volume. These can be devices (such as disks using /dev/sda) or logical …

Inspecting AFF4 volumes

AFF4 volumes are based around the common Zip compression standard (for large volumes we use Zip64 extensions). Therefore it is possible to …

Extracting streams from AFF4 volumes

Analysis tools which already support AFF4 will be able to use the AFF4 image directly, but sometimes you may come across a tool which does …