# Crash Dump Information

## Overview

**Evidence:** Crash Dump Information\
**Description:** Collect information about crash dumps\
**Category:** System\
**Platform:** windows\
**Short Name:** cdi\
**Is Parsed:** Yes\
**Sent to Investigation Hub:** Yes\
**Collect File(s):** No

## Background

When Windows encounters a critical error (BSOD), it can create crash dump files containing system memory and diagnostic information. These dumps come in different formats:

* Full memory dump (MEMORY.DMP): Complete physical memory
* Kernel dump: Kernel memory only
* Minidumps: Small dumps with essential information

Crash dump locations are configured in the registry under `HKLM\SYSTEM\CurrentControlSet\Control\CrashControl`.

## Data Collected

This collector produces one record per crash dump file it finds, using the fields below; the dump contents themselves are not collected.

### Crash Dump Information Data

| Field          | Description                | Example               |
| -------------- | -------------------------- | --------------------- |
| `Path`         | Full path to crash dump    | C:\Windows\MEMORY.DMP |
| `Minidump`     | Whether this is a minidump | FALSE                 |
| `FileModified` | Last modified timestamp    | 2023-10-15T14:30:00   |
| `FileAccessed` | Last accessed timestamp    | 2023-10-15T15:45:00   |
| `FileCreated`  | Creation timestamp         | 2023-10-15T14:30:00   |

## Collection Method

This collector:

* Reads the crash dump configuration from the registry:
  * `HKLM\SYSTEM\CurrentControlSet\Control\CrashControl` - `DumpFile` value (path of the full or kernel dump, by default `%SystemRoot%\MEMORY.DMP`)
  * `HKLM\SYSTEM\CurrentControlSet\Control\CrashControl` - `MinidumpDir` value (directory holding minidumps, by default `%SystemRoot%\Minidump`)
* Catalogs the dump files present at those locations (copying the large dump files themselves is not part of this evidence type and may be optional elsewhere)
* Records each dump file's path, minidump flag, and modified/accessed/created timestamps
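The procedure above, worked through end to end as an added example (this is not the collector's own code): read `DumpFile` and `MinidumpDir` from `CrashControl`, expand their `REG_EXPAND_SZ` values, enumerate the dump files present, and emit one record with the table's five fields per file. The helper names (`read_crash_control`, `catalog_crash_dumps`, `write_constructed_sample`) are this example's own; the registry read uses `winreg` and therefore only runs on Windows, while the constructed sample tree lets the cataloguing logic run anywhere. As a refinement beyond the page, the minidump flag is decided by the file's header signature (`MDMP` for minidumps, `PAGEDUMP`/`PAGEDU64` for full and kernel dumps) and only falls back to the configured location when the header is unrecognised.

```python
"""Catalogue Windows crash dumps as described for the cdi evidence type.

Added example, not the collector's code. Helper names are this example's own.
"""
import ntpath
import sys
import tempfile
from datetime import datetime, timezone
from pathlib import Path
from typing import Dict, List

CRASH_CONTROL = r"SYSTEM\CurrentControlSet\Control\CrashControl"

# Header magic at offset 0 of Windows dump files: full/kernel dumps start with
# PAGEDUMP (32-bit) or PAGEDU64 (64-bit), minidumps with MDMP.
FULL_KERNEL_MAGIC = (b"PAGEDUMP", b"PAGEDU64")
MINIDUMP_MAGIC = b"MDMP"


def read_crash_control() -> Dict[str, str]:
    """Read the raw DumpFile and MinidumpDir values from HKLM (Windows only)."""
    if sys.platform != "win32":
        raise OSError("the registry is only available on Windows")
    import winreg  # Windows-only module, imported lazily

    values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, CRASH_CONTROL) as key:
        for name in ("DumpFile", "MinidumpDir"):
            try:
                values[name] = winreg.QueryValueEx(key, name)[0]  # unexpanded string
            except FileNotFoundError:
                values[name] = ""  # value absent: nothing of that kind configured
    return values


def _timestamp(epoch: float) -> str:
    """Render a stat() time as ISO-8601 (UTC), matching the table's examples."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%S")


def _is_minidump(path: Path, default: bool) -> bool:
    """Classify by header magic; fall back to the configured location otherwise."""
    try:
        with path.open("rb") as fh:
            magic = fh.read(8)
    except OSError:
        return default
    if magic.startswith(MINIDUMP_MAGIC):
        return True
    if magic in FULL_KERNEL_MAGIC:
        return False
    return default


def _record(path: Path, minidump: bool) -> Dict[str, object]:
    """One row of the Crash Dump Information table for a single file."""
    st = path.stat()
    return {
        "Path": str(path),
        "Minidump": minidump,
        "FileModified": _timestamp(st.st_mtime),
        "FileAccessed": _timestamp(st.st_atime),
        # st_ctime is the creation time on Windows (inode change time on POSIX).
        "FileCreated": _timestamp(st.st_ctime),
    }


def catalog_crash_dumps(dump_file: str, minidump_dir: str) -> List[Dict[str, object]]:
    """Build records for the dumps present, without copying the dumps themselves."""
    records: List[Dict[str, object]] = []
    # ntpath.expandvars handles %SystemRoot%-style REG_EXPAND_SZ values on any OS.
    full = Path(ntpath.expandvars(dump_file)) if dump_file else None
    if full is not None and full.is_file():
        records.append(_record(full, _is_minidump(full, default=False)))
    mini = Path(ntpath.expandvars(minidump_dir)) if minidump_dir else None
    if mini is not None and mini.is_dir():
        for child in sorted(mini.glob("*.dmp")):
            if child.is_file():
                records.append(_record(child, _is_minidump(child, default=True)))
    return records


def write_constructed_sample(root: Path) -> Dict[str, str]:
    """Write CONSTRUCTED header-only dump files so the example runs offline.

    Returns the two registry values as read_crash_control() would supply them.
    """
    mini = root / "Minidump"
    mini.mkdir(parents=True, exist_ok=True)
    (root / "MEMORY.DMP").write_bytes(b"PAGEDU64" + b"\0" * 24)  # 64-bit full/kernel header
    (mini / "101523-12345-01.dmp").write_bytes(b"MDMP" + b"\0" * 28)  # minidump header
    (mini / "000000-00000-00.dmp").write_bytes(b"junk")  # unknown header: location decides
    (mini / "notes.txt").write_text("not a dump")  # ignored: not *.dmp
    return {"DumpFile": str(root / "MEMORY.DMP"), "MinidumpDir": str(mini)}


if __name__ == "__main__":
    if sys.platform == "win32":
        cfg = read_crash_control()
    else:
        cfg = write_constructed_sample(Path(tempfile.mkdtemp()))
    for rec in catalog_crash_dumps(cfg["DumpFile"], cfg["MinidumpDir"]):
        print(rec)
```

Run as-is on a Windows host it reads the live `CrashControl` key; elsewhere it catalogues the constructed sample. Because the header check takes precedence over location, a minidump-format file dropped at the `DumpFile` path is still flagged `Minidump: TRUE`, which is the kind of inconsistency between configuration and on-disk artefacts that is worth surfacing during triage.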

## Forensic Value

Crash dumps can reveal system instability issues and rootkit behavior. Investigators use this data to analyze system crash causes, detect rootkit-induced crashes, identify driver bugs or exploitation, analyze kernel memory state, and correlate crashes with malware activity.
