Windows Memory Forensics Tools

SANS recently published a good summary of Windows memory forensics acquisition and analysis tools. It’s a good compilation of must-have tools for the right occasion.

Here I give a summary of the tools; the English is basic and easy to follow, so I’m not going to translate it xD

Acquisition Tools

The following tools are ordered from free to commercial, and they all support newer Windows operating systems, including Vista and Server 2003.

  • Mandiant Memoryze (free) - Mandiant is one of the first companies that comes to mind when I think about incident response. The company is headed up by Kevin Mandia, considered by many to be the father of incident response, and they’ve released free tools like First Response, Web Historian and Red Curtain. Memoryze is based on code from their extremely powerful Mandiant Intelligent Response product; it produces a raw, dd-style dump of memory and doubles as an analysis tool.
  • Mantech Memory DD or MDD (free) - There isn’t much to say about this other than it works. The output is a raw, dd-style dump of memory.
  • win32dd (free) - Full-featured memory dumper that dumps to both raw, dd-style and WinDbg-compatible formats. The latter format can be imported into WinDbg for analysis.
  • Guidance Software’s winen.exe (commercial but included in Helix 2.0) - Dumps memory into an Encase E01 evidence file with the ability to compress the output. To get a raw, dd-style dump, libewf tools or FTK Imager can be used to convert the resulting E01. The version shipping with Encase 6.12 supports SHA-1 hashing.
  • Guidance Software’s Encase (commercial) - The standalone product allows capture of both physical memory and individual processes from the local machine that Encase Forensic is running on. The screenshot on the right shows what physical memory and the individual processes look like during acquisition.
  • F-Response (commercial) - Enables remote, read-only access to physical memory. Another imaging tool is required to do the actual imaging (FTK Imager, Encase, dcfldd). The format of the dump depends on the tool used for acquisition.
  • GMG Systems’ KnTDD (commercial) - I’m mainly mentioning KnTDD for posterity’s sake because it was the first tool for acquiring memory from newer Windows operating systems, but I’ve not seen any news of updates recently.
  • fastdump (free) - Created by HBGary for use with their Responder Professional tool. It currently doesn’t support newer operating systems, but the company says they will release an updated version soon.
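Whatever tool produces the dump, the first thing to do once it exists is to record its size and hashes, so that the copy handed to Volatility or Responder later can be shown to be the same bytes that were acquired. The following script is an added example written for this post; it is not part of the SANS summary or of any of the tools above. It hashes a raw, dd-style dump in chunks (the files are often several GiB), writes a small sidecar manifest, and re-verifies the dump against it; the dump and manifest file names, the manifest format and the demo data are all constructed for the example.

```python
"""Record and verify the integrity of a raw (dd-style) memory dump.

Added example for this post; not code from SANS or from any of the
acquisition tools listed. File names and manifest format are assumptions.
"""
import hashlib
import os
import tempfile

CHUNK_SIZE = 1024 * 1024  # read in 1 MiB chunks so multi-GiB dumps never sit in RAM


def hash_dump(path, algorithms=("sha1", "sha256")):
    """Return {algorithm: hexdigest} for the file at `path`, read in chunks."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(CHUNK_SIZE)
            if not chunk:
                break
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def write_manifest(dump_path, manifest_path):
    """Write 'size N' plus one '<algorithm> <hex>' line per digest (assumed format)."""
    digests = hash_dump(dump_path)
    size = os.path.getsize(dump_path)
    with open(manifest_path, "w") as fh:
        fh.write(f"size {size}\n")
        for name, digest in digests.items():
            fh.write(f"{name} {digest}\n")
    return digests


def read_manifest(manifest_path):
    """Parse the manifest back into {key: value} (size and each algorithm)."""
    expected = {}
    with open(manifest_path) as fh:
        for line in fh:
            key, value = line.split()
            expected[key] = value
    return expected


def verify_dump(dump_path, manifest_path):
    """Return (ok, problems): ok is True only if size and every digest match."""
    expected = read_manifest(manifest_path)
    problems = []
    actual_size = os.path.getsize(dump_path)
    if str(actual_size) != expected.get("size"):
        problems.append(f"size mismatch: {actual_size} != {expected.get('size')}")
    algorithms = [k for k in expected if k != "size"]
    actual = hash_dump(dump_path, algorithms)
    for name, digest in actual.items():
        if digest != expected[name]:
            problems.append(f"{name} mismatch")
    return (not problems, problems)


def demo():
    """Constructed demo: a fake 'dump', a manifest, then one flipped byte.

    Returns (ok_before, ok_after, problems) so the result can be checked.
    """
    with tempfile.TemporaryDirectory() as tmp:
        dump = os.path.join(tmp, "memory.dd")            # assumed file name
        manifest = os.path.join(tmp, "memory.dd.hashes")  # assumed file name
        with open(dump, "wb") as fh:
            fh.write(os.urandom(3 * CHUNK_SIZE + 17))     # constructed, not a real dump
        write_manifest(dump, manifest)
        ok_before, _ = verify_dump(dump, manifest)
        # Simulate a single-bit change somewhere in the second chunk.
        with open(dump, "r+b") as fh:
            fh.seek(CHUNK_SIZE + 5)
            original = fh.read(1)
            fh.seek(CHUNK_SIZE + 5)
            fh.write(bytes([original[0] ^ 0x01]))
        ok_after, problems = verify_dump(dump, manifest)
        return ok_before, ok_after, problems


if __name__ == "__main__":
    print(demo())
```

Two digests are recorded because winen’s SHA-1 support is the only hashing mentioned above; keeping a SHA-256 alongside it costs one extra pass over the same chunks and avoids relying on SHA-1 alone. The size line is checked first so that a truncated copy is reported as such rather than only as a hash mismatch.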

Analysis Tools

The following tools support the raw, dd-style physical memory dumps.

  • Volatility Framework (free) - Python-based analysis tool with plug-in support, such as Jesse Kornblum’s recent cryptoscan and suspicious plug-ins. Works great with the tools above.
  • Mandiant Memoryze (free) - Reads its own files and raw, dd-style dumps created by the other tools above. There is a slight focus towards malware detection, and output is in XML. See Rob’s blog post for examples of using Memoryze for analysis.
  • HBGary Responder (commercial) - Very powerful tool for memory analysis and automated reverse engineering of malware. Guidance Software is now a reseller and partner. Encase Forensic’s Memory Analyzer EnScript exports physical memory into a raw, dd-style dump with the .bin extension for analysis by Responder.
  • Encase Forensic (commercial) - By itself, the standalone version of Encase does not have direct analysis capabilities without having HBGary Responder installed, but several EnScripts exist for examining memory dumps. The screenshot to the right shows some of the available EnScripts, which will be discussed in a later blog post.

If you want to see the original post, here is the link :D

SANS forensics

Regards
