Memoryze™ is free memory forensic software that helps incident responders find evil in live memory. Memoryze can acquire and analyze memory images, and on live systems it can include the paging file in its analysis. It can perform all these functions on live system memory or memory image files – whether they were acquired by Memoryze or other memory acquisition tools.
MANDIANT Memoryze, formerly known as MANDIANT Free Agent, is a memory analysis tool. Memoryze can not only acquire the physical memory from a Windows system, but also perform advanced analysis of live memory while the computer is running. All analysis can be done either against an acquired image or a live system.
MANDIANT Memoryze can:
- image the full range of system memory (not reliant on API calls).
- image a process’ entire address space to disk. This includes a process’ loaded DLLs, EXEs, heaps, and stacks.
- image a specified driver or all drivers loaded in memory to disk.
- enumerate all running processes (including those hidden by rootkits). For each process, Memoryze can:
  o report all open handles in a process (for example, all files, registry keys, etc.).
  o list the virtual address space of a given process, including:
    - displaying all loaded DLLs.
    - displaying all allocated portions of the heap and execution stack.
  o list all network sockets that the process has open, including any hidden by rootkits.
  o specify the functions imported by the EXE and DLLs.
  o specify the functions exported by the EXE and DLLs.
  o hash the EXE and DLLs in the process address space. (This is a MemD5 of the binary in memory.)
  o hash the EXE and DLLs in the process address space. (MD5, SHA1, SHA256. This is disk based.)
  o verify the digital signatures of the EXE and DLLs. (This is disk based.)
  o output all strings in memory on a per-process basis.
- identify all drivers loaded in memory, including those hidden by rootkits. For each driver, Memoryze can:
  o specify the functions the driver imports.
  o specify the functions the driver exports.
  o hash the driver. (MD5, SHA1, SHA256. This is disk based.)
  o verify the digital signature of the driver. (This is disk based.)
  o output all strings in memory on a per-driver basis.
- report device and driver layering, which can be used to intercept network packets, keystrokes and file activity.
- identify all loaded kernel modules by walking a linked list.
- identify hooks, often used by rootkits, in the System Call Table, the Interrupt Descriptor Tables (IDTs), and driver function tables (IRP tables).
MANDIANT Memoryze can perform all these functions on live system memory or memory image files – whether they were acquired by Memoryze or other memory acquisition tools. However, disk-based data such as digital signatures and file hashes is not available when working with a memory image rather than a live system.