Update README.md

Author: evild3ad

README.md

@@ -6,8 +6,9 @@ Collect-MemoryDump.ps1 is PowerShell script utilized to collect a Memory Snapsho
 Features:
 * Checks for Hostname and Physical Memory Size before starting memory acquisition
 * Checks if you have enough free disk space to save memory dump file
-* Collects a Raw Physical Memory Dump w/ DumpIt, Magnet RamCapture and WinPMEM
+* Collects a Raw Physical Memory Dump w/ DumpIt, Magnet RamCapture, Belkasoft Live RAM Capturer and WinPMEM
 * Collects a Microsoft Crash Dump w/ DumpIt for Comae Beta from Magnet Idea Lab
+* Pagefile Collection w/ [CyLR](https://github.com/orlikoski/CyLR) - Live Response Collection tool by Alan Orlikoski and Jason Yegge
 * Checks for Encrypted Volumes w/ Magnet Forensics Encrypted Disk Detector
 * Collects BitLocker Recovery Key
 * Checks for installed Endpoint Security Tools (AntiVirus and EDR)
@@ -23,54 +24,98 @@ https://www.magnetforensics.com/
 Download the latest version of **Collect-MemoryDump** from the [Releases](https://github.com/evild3ad/Collect-MemoryDump/releases/latest) section.  
 
 ## Usage  
-.\Collect-MemoryDump.ps1 [-Tool] [--skip]
+.\Collect-MemoryDump.ps1 [-Tool] [--Pagefile]
 
 Example 1 - Raw Physical Memory Snapshot  
 .\Collect-MemoryDump.ps1 -DumpIt
 
 Example 2 - Microsoft Crash Dump (.zdmp) → optimized for uploading to [Comae Investigation Platform](https://www.comae.com/)  
 .\Collect-MemoryDump.ps1 -Comae  
 
-Note: You can uncompress *.zdmp files generated by DumpIt w/ Z2Dmp (Comae-Toolkit).
+Note: You can uncompress *.zdmp files generated by DumpIt w/ Z2Dmp (Comae-Toolkit).  
 
-![Help-Message](https://github.com/evild3ad/Collect-MemoryDump/blob/64d99221e407893ec3530550404c6d9c849afdf3/Screenshots/01.png)  
+Example 3 - Raw Physical Memory Snapshot and Pagefile Collection  → [MemProcFS](https://github.com/ufrisk/MemProcFS)  
+.\Collect-MemoryDump.ps1 -WinPMEM --Pagefile  
+  
+![Help-Message](https://github.com/evild3ad/Collect-MemoryDump/blob/3aa95e224d0613681d5cd1baaf3e8a22da40bf68/Screenshots/01.png)  
 **Fig 1:** Help Message  
 
-![AvailableSpace](https://github.com/evild3ad/Collect-MemoryDump/blob/64d99221e407893ec3530550404c6d9c849afdf3/Screenshots/02.png)  
+![AvailableSpace](https://github.com/evild3ad/Collect-MemoryDump/blob/3aa95e224d0613681d5cd1baaf3e8a22da40bf68/Screenshots/02.png)  
 **Fig 2:** Check Available Space
 
-![DumpIt](https://github.com/evild3ad/Collect-MemoryDump/blob/64d99221e407893ec3530550404c6d9c849afdf3/Screenshots/03.png)  
+![DumpIt](https://github.com/evild3ad/Collect-MemoryDump/blob/3aa95e224d0613681d5cd1baaf3e8a22da40bf68/Screenshots/03.png)  
 **Fig 3:** Automated Creation of Windows Memory Snapshot w/ DumpIt
 
-![RamCapture](https://github.com/evild3ad/Collect-MemoryDump/blob/64d99221e407893ec3530550404c6d9c849afdf3/Screenshots/04.png)  
+![RamCapture](https://github.com/evild3ad/Collect-MemoryDump/blob/3aa95e224d0613681d5cd1baaf3e8a22da40bf68/Screenshots/04.png)  
 **Fig 4:** Automated Creation of Windows Memory Snapshot w/ Magnet RAM Capture
 
-![SkipCompressing](https://github.com/evild3ad/Collect-MemoryDump/blob/64d99221e407893ec3530550404c6d9c849afdf3/Screenshots/05.png)  
-**Fig 5:** The time-consuming task of compressing the memory snapshot can be skipped (if needed)  
+![WinPMEM](https://github.com/evild3ad/Collect-MemoryDump/blob/3aa95e224d0613681d5cd1baaf3e8a22da40bf68/Screenshots/05.png)  
+**Fig 5:** Automated Creation of Windows Memory Snapshot w/ WinPMEM
 
-![WinPMEM](https://github.com/evild3ad/Collect-MemoryDump/blob/64d99221e407893ec3530550404c6d9c849afdf3/Screenshots/06.png)  
-**Fig 6:** Automated Creation of Windows Memory Snapshot w/ WinPMEM
+![Belkasoft](https://github.com/evild3ad/Collect-MemoryDump/blob/3aa95e224d0613681d5cd1baaf3e8a22da40bf68/Screenshots/06.png)  
+**Fig 6:** Automated Creation of Windows Memory Snapshot w/ Belkasoft Live RAM Capturer
 
-![Comae](https://github.com/evild3ad/Collect-MemoryDump/blob/64d99221e407893ec3530550404c6d9c849afdf3/Screenshots/07.png)  
+![Comae](https://github.com/evild3ad/Collect-MemoryDump/blob/3aa95e224d0613681d5cd1baaf3e8a22da40bf68/Screenshots/07.png)  
 **Fig 7:** Automated Creation of Windows Memory Snapshot w/ DumpIt (Microsoft Crash Dump)
 
-![MessageBox](https://github.com/evild3ad/Collect-MemoryDump/blob/64d99221e407893ec3530550404c6d9c849afdf3/Screenshots/08.png)  
-**Fig 8:** Message Box
+![WinPMEM](https://github.com/evild3ad/Collect-MemoryDump/blob/3aa95e224d0613681d5cd1baaf3e8a22da40bf68/Screenshots/08.png)  
+**Fig 8:** Automated Creation of Windows Memory Snapshot w/ WinPMEM and Pagefile Collection w/ CyLR
 
-![SecureArchive](https://github.com/evild3ad/Collect-MemoryDump/blob/64d99221e407893ec3530550404c6d9c849afdf3/Screenshots/09.png)  
-**Fig 9:** Secure Archive Container (PW: IncidentResponse) and Logfile.txt
+![MessageBox](https://github.com/evild3ad/Collect-MemoryDump/blob/3aa95e224d0613681d5cd1baaf3e8a22da40bf68/Screenshots/09.png)  
+**Fig 9:** Message Box
 
-![Directories](https://github.com/evild3ad/Collect-MemoryDump/blob/64d99221e407893ec3530550404c6d9c849afdf3/Screenshots/10.png)  
-**Fig 10:** Output Directories
+![SecureArchive](https://github.com/evild3ad/Collect-MemoryDump/blob/3aa95e224d0613681d5cd1baaf3e8a22da40bf68/Screenshots/10.png)  
+**Fig 10:** Secure Archive Container (PW: IncidentResponse) and Logfile.txt
 
-![Memory](https://github.com/evild3ad/Collect-MemoryDump/blob/64d99221e407893ec3530550404c6d9c849afdf3/Screenshots/11.png)  
-**Fig 11:** Memory Snapshot (in a forensically sound manner)
+![OutputDirectories](https://github.com/evild3ad/Collect-MemoryDump/blob/3aa95e224d0613681d5cd1baaf3e8a22da40bf68/Screenshots/11.png)  
+**Fig 11:** Output Directories
 
-![SystemInfo](https://github.com/evild3ad/Collect-MemoryDump/blob/64d99221e407893ec3530550404c6d9c849afdf3/Screenshots/12.png)  
-**Fig 12:** Collected System Information
+![MemoryDirectories](https://github.com/evild3ad/Collect-MemoryDump/blob/3aa95e224d0613681d5cd1baaf3e8a22da40bf68/Screenshots/12.png)  
+**Fig 12:** Memory Directories (WinPMEM and Pagefile)
+
+![Memory](https://github.com/evild3ad/Collect-MemoryDump/blob/3aa95e224d0613681d5cd1baaf3e8a22da40bf68/Screenshots/13.png)  
+**Fig 13:** Memory Snapshot (in a forensically sound manner)
+
+![Pagefile](https://github.com/evild3ad/Collect-MemoryDump/blob/3aa95e224d0613681d5cd1baaf3e8a22da40bf68/Screenshots/14.png)  
+**Fig 14:** Pagefile Collection
+
+![SystemInfo](https://github.com/evild3ad/Collect-MemoryDump/blob/3aa95e224d0613681d5cd1baaf3e8a22da40bf68/Screenshots/15.png)  
+**Fig 15:** Collected System Information
+
+## Dependencies  
+7-Zip 22.01 Standalone Console (2022-07-15)  
+https://www.7-zip.org/download.html  
+
+Belkasoft Live RAM Capturer (2018-10-22)  
+https://belkasoft.com/ram-capturer  
+
+DumpIt 3.5.0 (2022-08-02) → Comae-Toolkit  
+https://magnetidealab.com/  
+https://beta.comae.tech/  
+https://www.magnetforensics.com/blog/how-to-get-started-with-comae/  
+
+CyLR 3.0 (2021-02-03)  
+https://github.com/orlikoski/CyLR  
+
+Magnet Encrypted Disk Detector v3.1.0 (2022-06-19)  
+https://www.magnetforensics.com/resources/encrypted-disk-detector/  
+https://support.magnetforensics.com/s/free-tools  
+
+Magnet RAM Capture v1.2.0 (2019-07-24)  
+https://www.magnetforensics.com/resources/magnet-ram-capture/  
+https://support.magnetforensics.com/s/software-and-downloads?productTag=free-tools  
+
+PsLoggedOn v1.35 (2016-06-29)  
+https://docs.microsoft.com/de-de/sysinternals/downloads/psloggedon  
+
+WinPMEM 4.0 RC2 (2020-10-12)  
+https://github.com/Velocidex/WinPmem/releases  
 
 ## Links
+[Belkasoft Live RAM Capturer](https://belkasoft.com/ram-capturer)  
 [Comae-Toolkit incl. DumpIt](https://www.magnetforensics.com/blog/how-to-get-started-with-comae/)  
+[CyLR - Live Response Collection Tool](https://github.com/orlikoski/CyLR)  
+[MAGNET Encrypted Disk Detector](https://www.magnetforensics.com/resources/encrypted-disk-detector/)  
 [MAGNET Ram Capture](https://www.magnetforensics.com/resources/magnet-ram-capture/)  
 [WinPMEM](https://github.com/Velocidex/WinPmem)