Forensic Tools logo
    • Home
    • Forensic Tools
    • Insights
    Sign in or Register

    Memoryze

    • Website
    • Profile
    • reviews 0
    • prev
    • next
    • Bookmark
    • Share
    • Leave a review
    • prev
    • next
    Gallery
    Memoryze audit FireEye Memoryze Logo
    Description

    Memoryze™ is free memory forensic software that helps incident responders find evil in live memory. Memoryze can acquire and/or analyze memory images and on live systems can include the paging file in its analysis. It can perform all these functions on live system memory or memory image files – whether they were acquired by Memoryze or other memory acquisition tools.

    MANDIANT Memoryze, formerly known as MANDIANT Free Agent, is a memory analysis tool. Memoryze can not only acquire the physical memory from a Windows system but it can also perform advanced analysis of live memory while the computer is running. All analysis can be done either against an acquired image or a live system.

    MANDIANT Memoryze can:

    • image the full range of system memory (not reliant on API calls).
    • image a process’ entire address space to disk. This includes a process’ loaded DLLs, EXEs, heaps, and stacks.
    • image a specified driver or all drivers loaded in memory to disk.
    • enumerate all running processes (including those hidden by rootkits). For each process,
      Memoryze can:
      o report all open handles in a process (for example, all files, registry keys, etc.).
      o list the virtual address space of a given process including:

        • displaying all loaded DLLs.
        • displaying all allocated portions of the heap and execution stack
      • list all network sockets that the process has open, including any hidden by rootkits.
      • specify the functions imported by the EXE and DLLs.
      • specify the functions exported by the EXE and DLLs.
      • hash the EXE and DLL in the process address space. (This is a MemD5 of the binary in memory.
      •  hash the EXE and DLLs in the process address space. (MD5, SHA1, SHA256. This is disk based.)
      • verify the digital signatures of the EXE and DLLs. (This is disk based.)
      • output all strings in memory on a per process base.
    • identify all drivers loaded in memory, including those hidden by rootkits. For each driver,
      Memoryze can:
      o specify the functions the driver imports.
      o specify the functions the driver exports.
      o hash the driver. (MD5, SHA1, SHA256. This is disk based.)
      o verify the digital signature of the driver. (This is disk based.)
      o output all strings in memory on a per driver base.
    • report device and driver layering, which can be used to intercept network packets, keystrokes and file activity.
    • identify all loaded kernel modules by walking a linked list.
    • identify hooks - often used by rootkits - in the System Call Table, the Interrupt Descriptor Tables (IDTs), and driver function tables (IRP tables).

    MANDIANT Memoryze can perform all these functions on live system memory or memory image files – whether they were acquired by Memoryze or other memory acquisition tools. However, not all data will be available when working with memory images such as digital signatures and hashes.

    Technical Specifications
    • Supported Platforms
      Windows
    • Supported Sources
      Windows, Server, Memory
  • No comments yet.
    • Add a review

    Leave a Reply · Cancel reply

    You must be logged in to post a comment.

    You May Also Be Interested In

    Memdump

    MAGNET Process Capture

    Volatility

    • About Us
    • Privacy Policy
    • Contact Us

    © 2024 – Lexeprint Inc.

    Cart

      • Facebook
      • Twitter
      • WhatsApp
      • Telegram
      • LinkedIn
      • Tumblr
      • VKontakte
      • Mail
      • Copy link
      Manage Consent
      To provide the best experiences, we use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us to process data such as browsing behavior or unique IDs on this site. Not consenting or withdrawing consent, may adversely affect certain features and functions.
      Functional Always active
      The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
      Preferences
      The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
      Statistics
      The technical storage or access that is used exclusively for statistical purposes. The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
      Marketing
      The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.
      • Manage options
      • Manage services
      • Manage {vendor_count} vendors
      • Read more about these purposes
      View preferences
      • {title}
      • {title}
      • {title}

      Subscribe to Our Newsletter!

      * indicates required






      Please select all the ways you would like to hear from :


      You can unsubscribe at any time by clicking the link in the footer of our emails. For information about our privacy practices, please visit our website.

      We use Mailchimp as our marketing platform. By clicking below to subscribe, you acknowledge that your information will be transferred to Mailchimp for processing. Learn more about Mailchimp's privacy practices here.