MANDIANT Memoryze: A memory forensic tool

by Black on July 19, 2009

in Security tools, Windows

MANDIANT Memoryze is a subset of MANDIANT Intelligent Response (MIR), an enterprise-grade incident management tool. Memoryze is a memory forensic tool for analyzing live memory: it can acquire and/or analyze memory images, and on a live system it can include the paging file in its analysis.


Memoryze can be integrated with other tools to help with incident response. If you are already using EnCase, i.e. EnCase Enterprise Edition (EEE), you can easily integrate Memoryze with it. What makes it even better is that it can apply XPath filters to the data it collects. This lets users write their own evidence-of-compromise filter and supply it to Memoryze as part of a script; with the filter in place, Memoryze reports only the processes that match the criteria. It is an effective tool against packed malware, since a packed sample is unpacked in memory, where Memoryze can capture it for further analysis. It can be run on a live system or used to analyze memory images taken from other machines.
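To make the filtering idea concrete, here is an added Python example; it is not part of the original post and is not Memoryze's or Audit Viewer's code. The XML layout (ProcessList/ProcessItem/Sockets/Socket element names) is constructed for the example and is not Memoryze's real output schema, and the filters use only the limited XPath subset that Python's xml.etree.ElementTree understands. The point it shows is the workflow described above: a per-process report comes in as XML, an analyst-written XPath expression selects the processes of interest, and only those are reported.

```python
"""Apply XPath-style filters to a per-process XML report.

Added example, not Memoryze's own code. The element names below are
assumed for illustration and are not Memoryze's actual schema.
"""
import xml.etree.ElementTree as ET

# Constructed sample report: a kernel process, a legitimate svchost.exe,
# and a second svchost.exe running from a user's Temp directory with a
# connection to an outside address (203.0.113.7 is a documentation-only IP).
SAMPLE_XML = r"""<ProcessList>
  <ProcessItem>
    <pid>4</pid>
    <name>System</name>
    <path></path>
    <Sockets/>
  </ProcessItem>
  <ProcessItem>
    <pid>1204</pid>
    <name>svchost.exe</name>
    <path>C:\WINDOWS\system32\svchost.exe</path>
    <Sockets>
      <Socket><localPort>135</localPort><remoteIP>0.0.0.0</remoteIP></Socket>
    </Sockets>
  </ProcessItem>
  <ProcessItem>
    <pid>2316</pid>
    <name>svchost.exe</name>
    <path>C:\Documents and Settings\user\Local Settings\Temp\svchost.exe</path>
    <Sockets>
      <Socket><localPort>1052</localPort><remoteIP>203.0.113.7</remoteIP></Socket>
    </Sockets>
  </ProcessItem>
</ProcessList>
"""

# Filter 1: every process named svchost.exe, whatever its path.
# ElementTree supports the [child='text'] predicate form.
ALL_SVCHOST = ".//ProcessItem[name='svchost.exe']"

# Filter 2: any process with a socket to a given remote address. The match
# is made on the Socket element, then '..' walks back up to the ProcessItem
# (ElementTree supports '..' when the search starts from a parent element).
TALKS_TO_ADDRESS = ".//Socket[remoteIP='203.0.113.7']/../.."


def apply_filter(xml_text, xpath):
    """Return (pid, name, path) for each ProcessItem selected by xpath.

    Elements that are not ProcessItem nodes are ignored so that a filter
    which matches something else by mistake does not produce bogus hits.
    """
    root = ET.fromstring(xml_text)
    hits = []
    for item in root.findall(xpath):
        if item.tag != "ProcessItem":
            continue
        hits.append((int(item.findtext("pid")),
                     item.findtext("name"),
                     item.findtext("path")))
    return hits


def report(xml_text, filters):
    """Run several named filters and return {filter_name: [hits]}."""
    return {name: apply_filter(xml_text, xpath) for name, xpath in filters.items()}


if __name__ == "__main__":
    results = report(SAMPLE_XML, {"all svchost": ALL_SVCHOST,
                                  "talks to 203.0.113.7": TALKS_TO_ADDRESS})
    for name, hits in results.items():
        print(f"[{name}]")
        for pid, proc, path in hits:
            print(f"  pid={pid:<6} {proc:<14} {path or '(no image path)'}")
```

The second filter is the interesting one for triage: a process name alone is weak evidence, but a process with a connection to an address the analyst already considers suspicious is worth pulling the full address space for. ElementTree has no `contains()` or `not()`, so a real Memoryze filter that says "svchost.exe not under system32" would need a fuller XPath engine such as lxml; the structure of the check is the same.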

As of now, it performs the following functions:

  • image the full range of system memory (not reliant on API calls).
  • image a process’ entire address space to disk. This includes a process’ loaded DLLs, EXEs, heaps, and stacks.
  • image a specified driver or all drivers loaded in memory to disk.
  • enumerate all running processes (including those hidden by rootkits). For each process, Memoryze can:
    • report all open handles in a process (for example, all files, registry keys, etc.).
    • list the virtual address space of a given process including:
      • displaying all loaded DLLs.
      • displaying all allocated portions of the heap and execution stack.
    • list all network sockets that the process has open, including any hidden by rootkits.
    • output all strings in memory on a per process basis.
  • identify all drivers loaded in memory, including those hidden by rootkits.
  • report device and driver layering, which can be used to intercept network packets, keystrokes and file activity.
  • identify all loaded kernel modules by walking a linked list.
  • identify hooks (often used by rootkits) in the System Call Table, the Interrupt Descriptor Tables (IDTs), and driver function tables (IRP tables).

It currently supports Windows 2000, Server 2003 and XP. Support for Vista and Windows 7 is yet to be added. It also needs Python 2.5 or 2.6 and the wxPython library for Audit Viewer, the viewer for Memoryze's XML results.

As an added bonus, this tool is freeware. Download it here.
