6.2 Unlinked Threads and Forgotten Stacks Thread stacks often contain function return addresses that point into unloaded modules. By cross-referencing the , an analyst can determine which malicious DLL was present but later erased from disk.
| Feature | User-Minidump (e.g., via MiniDumpWriteDump ) | Kernel-Minidump ( C:\Windows\minidump ) | | :--- | :--- | :--- | | Capture scope | Single process | Kernel address space + active processes | | Required privilege | PROCESS_ALL_ACCESS | SeBackupPrivilege / LocalSystem | | Common use | Malware unpacking, credential dumping | Blue Screen analysis, rootkit detection | | Notable artifact | LSA secrets, browser cookies | IRQL stack trace, interrupt table | minidump file
Scenario: A threat analyst obtains a 4 MB Minidump of a compromised explorer.exe . No full memory capture exists. No full memory capture exists
6.1 Cryptographic Key Recovery A Minidump taken at the right moment—e.g., while a TLS session is active—will contain the ephemeral keys of Schannel or OpenSSL inside the process heap. Tools like dumpcrypt can carve BLOB headers to reconstruct RSA private keys. credential dumping | Blue Screen analysis