SANS Digital Forensics and Incident Response Blog: Tag - Memoryze

Extracting Event Logs or Other Memory Mapped Files from Memory Dumps

Since Windows Event Logs are actually mapped into the memory space of the services.exe process, it's relatively simple, now that appropriate analysis tools such as Memoryze/Auditviewer from Mandiant, or Volatility from Volatile Systems are available, to extract them from a memory dump for analysis. This can come in quite handy if the data from the HD is unavailable for some reason.

You can do this in either Volatility or in Auditviewer. I'll cover the Volatility method to start. (If you need to get and install Volatility from scratch, I recommend Jamie


Digital Forensics How-To: Memory Analysis with Mandiant Memoryze

Mandiant's Memoryze tool is without question one of the best forensic tools available. It is an incredibly powerful memory analysis suite that should be part of every incident responder's toolkit. It's free, but requires some patience to traverse the learning curve. Memoryze was built by Jamie Butler and Peter Silberman, a couple of hardcore memory / malware analysts that operate on a completely different level than most of us mere mortals. In this post I'll cover how to get started with Memoryze, because if you haven't added memory analysis to your intrusion investigations, there is a whole lot of evil out there that you are missing.

Getting Started

The first step is to go out and download the tool. An important thing to keep in mind is that Memoryze actually consists of two components: Memoryze and Audit Viewer. Each must be downloaded individually from the free tools section of the Mandiant

Windows Physical Memory: Finding the Right Tool for the Job

I'm a big proponent of live incident response and forensic analysis, and as such, I've been following the Windows memory analysis field of research closely for the last 3 years. There have been leaps and bounds made over the last year with the release of many great acquisition and analysis tools; however, there are caveats that must be taken into consideration before simply inserting these tools into your investigations. You must know what you're doing, how the tools you're using will impact the system, and be able to explain those things to others, whether they be peers or jurors.

I also believe in having more than one "right" tool for the job as it gives me choices as I conduct an investigation and it provides validation that each tool is doing what it should. Below is a comprehensive list of available tools accompanied by screenshots

Memory Forensic Acquisition and Analysis 101

Stop Pulling The Plug!!


Over the past several years, many tools have been released that have focused on memory acquisition from Windows systems. The next step in memory forensics is analysis. Starting with the DFRWS 2005 challenge, memory forensic analysis began a life that went beyond a rudimentary string search or data carve. Analysts were finally able to extract process-related data from memory captured from a machine.

In 2008, this culminated with many professionals stating at the SANS Forensic Summit that the day of "pulling the plug" during evidence