
Profile: modules/memory/dumps.toml

Source

  • Original path: profiles/modules/memory/dumps.toml

Profile (TOML)

# Memory Dumps Module
# Collects memory dump files for forensic analysis.
#
# Every [[patterns]] entry in this profile is a regex (type = "regex") applied
# with case-insensitive = true. The patterns are written as basic strings, so
# each regex backslash is doubled ("\\."); a literal string ('\.dmp$') would
# express the same regex without the double escaping.
#
# Dump files are raw RAM contents: credentials, key material and decrypted data
# of whatever was running at the time. Collected output therefore needs the same
# access controls as the source host's memory. Complete dumps (MEMORY.DMP,
# .vmem, .sav) can be as large as the physical RAM of the machine or VM, so
# collection size is dominated by this module.
#   NOTE(review): no size cap or exclusion key is visible in this profile;
#   confirm whether the profile schema supports one.

[module]
name = "Memory Dumps"
description = "Memory dump files (crash dumps, core dumps, process dumps)"
category = "memory"
# The module is enabled on all three platforms; the entries below are grouped
# by platform through their section comments, not through a per-pattern key.
platform = ["windows", "linux", "macos"]
priority = "critical"

# Windows Memory Dumps
# Overlap note: "Windows Mini Dump" (\.dmp$, case-insensitive) already matches
# every file the other three entries in this section and the "WER Dump" entry
# match, because all of those patterns end in ".dmp". The narrower entries only
# attach a more specific name to the hit; if the consumer records a single label
# per file, which label wins depends on its matching order (not visible here).
[[patterns]]
  # Typically %SystemRoot%\MEMORY.DMP, the kernel or complete dump written at a
  # bugcheck. Anchored on the file name only, so any directory is accepted.
  name = "Windows Memory Dump"
  pattern = "MEMORY\\.DMP$"
  case-insensitive = true
  type = "regex"

[[patterns]]
  # Any ".dmp" file whatsoever: minidumps, live kernel reports, user-mode
  # process dumps, dumps dropped by debugging tools. Broadest entry in the file.
  name = "Windows Mini Dump"
  pattern = "\\.dmp$"
  case-insensitive = true
  type = "regex"

[[patterns]]
  # "KERNEL" or "MINI" may appear anywhere before the extension; ".*" spans
  # path separators, so a file under a "Minidump" directory also matches
  # (assuming the consumer matches against the full path, not the basename).
  name = "Windows Kernel Dump"
  pattern = "(?:KERNEL|MINI).*\\.DMP$"
  case-insensitive = true
  type = "regex"

[[patterns]]
  # Same shape as above for names or directories containing "FULL".
  name = "Windows Complete Memory Dump"
  pattern = "FULL.*\\.DMP$"
  case-insensitive = true
  type = "regex"

# Windows WER (Windows Error Reporting)
[[patterns]]
  # ".dmp" files with "WER" or "Report" somewhere earlier in the path, i.e. the
  # dumps stored inside a WER report folder. Fully covered by the broader
  # "Windows Mini Dump" entry; kept for the more descriptive label.
  name = "WER Dump"
  pattern = "(?:WER|Report).*\\.dmp$"
  case-insensitive = true
  type = "regex"

[[patterns]]
  # Report.wer is the report's metadata file, not a memory dump. It is worth
  # collecting because it ties a dump to the faulting process and module.
  name = "WER Report"
  pattern = "Report\\.wer$"
  case-insensitive = true
  type = "regex"

# Windows Crash Dumps Directory
[[patterns]]
  # Unanchored substring match: any path containing "minidump" or "crashdumps"
  # (case-insensitive) hits. This is what pulls in whole directories such as
  # %SystemRoot%\Minidump\ and the per-user CrashDumps folder used by WER
  # LocalDumps — including any non-dump file that happens to live under them.
  name = "Windows Crash Dumps"
  pattern = "(?:Minidump|CrashDumps)"
  case-insensitive = true
  type = "regex"

# Linux Core Dumps
[[patterns]]
  # A final path component named exactly "core" or "core.<digits>" (the classic
  # kernel core_pattern defaults). There is no file-vs-directory distinction in
  # the regex, so a directory named "core" (common in source trees and Python
  # site-packages) matches as well if the consumer feeds directory paths.
  # Case-insensitive matching also accepts "Core" and "CORE".
  #   NOTE(review): systemd-coredump stores dumps under /var/lib/systemd/coredump/
  #   as core.<comm>.<uid>.<boot-id>.<pid>.<timestamp>, usually compressed
  #   (.zst/.lz4/.xz). Neither entry in this section matches that naming; confirm
  #   whether that store is meant to be covered.
  name = "Linux Core Dump"
  pattern = "(?:^|[/])core(?:\\.[0-9]+)?$"
  case-insensitive = true
  type = "regex"

[[patterns]]
  # Unanchored variant of the numbered form above. Every "core.<n>" the first
  # entry finds is found here too, so this entry only widens the match — to
  # names such as "hardcore.1" or "score.42" — rather than adding coverage.
  name = "Linux Coredump Pattern"
  pattern = "core\\.[0-9]+$"
  case-insensitive = true
  type = "regex"

# macOS Crash Reports
# These are text reports produced by the macOS crash reporter, not raw memory
# images. They normally live under /Library/Logs/DiagnosticReports and
# ~/Library/Logs/DiagnosticReports, which the directory match at the end of
# this section collects wholesale.
#   NOTE(review): recent macOS releases write crash and panic reports as ".ips"
#   files; of the entries here only the "DiagnosticReports" directory match
#   would catch those.
[[patterns]]
  # Also matches Apport reports under /var/crash on Ubuntu-style Linux hosts,
  # despite the macOS label.
  name = "macOS Crash Report"
  pattern = "\\.crash$"
  case-insensitive = true
  type = "regex"

[[patterns]]
  # Kernel panic reports.
  name = "macOS Panic Report"
  pattern = "\\.panic$"
  case-insensitive = true
  type = "regex"

[[patterns]]
  # Hang reports (application not responding).
  name = "macOS Hang Report"
  pattern = "\\.hang$"
  case-insensitive = true
  type = "regex"

[[patterns]]
  # Spin reports (spinning-cursor samples).
  name = "macOS Spin Report"
  pattern = "\\.spin$"
  case-insensitive = true
  type = "regex"

[[patterns]]
  # Unanchored substring match: every path containing "diagnosticreports"
  # (case-insensitive) hits, so the full contents of those directories —
  # whatever the extension — are collected.
  name = "macOS Diagnostic Reports"
  pattern = "DiagnosticReports"
  case-insensitive = true
  type = "regex"

# Process Memory Dumps
[[patterns]]
  # ".pdmp" extension only. Process dumps written with a ".dmp" extension
  # (Task Manager, procdump-style tools) are already matched by the
  # "Windows Mini Dump" entry above.
  name = "Process Dump"
  pattern = "\\.pdmp$"
  case-insensitive = true
  type = "regex"

# Raw Memory Images (specific patterns to avoid false positives)
[[patterns]]
  # Requires one of the listed words somewhere before a ".raw" or ".mem"
  # extension, which keeps generic ".raw" files (camera images, disk images)
  # out of the collection. The word list is not anchored to a path separator,
  # though, and "ram" is a short substring: a ".raw"/".mem" file anywhere
  # under a "Program Files", "frame" or "parameters" directory also matches.
  #   NOTE(review): if the consumer's regex engine supports it, bounding the
  #   short alternative (e.g. requiring a separator or start-of-string before
  #   "ram") would make the pattern as specific as the section comment claims.
  name = "Raw Memory Image"
  pattern = "(?:memory|memdump|ram|physmem).*\\.(?:raw|mem)$"
  case-insensitive = true
  type = "regex"

# Volatility-compatible formats
[[patterns]]
  # LiME (Linux Memory Extractor) acquisition output.
  name = "Lime Memory Dump"
  pattern = "\\.lime$"
  case-insensitive = true
  type = "regex"

[[patterns]]
  # VMware guest physical memory as written at suspend or snapshot time.
  #   NOTE(review): the companion .vmss (suspend) / .vmsn (snapshot) file
  #   describes the layout of the .vmem; it is not matched by this profile,
  #   so analysis tooling may need it collected separately.
  name = "VMware Snapshot Memory"
  pattern = "\\.vmem$"
  case-insensitive = true
  type = "regex"

[[patterns]]
  # VirtualBox saved-state file, which holds the full guest RAM. The entry
  # matches on extension alone, and ".sav" is also a common extension for
  # save-game and statistics files, so unrelated hits are expected; the
  # VirtualBox file normally sits inside the VM's own directory.
  name = "VirtualBox Memory"
  pattern = "\\.sav$"
  case-insensitive = true
  type = "regex"