
What Is a Crash Dump?

When Windows hits a critical system error (a stop error, commonly called a Blue Screen), it can write a memory dump file to disk before it reboots. The dump captures what the kernel was doing at the moment of the crash: the stop code and its parameters, the state of the processors, and a copy of some or all of physical memory. We have another guide on analysing and debugging crash dumps, which you can read here: Blue Screen of Death - What It Actually Means

Where Dump Files Are Stored

Default locations (both paths are configurable):
  • C:\Windows\MEMORY.DMP - a single file, overwritten by the next crash by default, used for kernel, automatic, active and complete dumps
  • C:\Windows\Minidump\ - one file per crash for small memory dumps, named by crash date (MMDDYY-nnnnn-01.dmp)
The dump is first written into the paging file at crash time and is copied to these locations on the next boot, so it does not appear until the system has restarted normally.

What Investigators Can Learn

Crash dumps may reveal:
  • The stop (bug check) code and its parameters, and usually the driver or kernel module whose code was executing when the fault occurred
  • The list of loaded kernel modules, including drivers that have since been removed from disk
  • The processes and threads that were active at the time of the crash (complete and active dumps also include their user-mode memory)
  • The state of memory at the moment of failure, which can be searched for strings, injected code or modified kernel structures

Types of Dump Files

Type                    Description
Small memory dump       The smallest option: stop code and parameters, the crashing processor's context, the crashing thread's stack and the list of loaded modules; one file per crash in the Minidump folder
Kernel memory dump      Kernel-mode memory only (kernel, drivers, HAL); user-mode process memory is not included
Automatic memory dump   Same contents as a kernel memory dump, but Windows manages the paging-file size needed for it; the default on Windows 8 and later
Active memory dump      Everything a complete dump holds except pages unlikely to matter (free and standby pages, and memory assigned to Hyper-V guests); intended for hosts with large amounts of RAM
Complete memory dump    All of physical memory plus a header; needs a paging file on the system drive at least as large as installed RAM

Do note that complete and active dumps are roughly the size of installed RAM, and that the default is the automatic memory dump, so a complete dump only exists if someone selected it. Whatever the type, a dump is written only if the paging file on the system drive is large enough to hold it; if it does not fit, nothing is written.

How Do I Change Dump Settings?

You can adjust dump settings here:
  1. Open Settings
  2. Navigate to System > About
  3. Click Advanced system settings
  4. Under Startup and Recovery, click Settings
  5. Pick the type from the dropdown under Write debugging information, and check the dump file path shown beneath it
The same dialog opens by running sysdm.cpl and choosing the Advanced tab. The dropdown sets the CrashDumpEnabled value under HKLM\SYSTEM\CurrentControlSet\Control\CrashControl (0 none, 1 complete, 2 kernel, 3 small, 7 automatic; active memory dump is 1 with FilterPages set to 1), and a change takes effect after a reboot.
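The following PowerShell script is an added example, not part of the original guide. It reads the same setting from the registry instead of the dialog, locates the dump files where the configuration actually points rather than at the default paths listed earlier, hashes each file so the evidence can be preserved before analysis, reads the stop code out of the dump header, and lists the bugcheck events Windows logs even when the dump file itself is gone. It assumes an elevated Windows PowerShell 5.1 or PowerShell 7 session; the function name Read-DumpHeader is mine.

```powershell
# Added example (not part of the original guide): inventory the crash-dump
# configuration and any dump files present on the local machine.
# Assumes Windows PowerShell 5.1 or PowerShell 7 in an elevated session;
# MEMORY.DMP is readable only by administrators.

$crashKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
$cfg = Get-ItemProperty -Path $crashKey

# CrashDumpEnabled is the value the "Write debugging information" dropdown sets.
$dumpTypes = @{
    0 = 'None'
    1 = 'Complete memory dump'
    2 = 'Kernel memory dump'
    3 = 'Small memory dump'
    7 = 'Automatic memory dump'
}
$typeName = $dumpTypes[[int]$cfg.CrashDumpEnabled]
if (-not $typeName) { $typeName = "Unknown value $($cfg.CrashDumpEnabled)" }
# Active memory dump is Complete (1) with FilterPages = 1.
if ($cfg.CrashDumpEnabled -eq 1 -and $cfg.FilterPages -eq 1) { $typeName = 'Active memory dump' }

# Both paths are REG_EXPAND_SZ; do not assume the defaults under C:\Windows.
$dumpFile    = [Environment]::ExpandEnvironmentVariables([string]$cfg.DumpFile)
$minidumpDir = [Environment]::ExpandEnvironmentVariables([string]$cfg.MinidumpDir)

"Dump type             : $typeName"
"Full dump path        : $dumpFile"
"Minidump folder       : $minidumpDir"
"Overwrite / AutoReboot: $($cfg.Overwrite) / $($cfg.AutoReboot)"
"AlwaysKeepMemoryDump  : $($cfg.AlwaysKeepMemoryDump)"
# To change the type without the GUI (takes effect after a reboot), e.g. kernel dump:
#   Set-ItemProperty -Path $crashKey -Name CrashDumpEnabled -Value 2

function Read-DumpHeader {
    param([string]$Path)
    # 64-bit kernel, automatic, active and complete dumps, and kernel minidumps,
    # start with a DUMP_HEADER64: 'PAGE' then 'DU64' at offset 0, the bug-check
    # code (UInt32) at 0x38 and four UInt64 bug-check parameters from 0x40.
    $fs = [System.IO.File]::Open($Path, [System.IO.FileMode]::Open,
                                 [System.IO.FileAccess]::Read, [System.IO.FileShare]::ReadWrite)
    try {
        $buf = New-Object byte[] 0x60
        if ($fs.Read($buf, 0, $buf.Length) -lt $buf.Length) { return $null }
        $sig = [System.Text.Encoding]::ASCII.GetString($buf, 0, 8)
        $hdr = [ordered]@{ Signature = $sig; BugCheckCode = $null; Parameters = @() }
        if ($sig -eq 'PAGEDU64') {   # 32-bit dumps use 'PAGEDUMP' with a different layout
            $hdr.BugCheckCode = '0x{0:X8}' -f [BitConverter]::ToUInt32($buf, 0x38)
            $hdr.Parameters   = 0..3 | ForEach-Object { '0x{0:X16}' -f [BitConverter]::ToUInt64($buf, 0x40 + 8 * $_) }
        }
        [pscustomobject]$hdr
    } finally { $fs.Dispose() }
}

$candidates = @()
if (Test-Path -LiteralPath $dumpFile)    { $candidates += Get-Item -LiteralPath $dumpFile }
if (Test-Path -LiteralPath $minidumpDir) { $candidates += Get-ChildItem -LiteralPath $minidumpDir -Filter *.dmp -File }

foreach ($f in $candidates) {
    $hdr = Read-DumpHeader -Path $f.FullName
    [pscustomobject]@{
        File         = $f.FullName
        SizeMB       = [math]::Round($f.Length / 1MB, 1)
        LastWriteUtc = $f.LastWriteTimeUtc
        Signature    = $hdr.Signature
        BugCheckCode = $hdr.BugCheckCode
        Parameters   = ($hdr.Parameters -join ' ')
        # Hash before any other tool touches the file; a complete dump can take minutes.
        SHA256       = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
    } | Format-List
}

# Event 1001 from WER-SystemErrorReporting records every bugcheck and the dump
# path, so it still shows crashes whose dump file has since been overwritten or deleted.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-WER-SystemErrorReporting'; Id = 1001 } `
             -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message | Format-List
```

Run it before any analysis tool opens the dump. Recording the SHA-256 first lets you show later that the file WinDbg analysed is the one that was on disk. The bug-check code read from the header is the same value the debugger reports, but identifying the faulting driver still needs the debugger and symbols, as covered in the linked guide.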

Why This Matters in Forensics

If malware caused a system crash (a rootkit or a faulty malicious driver is a common trigger), the memory dump may contain traces of the malicious code. Even when the malware is gone after the reboot, the dump can still hold its loaded module, its process, its strings and the kernel structures it modified. Do not delete dump files before they have been analysed, as they can be crucial for understanding the cause of the crash and any potential security breach. Two defaults work against you here: MEMORY.DMP is overwritten by the next crash, and on a machine that is not domain-joined Windows deletes it automatically when free disk space drops below 25 GB unless "Disable automatic deletion of memory dumps when disk space is low" is ticked in the Startup and Recovery dialog. Copy the dump off the host and record its hash before analysis begins.