Crash Dump Information
Overview
Evidence: Crash Dump Information
Description: Collect information about crash dumps
Category: System
Platform: windows
Short Name: cdi
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
When Windows encounters a critical error (a BSOD), it can write crash dump files containing system memory and diagnostic information. These dumps come in different formats:
- Full memory dump (MEMORY.DMP): Complete physical memory
- Kernel dump: Kernel memory only
- Minidumps: Small dumps with essential information
Crash dump locations are configured in the registry under HKLM\SYSTEM\CurrentControlSet\Control\CrashControl.
Data Collected
This collector gathers structured data about crash dump information.
Crash Dump Information Data
| Field | Description | Example |
|---|---|---|
| Path | Full path to crash dump | C:\Windows\MEMORY.DMP |
| Minidump | Whether this is a minidump | FALSE |
| FileModified | Last modified timestamp | 2023-10-15T14:30:00 |
| FileAccessed | Last accessed timestamp | 2023-10-15T15:45:00 |
| FileCreated | Creation timestamp | 2023-10-15T14:30:00 |
Collection Method
This collector:
- Reads crash dump configuration from the registry:
  - HKLM\SYSTEM\CurrentControlSet\Control\CrashControl, DumpFile value
  - HKLM\SYSTEM\CurrentControlSet\Control\CrashControl, MinidumpDir value
- Catalogs dump files (actual collection of large dumps may be optional)
- Records dump file metadata and timestamps
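The same three steps carried out in PowerShell, as an added illustration rather than the collector's own code: it reads DumpFile and MinidumpDir from CrashControl, catalogs the files they point to, and emits the fields from the table above. It assumes it runs on Windows with read access to that key; the SizeBytes column and the CrashDumpEnabled summary are additions beyond what the table lists.

```powershell
# Added example (not the collector's own code): catalog crash dumps the way the
# Collection Method describes. Assumes Windows and read access to CrashControl.
$crashKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
$cfg = Get-ItemProperty -Path $crashKey -ErrorAction Stop

# DumpFile and MinidumpDir are REG_EXPAND_SZ (e.g. %SystemRoot%\MEMORY.DMP);
# expand explicitly in case the provider handed them back unexpanded.
$dumpFile    = [Environment]::ExpandEnvironmentVariables([string]$cfg.DumpFile)
$minidumpDir = [Environment]::ExpandEnvironmentVariables([string]$cfg.MinidumpDir)

function New-DumpRecord {
    param([System.IO.FileInfo]$File, [bool]$IsMinidump)
    $fmt = 'yyyy-MM-ddTHH:mm:ss'          # same timestamp shape as the table
    [pscustomobject]@{
        Path         = $File.FullName
        Minidump     = $IsMinidump.ToString().ToUpper()   # TRUE / FALSE
        SizeBytes    = $File.Length                       # addition: helps tell full vs kernel dumps apart
        FileModified = $File.LastWriteTimeUtc.ToString($fmt)
        FileAccessed = $File.LastAccessTimeUtc.ToString($fmt)
        FileCreated  = $File.CreationTimeUtc.ToString($fmt)
    }
}

$records = @()
# Full or kernel dump: a single file at the configured DumpFile path, if one exists.
if ($dumpFile -and (Test-Path -LiteralPath $dumpFile -PathType Leaf)) {
    $records += New-DumpRecord -File (Get-Item -LiteralPath $dumpFile) -IsMinidump $false
}
# Minidumps: every *.dmp under MinidumpDir. The directory does not exist until the first crash.
if ($minidumpDir -and (Test-Path -LiteralPath $minidumpDir -PathType Container)) {
    foreach ($f in Get-ChildItem -LiteralPath $minidumpDir -Filter '*.dmp' -File) {
        $records += New-DumpRecord -File $f -IsMinidump $true
    }
}

# Record what the registry says should be produced, so an empty catalog is interpretable.
# CrashDumpEnabled: 0 = none, 1 = complete, 2 = kernel, 3 = small, 7 = automatic.
[pscustomobject]@{
    DumpFile         = $dumpFile
    MinidumpDir      = $minidumpDir
    CrashDumpEnabled = $cfg.CrashDumpEnabled
    DumpsFound       = $records.Count
} | Format-List

$records | Sort-Object FileCreated | Format-Table -AutoSize
```

Pipe `$records` to `Export-Csv` instead of `Format-Table` when the output is meant to be ingested rather than read.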
Forensic Value
Crash dumps can reveal system instability and rootkit behavior. Investigators use this data to analyze the causes of system crashes, detect rootkit-induced crashes, identify driver bugs or exploitation, examine kernel memory state, and correlate crash times with malware activity.