Crash Dump Information

Overview

Evidence: Crash Dump Information
Description: Collect information about crash dumps
Category: System
Platform: windows
Short Name: cdi
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No

Background

When Windows encounters a critical error (a bug check, shown as the BSOD), it can write crash dump files containing system memory and diagnostic information. These dumps come in different formats:

  • Full memory dump (MEMORY.DMP): Complete physical memory

  • Kernel dump: Kernel memory only

  • Minidumps: Small dumps with essential information

Crash dump locations are configured in the registry under HKLM\SYSTEM\CurrentControlSet\Control\CrashControl.

Data Collected

This collector gathers structured data about the crash dump files configured on the system, one record per dump file found.

Crash Dump Information Data

Field          Description                 Example
-----          -----------                 -------
Path           Full path to crash dump     C:\Windows\MEMORY.DMP
Minidump       Whether this is a minidump  FALSE
FileModified   Last modified timestamp     2023-10-15T14:30:00
FileAccessed   Last accessed timestamp     2023-10-15T15:45:00
FileCreated    Creation timestamp          2023-10-15T14:30:00

Collection Method

This collector:

  • Reads crash dump configuration from registry:

    • HKLM\SYSTEM\CurrentControlSet\Control\CrashControl - DumpFile value

    • HKLM\SYSTEM\CurrentControlSet\Control\CrashControl - MinidumpDir value

  • Catalogs dump files (actual collection of large dumps may be optional)

  • Records dump file metadata and timestamps
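The collection steps above, as an added PowerShell example (not the collector's own code): it reads DumpFile and MinidumpDir from CrashControl, falls back to the Windows defaults when a value is absent, and catalogs each dump with the same fields as the table above. Function and variable names are my own.

```powershell
# Added example: enumerate configured crash-dump locations and catalog the
# dump files found there. Names here are illustrative, not the collector's.
function Get-CrashDumpInventory {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
    $cfg = Get-ItemProperty -Path $key -ErrorAction Stop

    # Both values are normally REG_EXPAND_SZ (e.g. %SystemRoot%\MEMORY.DMP).
    # Get-ItemProperty expands them already; expanding again is harmless and
    # also covers values that were written as plain REG_SZ. Missing values
    # fall back to the Windows defaults.
    $dumpFile = [Environment]::ExpandEnvironmentVariables(
        $(if ($cfg.DumpFile) { $cfg.DumpFile } else { '%SystemRoot%\MEMORY.DMP' }))
    $miniDir = [Environment]::ExpandEnvironmentVariables(
        $(if ($cfg.MinidumpDir) { $cfg.MinidumpDir } else { '%SystemRoot%\Minidump' }))

    $candidates = @()
    if (Test-Path -LiteralPath $dumpFile -PathType Leaf) {
        $candidates += [pscustomobject]@{ Item = Get-Item -LiteralPath $dumpFile; Minidump = $false }
    }
    if (Test-Path -LiteralPath $miniDir -PathType Container) {
        Get-ChildItem -LiteralPath $miniDir -Filter '*.dmp' -File | ForEach-Object {
            $candidates += [pscustomobject]@{ Item = $_; Minidump = $true }
        }
    }

    # Only metadata is recorded; the dump contents themselves are not copied,
    # matching "Collect File(s): No" for this collector.
    foreach ($c in $candidates) {
        [pscustomobject]@{
            Path         = $c.Item.FullName
            Minidump     = $c.Minidump
            SizeBytes    = $c.Item.Length
            FileModified = $c.Item.LastWriteTimeUtc.ToString('s')
            FileAccessed = $c.Item.LastAccessTimeUtc.ToString('s')
            FileCreated  = $c.Item.CreationTimeUtc.ToString('s')
        }
    }
}

# Sorting by creation time lets an analyst line the crashes up against the
# rest of the incident timeline (driver installs, service starts, alerts).
Get-CrashDumpInventory | Sort-Object FileCreated | Format-Table -AutoSize
```

Timestamps are emitted in UTC so they can be compared directly with other evidence sources; the page's examples are shown without a zone, so confirm which convention the collector you are correlating against uses.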

Forensic Value

Crash dumps can reveal system instability issues and rootkit behavior. Investigators use this data to analyze system crash causes, detect rootkit-induced crashes, identify driver bugs or exploitation, analyze kernel memory state, and correlate crashes with malware activity.
