CyberDefenseInstitute · herosi · Jun 2, 2021 · Apr 22, 2022
diff --git a/CDIR/CDIR.cpp b/CDIR/CDIR.cpp
@@ -76,7 +76,8 @@ param_prefdump = true,
 param_regdump = true,
 param_webdump = true,
 param_wmidump = true,
-param_srumdump = true;
+param_srumdump = true,
+param_swapdump = true;
 
 string param_output;
 
@@ -744,6 +745,8 @@ int get_analysisdata(ostringstream *osslog = NULL) {
 	// collect somefiles
 
 	// order of collection
+	// pagefile.sys
+	// swapfile.sys
 	// $MFT
 	// $SECURE
 	// $UsnJrnl:$J (skip beginning sparse data)
@@ -764,7 +767,6 @@ int get_analysisdata(ostringstream *osslog = NULL) {
 	//  * History
 	// * C:\Users\[user]\AppData\Local\Microsoft\Windows\WebCache\
 	// 
-	// pagefile.sys
 
 	PVOID oldval = NULL;
 	Wow64DisableWow64FsRedirection(&oldval);
@@ -774,6 +776,29 @@ int get_analysisdata(ostringstream *osslog = NULL) {
 	char srcpath[MAX_PATH + 1];
 	char dstpath[MAX_PATH + 1];
 
+	if (param_swapdump == true) {
+
+		sprintf(srcpath, "%s\\pagefile.sys", osvolume);
+		sprintf(dstpath, "pagefile.sys");
+
+		if (!StealthGetFile(srcpath, dstpath, osslog, false)) {
+			cerr << msg("ページファイル 取得完了 ", "Pagefile was saved ") << srcpath << endl;
+		}
+		else {
+			cerr << msg("ページファイル 取得失敗 ", "failed to save pagefile ") << srcpath << endl;
+		}
+
+		sprintf(srcpath, "%s\\swapfile.sys", osvolume);
+		sprintf(dstpath, "swapfile.sys");
+
+		if (!StealthGetFile(srcpath, dstpath, osslog, false)) {
+			cerr << msg("ページファイル (UWP用) 取得完了 ", "Pagefile for UWP was saved ") << srcpath << endl;
+		}
+		else {
+			cerr << msg("ページファイル (UWP用) 取得失敗 ", "failed to save pagefile for UWP ") << srcpath << endl;
+		}
+	}
+
 	if (param_mftdump || param_securedump || param_usndump) {
 		mkdir("NTFS");
 	}
@@ -1271,7 +1296,8 @@ int main(int argc, char **argv)
 			{{"Registry", "レジストリ", "Registry"}, &param_regdump},
 			{{"WMI", "WMI", "WMI"}, &param_wmidump},
 			{{"SRUM", "SRUM", "SRUM" }, &param_srumdump},
-			{{"Web", "ブラウザ", "Web"}, &param_webdump}
+			{{"Web", "ブラウザ", "Web"}, &param_webdump},
+			{{"Swap", "スワップファイル", "Swap"}, &param_swapdump}
 		};
 
 		for (size_t i = 0; i < params.size(); i++) {

diff --git a/CDIR/ConfigParser.h b/CDIR/ConfigParser.h
@@ -31,6 +31,7 @@ struct c_ignorecase:std::binary_function<string, string, bool> {
 
 static map<string, TYPE_ID, c_ignorecase> CONFIGLIST = {
 	{"MemoryDump", TYPE_BOOL},
+	{"Swap", TYPE_BOOL},
 	{"MFT", TYPE_BOOL},
 	{"Secure", TYPE_BOOL},
 	{"UsnJrnl", TYPE_BOOL},

diff --git a/CDIR/cdir.ini b/CDIR/cdir.ini
@@ -8,7 +8,10 @@ Registry = true
 WMI = true
 SRUM = true
 Web = true
+Swap = true
 ;Target = G:\
+MemoryDumpCmdline = winpmem_mini_x64_rc2.exe physmem.raw
+;MemoryDumpCmdline = winpmem_mini_x86.exe physmem.raw
 ;MemoryDumpCmdline = winpmem-2.1.post4.exe --output RAM.aff4
 ;MemoryDumpCmdline = DumpIt.exe /Q /N /T DMP /O RAM.dmp
 ;MemoryDumpCmdline = RamCapture64.exe RAM.raw

diff --git a/CDIR/winpmem_mini_x64_rc2.exe b/CDIR/winpmem_mini_x64_rc2.exe
diff --git a/CDIR/winpmem_mini_x86.exe b/CDIR/winpmem_mini_x86.exe