Acquisition of Memory Strings

Getting process memory onto disk for analysis is a straightforward operation — but picking the right method for the right situation makes a real difference. A full physical dump captures everything; a targeted process dump is faster and quieter. Below are three practical extraction approaches used in live triage and post-incident analysis.

Method 1 — Full Memory Dumps (.dmp)

A full dump captures the entire physical RAM of the system into a single file. Every running process, kernel structure, cached page and network buffer is preserved. This is the most comprehensive option and the preferred approach when you have the time and disk space.

Task Manager can produce a per-process dump directly: open the Details tab, right-click the target process and select "Create dump file". The resulting .dmp ends up in the current user's temp directory. This does not require any additional tooling but is limited to single-process snapshots and requires interactive access.

For full physical memory acquisition, tools like Magnet RAM Capture and Belkasoft Live RAM Capturer write the complete contents of physical RAM to a raw or proprietary format. These tools are designed to minimise their own memory footprint during acquisition and run with minimal system interaction, making them appropriate for field triage. The resulting image is then processed offline with analysis frameworks such as Volatility or Rekall.

Full dumps are large — equal to the installed RAM. On modern systems this is routinely 16 GB or more. Ensure your target storage medium has the capacity and that the acquisition is completed before the system changes state significantly.

Method 2 — Live Memory String Extraction

Full dumps are not always feasible under time pressure or when you only need strings from specific processes. Live extraction reads process memory directly while the system is running and outputs the printable strings immediately, without writing the full binary dump to disk.

VortexViewer supports live process memory string extraction natively. Select any running process from the integrated process list and VortexViewer reads its virtual address space in real time, extracts all ASCII and Unicode strings above the configured minimum length and presents them in a searchable, filterable interface. No intermediate dump file is required. This is particularly useful during rapid triage when you need to quickly assess whether a suspicious process contains indicators of compromise — C2 strings, decrypted payloads, credential material — without committing to a full acquisition workflow.

Live extraction captures only what is resident in memory at that exact moment. Paged-out regions are not accessible without a full dump. Time your acquisition accordingly when targeting processes that decrypt and re-encrypt their working buffers.

Method 3 — Command-Line String Extraction

For scriptable, repeatable or automated triage workflows, command-line tooling extracts strings from dump files without a GUI. Two well-established options are strings2 and bstrings.

strings2 extends the classic Unix strings concept for Windows. It supports both ASCII and Unicode extraction, configurable minimum string length and can target a live process by PID directly — no prior dump required. Output is plain text, suitable for piping into grep or any text processing pipeline.

bstrings by Eric Zimmerman takes a more structured approach. In addition to ASCII and Unicode extraction, it allows targeted regex searching against the extracted output in a single pass. This is efficient when hunting for specific patterns — IP address formats, URL structures, registry key paths or email addresses — across large dump files. bstrings supports both file-based and piped input and produces output that integrates cleanly with the rest of Eric Zimmerman's broader forensic toolset.

Both tools are operated from PowerShell or cmd.exe, accept a file path or PID as input and write results to stdout or a specified output file. They are appropriate for inclusion in triage scripts, SIEM pipelines or evidence processing workflows where automation matters more than interactive exploration.
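To make the mechanics of Methods 2 and 3 concrete, here is a small Python model of what a string extractor does: it scans a byte buffer for printable ASCII runs and for UTF-16LE runs (the Windows "Unicode" strings the tools above refer to) at or above a minimum length, records the byte offset and encoding of each hit, and then applies a regex pattern set to the extracted strings in a single pass, the way bstrings' pattern search works. This is an added example, not code from VortexViewer, strings2 or bstrings; the `SAMPLE_MEMORY` buffer is constructed by hand to stand in for a slice of process memory, and the `PATTERNS` table is a hypothetical, deliberately small pattern library.

```python
"""Minimal ASCII/UTF-16LE string extractor with one-pass regex hunting.

Added example: a model of what memory-string tools do, not any tool's own code.
"""
import mmap
import re
import sys
from typing import Dict, List, Tuple

# One extracted string: (byte offset in the buffer, encoding tag, decoded text)
Hit = Tuple[int, str, str]

# Hypothetical pattern library standing in for a tool's built-in regex set.
PATTERNS: Dict[str, "re.Pattern"] = {
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"https?://[^\s\"'<>]+"),
    "email": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "regkey": re.compile(r"\b(?:HKLM|HKCU|HKCR|HKU|HKCC)\\[^\x00]+"),
}

# Constructed sample buffer (not a real dump): ASCII and UTF-16LE strings
# separated by non-printable bytes, plus two runs too short to report.
SAMPLE_MEMORY = (
    b"\x00\x00MZ\x90\x00"
    + b"https://c2.example.invalid/beacon" + b"\x00\x01\x02"
    + "admin@example.invalid".encode("utf-16-le") + b"\x00\x00"
    + b"ab\x00"
    + b"\x7f\x10" + b"10.0.0.5:443" + b"\x00\x00"
    + "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run".encode("utf-16-le")
    + b"\x00\x00"
)


def extract_strings(data, min_len: int = 4) -> List[Hit]:
    """Return printable ASCII and UTF-16LE runs of at least min_len characters.

    Both passes are regex scans over the raw bytes (a bytes object or an mmap),
    so the alignment of UTF-16 data does not matter. Results are offset-sorted.
    """
    if min_len < 1:
        raise ValueError("min_len must be >= 1")
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    hits: List[Hit] = []
    for m in ascii_re.finditer(data):
        hits.append((m.start(), "ascii", bytes(m.group()).decode("ascii")))
    for m in utf16_re.finditer(data):
        hits.append((m.start(), "utf16le", bytes(m.group()).decode("utf-16-le")))
    hits.sort(key=lambda h: h[0])
    return hits


def hunt(hits: List[Hit], pattern: "re.Pattern") -> List[Hit]:
    """Apply one regex to every extracted string; returns (offset, encoding, match)."""
    found: List[Hit] = []
    for off, enc, text in hits:
        for m in pattern.finditer(text):
            found.append((off, enc, m.group()))
    return found


def hunt_all(hits: List[Hit]) -> Dict[str, List[Hit]]:
    """Run every pattern in PATTERNS over the hits in a single pass over the data."""
    return {name: hunt(hits, pat) for name, pat in PATTERNS.items()}


def extract_from_file(path: str, min_len: int = 4) -> List[Hit]:
    """Scan a dump file via mmap so multi-GB images are not read into memory at once."""
    with open(path, "rb") as f:
        with mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as mm:
            return extract_strings(mm, min_len)


if __name__ == "__main__":
    # Usage: python extract.py [dump_file] [min_len]; no file means the sample buffer.
    min_len = int(sys.argv[2]) if len(sys.argv) > 2 else 4
    results = extract_from_file(sys.argv[1], min_len) if len(sys.argv) > 1 \
        else extract_strings(SAMPLE_MEMORY, min_len)
    for off, enc, text in results:
        print(f"0x{off:08x} {enc:8s} {text}")
    for name, matches in hunt_all(results).items():
        for off, enc, match in matches:
            print(f"[{name}] 0x{off:08x} {enc:8s} {match}")
```

Run without arguments it prints the four strings in the sample buffer with their offsets and encodings, then the IPv4, URL, e-mail and registry-key matches; pass a path to scan a real .dmp through mmap. Note that the minimum length applies per character, not per byte, so a 4-character UTF-16LE string occupies 8 bytes; lowering `min_len` to 2 surfaces short runs such as the "MZ" header signature, which is usually noise rather than signal.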