Step 1 - Register
To analyze dumps, an account must first be registered on the Comae platform. Each user must be registered under the same email as their Magnet Idea Lab email account.
Comae Support sends an email requesting confirmation of the registered email address. If no email arrives within a reasonable time, check the spam folder or add firstname.lastname@example.org to your contacts or address book. Direct questions to email@example.com for a prompt response.
Step 2 - Download DumpIt
Each user must download and install the Comae-Toolkit. Click on Download Comae Toolkit on the Dashboard.
Once clicked, a compressed (zip) file downloads to your machine.
After the download is complete, navigate to the folder where it resides (typically the Downloads folder) and extract the contents of the compressed file to the default location or one of your choosing.
A folder named Comae-Toolkit- is created containing a license file, a readme file and two folders of executables for x86, x64 and ARM64-based operating systems.
System Type information is located on Windows machines in Control Panel/System. Most modern Windows machines can run either type, however.
DumpIt is part of the Comae Toolkit which includes multiple memory related utilities.
Step 3 - Run DumpIt
Running the Comae DumpIt utility with the /Q (quiet) option automatically answers confirmation prompts, such as Proceed with the acquisition? [y/n], so memory acquisition can run unattended from a script.
Windows Scheduled Tasks can be set up to run DumpIt on a schedule and build a historical record of machine activity over time. Doing so enables retro-hunting investigations.
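Added example (not Comae's own code): a PowerShell wrapper for the scheduled, unattended acquisition described above. It assumes the toolkit path and archive root shown in the parameters, and that DumpIt writes its .dmp into the current directory when no output option is given (only /Q is taken from the page); it also refuses to run when the target volume lacks room for a full dump and records a SHA-256 of each file for later verification.

```powershell
# Added example, not Comae's code. Run once with -Register to create the daily
# task; the task then runs this same script without -Register to take a snapshot.
param(
    [switch]$Register,
    [string]$DumpIt  = 'C:\Tools\Comae-Toolkit\x64\DumpIt.exe',   # assumed install path
    [string]$OutRoot = 'D:\MemorySnapshots'                        # assumed archive root
)

function Invoke-DumpItSnapshot {
    # A full memory dump is roughly the size of physical RAM; refuse to run when the
    # target volume cannot hold it, otherwise the image is truncated and useless.
    New-Item -ItemType Directory -Path $OutRoot -Force | Out-Null
    $ramBytes  = (Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory
    $drive     = (Split-Path -Qualifier $OutRoot).TrimEnd(':')
    $freeBytes = (Get-PSDrive $drive).Free
    if ($freeBytes -lt ($ramBytes * 1.1)) {
        throw "Need ~$([math]::Round($ramBytes/1GB,1)) GB free on ${drive}:, have $([math]::Round($freeBytes/1GB,1)) GB"
    }
    $stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
    $outDir = Join-Path $OutRoot "$env:COMPUTERNAME-$stamp"
    New-Item -ItemType Directory -Path $outDir -Force | Out-Null

    # /Q answers the "Proceed with the acquisition? [y/n]" prompt, so no operator is needed.
    # Assumption: DumpIt writes its output into the current directory.
    Push-Location $outDir
    try { & $DumpIt /Q | Out-Null } finally { Pop-Location }

    # Hash every produced file so the copy uploaded to Comae can be checked
    # against what was actually acquired on the host.
    Get-ChildItem $outDir -File | ForEach-Object {
        $h = Get-FileHash $_.FullName -Algorithm SHA256
        "$($h.Hash)  $($_.Name)" | Add-Content (Join-Path $outDir 'SHA256SUMS.txt')
    }
    return $outDir
}

function Register-DumpItTask {
    # Acquisition needs kernel access, so the task runs as SYSTEM at highest run level.
    $action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
                 -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$PSCommandPath`" -DumpIt `"$DumpIt`" -OutRoot `"$OutRoot`""
    $trigger   = New-ScheduledTaskTrigger -Daily -At '02:00'
    $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
    Register-ScheduledTask -TaskName 'Comae-DumpIt-Daily' -Action $action -Trigger $trigger -Principal $principal -Force
}

if ($Register) { Register-DumpItTask } else { Invoke-DumpItSnapshot }
```

Each run leaves a timestamped folder under the archive root with the dump and a SHA256SUMS.txt beside it, which is what the upload step in Step 4 consumes.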
Step 4 - Upload your image
The Comae platform manages the uploaded snapshots and the information contained within the files generated by DumpIt.
Users can upload the following to the Comae platform:
- Microsoft crash dump files (Full memory dumps generated by DumpIt or process dumps generated by administrative utilities such as Sysinternals Process Explorer or Microsoft Windows Task Manager.)
- Dump files can be uncompressed (*.dmp) or compressed (Only .zip archives are supported)
Step 5 - Results
When your snapshot is finished uploading you will see it automatically processed in the “Latest Snapshots” section at the bottom.
Click on the snapshot in the bottom pane. This will take you to the results view where you can review Processes, Drivers, Syscalls, Objects, Registry and Callbacks within the memory snapshot.