
We have talked about performing forensic analysis on memory, the registry and what-not throughout this blog, and recently here when we blogged about Mandiant Memoryze. Today we are going to talk about another exciting tool: ManTech Memory DD.
ManTech Memory DD (mdd) is an open source memory acquisition tool meant to be run on Windows platforms: Windows 2000, Windows Server 2003, Windows XP, Windows Vista, and Windows Server 2008, to be precise. It supports both 32-bit and 64-bit systems.
It acquires a forensic image of physical memory and stores it as a raw binary file. An MD5 (Message-Digest algorithm 5) hash of the image is then computed so that its integrity can be verified. You can sometimes also retrieve chat sessions, which will reside in memory even after a system reboot. Perhaps the best use of memory acquisition software is recovering encryption keys for disk encryption utilities, which can often be found in physical memory. It can also aid malware analysis or reverse engineering by letting you capture a rootkit/backdoor/trojan executable from memory, which can then be analyzed by other tools to determine whether the system is compromised. ManTech Memory DD can copy up to 4 GB of memory to a file for later analysis. Once the data is acquired, you can use other tools to process it.
Give this tool a try! You can download it here. Just remember that you must run the tool as Administrator. Also, the mdd pre-built binary is packaged with 32-bit and 64-bit drivers, which can image versions of Windows from 2000 through 32-bit Vista and Server 2008. 64-bit Vista and Server 2008 require a signed driver file: to image them, build and sign the mdd.sys file and place it in the same directory as mdd.exe. When you run mdd, it detects an mdd.sys file in its own directory and loads that driver instead of either of the built-in ones. Note that mdd will attempt to load mdd.sys, if found, regardless of the actual operating system and bitness.
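The steps above (run elevated, know which driver will be loaded, hash the image) are easy to get wrong in the middle of an incident, so here is an added PowerShell wrapper that walks through them in order. This is example code written for this post, not part of the mdd distribution. It assumes mdd.exe takes the output path with `-o <file>` (mdd 1.3 documents this, but check `mdd -h` on your copy), that `Get-FileHash` (PowerShell 4 or later) is available on the collection host, and that the evidence directory is on a separate drive from the suspect system; the paths are placeholders.

```powershell
# Added example, not ManTech's code. Wraps an mdd acquisition in the checks a
# responder wants: elevation, which driver will load, and an independent MD5.
param(
    [string]$MddPath = ".\mdd.exe",     # assumed location of the mdd binary
    [string]$OutDir  = "D:\evidence"    # assumed: external drive, not the suspect disk
)

# mdd must run as Administrator; fail early rather than produce an empty image.
$id = [Security.Principal.WindowsIdentity]::GetCurrent()
$isAdmin = (New-Object Security.Principal.WindowsPrincipal $id).IsInRole(
    [Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isAdmin) { throw "Run this from an elevated (Administrator) prompt." }

# mdd loads mdd.sys from its own directory if present, regardless of OS version
# or bitness, so record whether that override is in play before imaging.
$mddDir    = Split-Path -Parent (Resolve-Path $MddPath)
$sysDriver = Join-Path $mddDir "mdd.sys"
$driverNote = if (Test-Path $sysDriver) {
    "custom mdd.sys present (needed for 64-bit Vista/Server 2008): $sysDriver"
} else {
    "no mdd.sys in $mddDir; a built-in 32-bit/64-bit driver will be used"
}

$stamp   = Get-Date -Format "yyyyMMdd-HHmmss"
$image   = Join-Path $OutDir "$($env:COMPUTERNAME)-$stamp.dd"
$logFile = "$image.log"
if (-not (Test-Path $OutDir)) { New-Item -ItemType Directory -Path $OutDir | Out-Null }

# Keep mdd's console output: it reports its own MD5 of the image. "-o" is the
# assumed output flag (verify with "mdd -h").
$mddOutput = & $MddPath -o $image 2>&1 | Out-String

# Recompute the MD5 independently. A mismatch with the value mdd reported means
# the file on disk is not the image mdd wrote.
$fileHash = (Get-FileHash -Path $image -Algorithm MD5).Hash.ToLower()
$reported = [regex]::Match($mddOutput, '(?i)[0-9a-f]{32}').Value.ToLower()
$match    = if ($reported) { $reported -eq $fileHash } else { "n/a (no MD5 in mdd output)" }

# Sidecar record for chain of custody, kept next to the image.
@"
host:          $($env:COMPUTERNAME)
acquired:      $stamp
os:            $([Environment]::OSVersion.VersionString)
64-bit OS:     $([Environment]::Is64BitOperatingSystem)
driver:        $driverNote
image:         $image
size (bytes):  $((Get-Item $image).Length)
md5 (file):    $fileHash
md5 (mdd):     $reported
md5 match:     $match
mdd output:
$mddOutput
"@ | Set-Content -Path $logFile

Write-Host "Image written to $image; hash record in $logFile"
```

Run it from an elevated prompt on the machine being imaged, with the output directory pointing at removable or network storage so the image never lands on the disk you may later want to examine. The recomputed MD5 in the sidecar file is what you compare against after the image has been copied off the host.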