I'm a big proponent of live incident response and forensic analysis, and as such, I've been following the windows memory analysis field of research closely for the last 3 years. There have been leaps and bounds made over the last year with the release of many great acquisition and analysis tools; however, there are caveats that must be taken into consideration before simply inserting these tools into your investigations. You must know what you're doing, how the tools you're using will impact the system and be able to explain those things to others, whether they be peers or jurors.
Acquisition Tools
The following tools ordered from free to commercial, and they all support newer Windows operating systems including Vista and Server 2003.
- Mandiant Memoryze (free) - Mandiant is one of the first companies that comes to mind when I think about incident response. The company is headed up by Kevin Mandia, considered by many to be the father of incident response, and they've released free tools like First Response, Web Historian and Red Curtain. Memoryze is based on code from their extremely powerful Mandiant Intelligent Response product, it produces a raw, dd-style dump of memory and doubles as an analysis tool.
- Mantech Memory DD or MDD (free) - There isn't much to say about this other than it works. The output is a raw, dd-style dump of memory.
- win32dd (free) - Full-featured memory dumper that dumps to both raw, dd-style and WinDbg-compatible formats. The latter format can be imported into WinDbg for analysis.
- Guidance Software's winen.exe (commercial but included in Helix 2.0) - Dumps memory into an Encase E01 evidence file with the ability to compress the output. To get a raw, dd-style dump, libewf tools or FTK Imager can be used to convert the resulting E01. The version shipping with Encase 6.12 supports SHA-1 hashing.
- Guidance Software's Encase (commercial) - The standalone product allows capture of both physical memory and individual processes from the local machine that Encase Forensic is running on. The screenshot on the right shows what physical memory and the individual processes look like during acquisition.
- F-Response (commercial) - Enables remote, read-only access of physical memory. Another imaging tool is required to do the actual imaging (FTK Imager, Encase, dcfldd). Format of dump depends on tool used for acquisition.
- GMG Systems' KnTDD (commercial) - I'm mainly mentioning KnTDD for posterity's sake because it was the first tool for acquiring memory from newer Windows operating systems, but I've not seen any news of updates recently.
- fastdump (free) - Created by HBGary for use with their Responder Professional tool. It currently doesn't support newer operating systems, but the company says they will release an updated version soon.
Analysis Tools
The following tools support the raw, dd-style physical memory dumps.
- Volatility Framework (free) - Python-based analysis tool with plug-in support like Jesse Kornblum's recent cryptoscan and suspicious. Works great with the tools above.
- Mandiant Memoryze (free) - Reads it's own files and raw, dd-style dumps created by the other tools above. There is a slight focus towards malware detection and output is in XML. See Rob's blog post for examples of using Memoryze for analysis.
- HBGary Responder (commercial) - Very powerful tool for memory analysis and automated reverse engineering of malware. Guidance Software is now a reseller and partner. Encase Forensic's Memory Analyzer EnScript exports physical memory out into a raw, dd-style dump with the .bin extension for analysis by Responder.
- Encase Forensic (commercial) - By itself, the standalone version of Encase does not have direct analysis capabilities without having HBGary Responder installed, but several EnScripts exist for examining memory dumps. The screenshot to the right show some of the available EnScritps that will be discussed in a later blog post.
If you haven't downloaded and tested all of the free tools above, it's time to update and retool because the available options above are powerful, maturing quickly and can help with today's memory resident-only threats and finding those bits of information that never made it to the disk. Take the time to spend a few moments in front of each of the tools to see what they do and how you can fit them into your incident response and forensic procedures.
John Sawyer, GCFA #0257 also currently holds the GCIH and CISSP certifications. He is a Senior Security Engineer on the University of Florida IT Security Team and specializes in intrusion detection, incident response, digital forensics, vulnerability assessment and penetration testing.
