SANS Digital Forensics and Incident Response Blog

Windows Physical Memory: Finding the Right Tool for the Job

I'm a big proponent of live incident response and forensic analysis, and as such, I've been following the windows memory analysis field of research closely for the last 3 years. There have been leaps and bounds made over the last year with the release of many great acquisition and analysis tools; however, there are caveats that must be taken into consideration before simply inserting these tools into your investigations. You must know what you're doing, how the tools you're using will impact the system and be able to explain those things to others, whether they be peers or jurors.

I also believe in having more than one "right" tool for the job, as it gives me choices as I conduct an investigation and it provides validation that each tool is doing what it should. Below is a comprehensive list of available tools, accompanied by screenshots where available. Note: Enterprise solutions like AccessData Enterprise, Encase Enterprise and Mandiant Intelligent Response are not included in this list.

Acquisition Tools

The following tools are ordered from free to commercial, and all of them support newer Windows operating systems, including Vista and Server 2003.

  • Mandiant Memoryze (free) - Mandiant is one of the first companies that comes to mind when I think about incident response. The company is headed up by Kevin Mandia, considered by many to be the father of incident response, and they've released free tools like First Response, Web Historian and Red Curtain. Memoryze is based on code from their extremely powerful Mandiant Intelligent Response product; it produces a raw, dd-style dump of memory and doubles as an analysis tool.
  • Mantech Memory DD or MDD (free) - There isn't much to say about this other than it works. The output is a raw, dd-style dump of memory.
  • win32dd (free) - Full-featured memory dumper that dumps to both raw, dd-style and WinDbg-compatible formats. The latter format can be imported into WinDbg for analysis.
  • Guidance Software's winen.exe (commercial but included in Helix 2.0) - Dumps memory into an Encase E01 evidence file with the ability to compress the output. To get a raw, dd-style dump, libewf tools or FTK Imager can be used to convert the resulting E01. The version shipping with Encase 6.12 supports SHA-1 hashing.
  • Guidance Software's Encase (commercial) - The standalone product allows capture of both physical memory and individual processes from the local machine that Encase Forensic is running on. The screenshot on the right shows what physical memory and the individual processes look like during acquisition.
  • F-Response (commercial) - Enables remote, read-only access to physical memory. Another imaging tool is required to do the actual imaging (FTK Imager, Encase, dcfldd). The format of the dump depends on the tool used for acquisition.
  • GMG Systems' KnTDD (commercial) - I'm mainly mentioning KnTDD for posterity's sake because it was the first tool for acquiring memory from newer Windows operating systems, but I've not seen any news of updates recently.
  • fastdump (free) - Created by HBGary for use with their Responder Professional tool. It currently doesn't support newer operating systems, but the company says they will release an updated version soon.
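Whichever acquisition tool you pick, the step that makes the dump defensible later is the same: hash it as it is captured, record which tool produced it, and re-verify after any conversion (for example turning winen's E01 into a raw image with libewf or FTK Imager, then checking the raw file against the SHA-1 winen recorded). The following Python script is an added example of that bookkeeping; it is not from the original post or from any of the vendors above. The manifest layout, the file names and the three-byte stand-in "dump" are constructed for this example.

```python
import hashlib
import json
import os
import time


def hash_image(path, chunk_size=4 * 1024 * 1024):
    """Stream a dump through MD5 and SHA-1 (the digests imaging tools such as
    winen record) without loading a multi-gigabyte file into memory."""
    md5, sha1, size = hashlib.md5(), hashlib.sha1(), 0
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            md5.update(block)
            sha1.update(block)
            size += len(block)
    return {"size": size, "md5": md5.hexdigest(), "sha1": sha1.hexdigest()}


def write_manifest(path, tool, notes=""):
    """Record which tool produced the dump, when, how large it is and its
    hashes, in a JSON file beside the image (the manifest layout is an
    assumption of this example, not any tool's format)."""
    entry = {
        "image": os.path.basename(path),
        "tool": tool,
        "recorded_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "notes": notes,
    }
    entry.update(hash_image(path))
    with open(path + ".manifest.json", "w") as f:
        json.dump(entry, f, indent=2)
    return entry


def verify_image(path, expected_sha1):
    """Re-hash an image and compare it with the SHA-1 recorded at capture
    time, e.g. after converting an E01 to raw. Returns a dict so the caller
    can log both the verdict and the values that were compared."""
    actual = hash_image(path)
    expected = expected_sha1.strip().lower()
    return {
        "ok": actual["sha1"] == expected,
        "expected_sha1": expected,
        "actual_sha1": actual["sha1"],
        "size": actual["size"],
    }


def compare_acquisitions(manifest_a, manifest_b):
    """Two live captures of the same box will never hash alike (memory changed
    between them), so cross-tool validation compares sizes and tool names
    rather than digests. A size difference is something you should be able
    to explain before the two dumps are compared any further."""
    return {
        "same_size": manifest_a["size"] == manifest_b["size"],
        "size_a": manifest_a["size"],
        "size_b": manifest_b["size"],
        "tools": (manifest_a["tool"], manifest_b["tool"]),
    }


if __name__ == "__main__":
    # Constructed stand-in for a dump so the script runs offline.
    with open("constructed_dump.raw", "wb") as f:
        f.write(b"abc")
    m = write_manifest("constructed_dump.raw", tool="win32dd", notes="constructed sample")
    print(json.dumps(m, indent=2))
    print(verify_image("constructed_dump.raw", m["sha1"]))
```

Point `write_manifest` at the raw file immediately after capture and `verify_image` at the converted copy; the manifest is what you hand to a peer who wants to reproduce the hash, and the returned dicts are what you paste into your notes.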

Analysis Tools

The following tools support the raw, dd-style physical memory dumps.

  • Volatility Framework (free) - Python-based analysis tool with plug-in support, including Jesse Kornblum's recent cryptoscan and suspicious plug-ins. Works great with the tools above.
  • Mandiant Memoryze (free) - Reads its own files and raw, dd-style dumps created by the other tools above. There is a slight focus on malware detection, and output is in XML. See Rob's blog post for examples of using Memoryze for analysis.
  • HBGary Responder (commercial) - Very powerful tool for memory analysis and automated reverse engineering of malware. Guidance Software is now a reseller and partner. Encase Forensic's Memory Analyzer EnScript exports physical memory out into a raw, dd-style dump with the .bin extension for analysis by Responder.
  • Encase Forensic (commercial) - By itself, the standalone version of Encase does not have direct analysis capabilities without having HBGary Responder installed, but several EnScripts exist for examining memory dumps. The screenshot to the right shows some of the available EnScripts, which will be discussed in a later blog post.
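Every analysis tool in this list has to get its bearings in a raw dump before it can list processes or modules; Volatility, for instance, begins by locating the kernel debugger data block (KDBG) by its owner tag. The script below is an added example in that spirit, written for this post and not taken from the Volatility project or any other tool: it searches a raw, dd-style image for the `KDBG` tag, applies a size plausibility check so stray occurrences of the string are rejected, and reads the kernel base plus the PsActiveProcessHead and PsLoadedModuleList pointers at their offsets in the public _KDDEBUGGER_DATA64 layout. The image it scans is constructed inside the script with illustrative XP-style values, and the accepted size window is a heuristic assumption.

```python
import struct

# Field offsets inside _KDDEBUGGER_DATA64 (public wdbgexts.h layout):
# 0x00 List (LIST_ENTRY64), 0x10 OwnerTag, 0x14 Size, 0x18 KernBase,
# 0x48 PsLoadedModuleList, 0x50 PsActiveProcessHead.
TAG_OFFSET = 0x10
KERNBASE_OFFSET = 0x18
PSLOADEDMODULELIST_OFFSET = 0x48
PSACTIVEPROCESSHEAD_OFFSET = 0x50
RECORD_LEN = 0x58  # bytes needed from the block start to read the fields above


def build_sample_image():
    """Constructed 64 KiB image: zero filler, a PE-like marker on every page,
    one KDBG block at 0x3000 with illustrative XP-style values, and a decoy
    'KDBG' string at 0x5000 whose following bytes are not a plausible size."""
    img = bytearray(0x10000)
    for page in range(0, len(img), 0x1000):
        img[page:page + 4] = b"MZ\x90\x00"
    header = struct.pack("<QQ4sI", 0, 0, b"KDBG", 0x290)  # List, OwnerTag, Size
    body = struct.pack(
        "<QQQHHHHQQQQ",
        0x804D7000,  # KernBase
        0x8052A5A0,  # BreakpointWithStatus
        0,           # SavedContext
        0, 0, 0, 1,  # ThCallbackStack, NextCallback, FramePointer, PaeEnabled
        0x804D8E7C,  # KiCallUserMode
        0x7C90EAC0,  # KeUserCallbackDispatcher
        0x8055A420,  # PsLoadedModuleList
        0x805620B8,  # PsActiveProcessHead
    )
    img[0x3000:0x3000 + len(header) + len(body)] = header + body
    img[0x5000:0x5008] = b"KDBGBUG!"  # decoy: tag present, size field is garbage
    return bytes(img)


def scan_kdbg(image, min_size=0x200, max_size=0x800):
    """Return every plausible KDBG block in an in-memory image as a dict of
    physical offset plus the pointers an analysis tool needs to start walking
    kernel lists. The size window is a heuristic that known builds fall inside."""
    hits = []
    pos = image.find(b"KDBG")
    while pos != -1:
        start = pos - TAG_OFFSET
        if start >= 0 and start + RECORD_LEN <= len(image):
            size = struct.unpack_from("<I", image, pos + 4)[0]
            if min_size <= size <= max_size:
                (kernbase,) = struct.unpack_from("<Q", image, start + KERNBASE_OFFSET)
                (modules,) = struct.unpack_from("<Q", image, start + PSLOADEDMODULELIST_OFFSET)
                (procs,) = struct.unpack_from("<Q", image, start + PSACTIVEPROCESSHEAD_OFFSET)
                hits.append({
                    "offset": start,
                    "size": size,
                    "KernBase": kernbase,
                    "PsLoadedModuleList": modules,
                    "PsActiveProcessHead": procs,
                })
        pos = image.find(b"KDBG", pos + 1)
    return hits


def scan_file(path, chunk=64 * 1024 * 1024):
    """Scan a dump file in chunks, carrying RECORD_LEN - 1 bytes of overlap so
    a block that straddles a chunk boundary is reported exactly once."""
    hits, carry, base = [], b"", 0  # base = file offset of buf[0]
    with open(path, "rb") as f:
        while True:
            data = f.read(chunk)
            if not data:
                break
            buf = carry + data
            for hit in scan_kdbg(buf):
                hit["offset"] += base
                hits.append(hit)
            carry = buf[-(RECORD_LEN - 1):]
            base += len(buf) - len(carry)
    return hits


if __name__ == "__main__":
    for hit in scan_kdbg(build_sample_image()):
        print({k: hex(v) for k, v in hit.items()})
```

The pointers it returns are kernel virtual addresses, not offsets into the file; following PsActiveProcessHead into the process list means translating through the kernel's page tables, which is the work Volatility's plug-ins do on top of this first step.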

If you haven't downloaded and tested all of the free tools above, it's time to update and retool, because the options above are powerful, maturing quickly and can help with today's memory-resident-only threats and with finding those bits of information that never made it to the disk. Take the time to spend a few moments in front of each of the tools to see what they do and how you can fit them into your incident response and forensic procedures.

John Sawyer, GCFA #0257 also currently holds the GCIH and CISSP certifications. He is a Senior Security Engineer on the University of Florida IT Security Team and specializes in intrusion detection, incident response, digital forensics, vulnerability assessment and penetration testing.

3 Comments

Posted December 20, 2008 at 9:01 PM

rsreese

Very nice list. I will definitely have to hold on to this link.

Posted January 3, 2009 at 10:25 PM

kleanchap

Thank you for this list! I have tried Helix but it did not work. Right now I am downloading the latest version of Helix; probably that will do it. However, the tools you listed are a big help.
To run these tools from a USB drive, would I need a U3 device?
Thank you once again.

Posted January 4, 2009 at 6:20 PM

keydet89

kleanchap,
> To run these tools from a USB drive, would I need a U3 device?
I'm sure it may depend on the tool, but for the most part, I can't think of a reason why you WOULD need a U3 device.