Crash Dump Information
Overview
- Evidence: Crash Dump Information
- Description: Collect information about crash dumps
- Category: System
- Platform: Windows
- Short Name: cdi
- Is Parsed: Yes (dump file locations are parsed)
- Sent to Investigation Hub: Yes
- Collect File(s): No
Background
When Windows encounters a critical error (BSOD), it can create crash dump files containing system memory and diagnostic information. These dumps come in different formats:
- Full memory dump (MEMORY.DMP): complete physical memory
- Kernel dump: kernel memory only
- Minidump: small dump with essential information
Crash dump locations are configured in the registry under HKLM\SYSTEM\CurrentControlSet\Control\CrashControl.
Data Collected
| Field | Description | Example |
| --- | --- | --- |
| Path | Full path to crash dump | C:\Windows\MEMORY.DMP |
| Minidump | Whether this is a minidump | FALSE |
| FileModified | Last modified timestamp | 2023-10-15T14:30:00 |
| FileAccessed | Last accessed timestamp | 2023-10-15T15:45:00 |
| FileCreated | Creation timestamp | 2023-10-15T14:30:00 |
Collection Method
This collector:
- Reads the crash dump configuration from the registry key HKLM\SYSTEM\CurrentControlSet\Control\CrashControl:
  - DumpFile value (location of the full or kernel dump)
  - MinidumpDir value (directory holding minidumps)
- Catalogs the dump files found at those locations (actual collection of large dumps may be optional)
- Records dump file metadata and timestamps
Usage
Crash dumps can reveal system instability issues and rootkit behavior. Investigators use this data to analyze system crash causes, detect rootkit-induced crashes, identify driver bugs or exploitation, analyze kernel memory state, and correlate crashes with malware activity.
Known Limitations
- Dumps may not be configured on all systems
- Full dumps can be very large (equal to RAM size)
- Requires specialized tools for analysis (WinDbg, Volatility)
- Not all crashes produce dumps
Notes
Crash dumps can be analyzed with WinDbg or Volatility to understand crash causes. Multiple crashes in short timeframes may indicate rootkit or driver stability issues.
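The following PowerShell script is an added example, not the collector's own code. It reproduces the Collection Method above (read DumpFile and MinidumpDir from CrashControl, catalog the files, emit the Data Collected fields) and adds a per-day minidump count as a triage aid for the clustered-crash note. The CrashDumpEnabled value and the default paths are standard Windows settings not mentioned on this page; timestamps are emitted in UTC.

```powershell
# Added example, not the collector's own code: read the CrashControl values
# the page names, catalog the dump files they point to, and emit the same
# fields as the Data Collected table. Run in an elevated PowerShell session.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
$cc  = Get-ItemProperty -Path $key -ErrorAction Stop

# DumpFile / MinidumpDir are REG_EXPAND_SZ (e.g. %SystemRoot%\MEMORY.DMP).
# If a value is absent, fall back to the Windows defaults.
$dumpFile    = [Environment]::ExpandEnvironmentVariables(
                 $(if ($cc.DumpFile)    { $cc.DumpFile }    else { '%SystemRoot%\MEMORY.DMP' }))
$minidumpDir = [Environment]::ExpandEnvironmentVariables(
                 $(if ($cc.MinidumpDir) { $cc.MinidumpDir } else { '%SystemRoot%\Minidump' }))

function New-DumpRecord {
    param([System.IO.FileInfo]$File, [bool]$IsMinidump)
    [pscustomobject]@{
        Path         = $File.FullName
        Minidump     = $IsMinidump
        SizeMB       = [math]::Round($File.Length / 1MB, 1)
        FileModified = $File.LastWriteTimeUtc.ToString('s')
        FileAccessed = $File.LastAccessTimeUtc.ToString('s')
        FileCreated  = $File.CreationTimeUtc.ToString('s')
    }
}

$records = @()
if (Test-Path -LiteralPath $dumpFile -PathType Leaf) {
    $records += New-DumpRecord -File (Get-Item -LiteralPath $dumpFile) -IsMinidump $false
}
if (Test-Path -LiteralPath $minidumpDir -PathType Container) {
    foreach ($f in Get-ChildItem -LiteralPath $minidumpDir -Filter '*.dmp' -File) {
        $records += New-DumpRecord -File $f -IsMinidump $true
    }
}

# CrashDumpEnabled (not on the page, but a standard CrashControl value) tells
# you whether finding no dumps is expected: 0 = none, 1 = complete,
# 2 = kernel, 3 = small (minidump), 7 = automatic.
"CrashDumpEnabled = $($cc.CrashDumpEnabled); $($records.Count) dump file(s) found"
$records | Sort-Object FileCreated | Format-Table -AutoSize

# Triage aid for the clustered-crash note: days with two or more minidumps.
$records | Where-Object Minidump |
    Group-Object { ([datetime]$_.FileCreated).ToString('yyyy-MM-dd') } |
    Where-Object Count -ge 2 |
    ForEach-Object { "$($_.Name): $($_.Count) crashes" }
```

Pipe `$records` to `Export-Csv` instead of `Format-Table` if the catalog is to be ingested elsewhere; the dump files themselves are left in place.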