Create memory dump remotely:
Ref. http://kromer.pl/malware-analysis/memoryforensics-using-volatility-toolkit-to-extractmalware-samples-from-memory-dump/
Ref. http://sourceforge.net/projects/mdd/
Ref. https://technet.microsoft.com/enus/sysinternals/psexec.aspx
C:\> psexec.exe \\<HOST NAME OR IP ADDRESS> -u <DOMAIN>\<PRIVILEGED ACCOUNT> -p <PASSWORD> -c mdd_1.3.exe -o C:\memory.dmp
Extract exe/dll from memory dump:
Ref. https://github.com/volatilityfoundation/volatility
C:\> volatility dlldump -f memory.dmp -D dumps/
C:\> volatility procmemdump -f memory.dmp -D dumps/
Create hard drive image of C:\ using dc3dd:
Ref. https://sourceforge.net/projects/dc3dd/files/dc3dd/7.2 - Windows/
C:\> dc3dd.exe if=\\.\c: of=d:\<ATTACHED OR TARGET DRIVE>\<IMAGE NAME>.dd hash=md5 log=d:\<MOUNTED LOCATION>\<LOG NAME>.log
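Verify the image against the hash in the dc3dd log (added example, not part of the original page or of dc3dd): the script re-hashes the .dd file and compares it with every MD5 value found in the log written by hash=md5 log=. The log line shape "<32 hex digits> (md5)" and the script name verify_dc3dd.py are assumptions; adjust the pattern if your log differs.

```python
import hashlib
import re
import sys

# Assumed shape of the hash line in the dc3dd log: "<32 hex digits> (md5)".
MD5_LINE = re.compile(r"\b([0-9a-fA-F]{32})\s+\(md5\)")


def logged_md5s(log_text):
    """Return every MD5 value recorded in the log text, lowercased, in order."""
    return [m.group(1).lower() for m in MD5_LINE.finditer(log_text)]


def file_md5(path, chunk_size=1024 * 1024):
    """Hash the image in chunks so a multi-gigabyte image never has to fit in RAM."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_image(image_path, log_path):
    """Return (ok, computed, logged).

    ok is True only when the log contains at least one MD5 value and every
    logged value equals the hash computed from the image file.
    """
    with open(log_path, "r", errors="replace") as fh:
        logged = logged_md5s(fh.read())
    computed = file_md5(image_path)
    ok = bool(logged) and all(h == computed for h in logged)
    return ok, computed, logged


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: verify_dc3dd.py <IMAGE NAME>.dd <LOG NAME>.log")
    ok, computed, logged = verify_image(sys.argv[1], sys.argv[2])
    print("computed:", computed)
    print("logged:  ", ", ".join(logged) or "none found")
    # Non-zero exit code on mismatch or missing hash, for use in scripts.
    sys.exit(0 if ok else 1)
```

Run it from the analysis workstation against the copy of the image you will work on, and keep its output with the case notes.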