[Error] File Hash does NOT match

[g33k247]

Trying to run Lethal-Forensics to capture RAM on a Windows machine.

Result:

.\Collect-MemoryDump.ps1 -Comae
[Info]  Host Name: LODGE
[Error] File Hash does NOT match.
PS C:\Users\g33k2\git\Collect-MemoryDump-v0.9.1>

Expected:
RAM capture works.

[evild3ad]

It seems that you are using a newer version of DumpIt. The current version is DumpIt v3.6.20220824 (2022-08-24).

You have to edit "Open Collect-MemoryDump.ps1".

1. Dependencies
   Old: DumpIt 3.5.0 (2022-08-02) --> Comae-Toolkit
   New: DumpIt 3.6.20220824 (2022-08-24) --> Comae-Toolkit

2. Hash Values (Whitelisting)
   Update the file hashes for "DumpIt.exe (ARM64)", "DumpIt.exe (x64)" and "DumpIt.exe (x86)".

# DumpIt.exe (ARM64)         MD5: 5F7E26DE885DB542879D5F027A81D6F8   SHA1: 991CC616D92A6A2D9395BECE02CCC0DEBD4F783C   SHA256: D66E1586CF5867E17E1BA0C4B7D65E81FDD77261CF497571005836E606B34A3D
# DumpIt.exe (x64)           MD5: 5B2925A62C90E8B4892E6CA1283501B0   SHA1: 4E27EA88DC4019DFD74B164F53484A3986FB2455   SHA256: 0E04FF80C2EC676E8C36F4961A7FD9F539DA2A87D937C68603329FB58EF0910E
# DumpIt.exe (x86)           MD5: 3E9132FC42365463F41C0AE24F44B709   SHA1: 026172D21371F4027B7100DEE9ED2252FE2B1022   SHA256: FBC7870A77C68DD0172CD8BB7EDC6D40F2ACA1ABBB61A191E6220D23D1745D6C

3. Function New-ComaeSnapshot - Verify File Integrity
   Search for "Function New-ComaeSnapshot "...some lines later you will find "Verify File Integrity".
   Update all three MD5 hash values

# ARM64 or x64 or x86
if (($MD5 -eq "5F7E26DE885DB542879D5F027A81D6F8") -Or ($MD5 -eq "5B2925A62C90E8B4892E6CA1283501B0") -OR ($MD5 -eq "3E9132FC42365463F41C0AE24F44B709"))

I will write a Wiki tutorial for this on the weekend. Please let me know if it works for you. Thank you!

[evild3ad]

Check out: Wiki: How-to-add-or-update-dependencies

[evild3ad]

https://github.com/evild3ad/Collect-MemoryDump/releases/tag/v0.9.2