Comparison of Memory Forensic Tools

Currently, we have several options for analyzing memory images. Mandiant released Redline, which replaces Audit Viewer. HBGary distributed Responder Community Edition at CEIC, and Volatility Framework 2.0 was released a few days ago. I tested them, along with my own EnScript, and considered their capabilities and limitations.


If you are new to memory forensics, I recommend Redline without question. Redline supports all 32-bit/64-bit Windows versions and the user interface is graphical.

Besides, Redline has a significant feature called the Malware Risk Index (MRI) that detects malicious processes. Responder CE is also a GUI tool and supports all versions and architectures, but it limits image size to 6GB and has no function like MRI.

Redline and Responder can detect kernel objects unlinked by DKOM. On the flip side, they cannot extract terminated processes or closed network connections. Therefore, I think HBGary and Mandiant don't implement the Object Fingerprint Search method. Some modules of Volatility Framework (the *scan modules) carve kernel objects by searching for pool tags in pool headers, so Volatility can recover information about dead processes, closed sockets, unloaded kernel drivers, and so on. EnScript can also do that because its code is based on Volatility.
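As an added illustration of how the *scan modules carve objects by pool tag (this is example code written for this post, not Volatility's or EnScript's own), here is a minimal 32-bit pool-tag scanner run over a constructed image. The object body layout (a 16-byte name at the start of the body) and the sample allocations are assumptions for the demo; a real _EPROCESS is much larger and needs further sanity checks.

```python
import struct

# 32-bit _POOL_HEADER layout (8 bytes): two 16-bit words followed by the 4-byte tag.
#   word1: PreviousSize (9 bits) | PoolIndex (7 bits)
#   word2: BlockSize    (9 bits) | PoolType  (7 bits)    sizes are in 8-byte units
POOL_HEADER_FMT = "<HH4s"
POOL_HEADER_SIZE = struct.calcsize(POOL_HEADER_FMT)
PROC_TAG = b"Pro\xe3"   # "Proc" with the protected-pool bit set on the last byte

def build_allocation(tag, body, pool_type=1):
    """Constructed sample allocation: an 8-byte pool header followed by a padded body."""
    total = POOL_HEADER_SIZE + len(body)
    total += (-total) % 8                       # pool blocks are 8-byte granular
    body = body.ljust(total - POOL_HEADER_SIZE, b"\0")
    word2 = ((total // 8) & 0x1FF) | ((pool_type & 0x7F) << 9)
    return struct.pack(POOL_HEADER_FMT, 0, word2, tag) + body

def pool_scan(image, tag, min_block_bytes):
    """Find every pool allocation carrying `tag`, whether or not the OS still links it."""
    hits = []
    pos = image.find(tag)
    while pos != -1:
        header_off = pos - 4                    # the tag sits at offset 4 of the header
        if header_off >= 0:
            _, word2, _ = struct.unpack_from(POOL_HEADER_FMT, image, header_off)
            block_bytes = (word2 & 0x1FF) * 8
            pool_type = word2 >> 9
            # Sanity checks a real scanner applies: plausible size, block inside the image.
            if block_bytes >= min_block_bytes and header_off + block_bytes <= len(image):
                body = image[header_off + POOL_HEADER_SIZE: header_off + block_bytes]
                hits.append({"offset": header_off, "size": block_bytes,
                             "pool_type": pool_type,
                             "name": body[:16].rstrip(b"\0").decode()})
        pos = image.find(tag, pos + 1)
    return hits

# Constructed image: two "live" objects, a decoy tag inside plain data (no sane header,
# so it is rejected), and a "terminated" object that was unlinked from the active list
# but whose pool block has not been reused yet. The scanner recovers it anyway.
IMAGE = (b"\x00" * 24
         + build_allocation(PROC_TAG, b"svchost.exe".ljust(16, b"\0") + b"\x11" * 40)
         + b"\xAA" * 13
         + build_allocation(PROC_TAG, b"explorer.exe".ljust(16, b"\0") + b"\x22" * 40)
         + b"decoy " + PROC_TAG + b" text"
         + build_allocation(PROC_TAG, b"cmd.exe".ljust(16, b"\0") + b"\x33" * 40)
         + b"\x00" * 16)

if __name__ == "__main__":
    for hit in pool_scan(IMAGE, PROC_TAG, min_block_bytes=64):
        print(hit)
```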

Volatility Framework can parse three image formats (raw/crash dump/hibernation). This is useful for acquiring volatile data from powered-off laptops. Additionally, Volatility Framework is open source and many developers have joined the community. However, Volatility Framework currently supports only the 32-bit architecture. I hope Volatility will support 64-bit machines.

EnScript CDA (Crash Dump Analyzer) extracts volatile information from x64 memory images, and EnScript has multilingual keyword search and similar-process detection (by entropy) functions, but its overall capability is slightly poor compared to the other tools because I'm lazy.

There is no perfect tool. Investigators should analyze RAM with a combination of tools. Primarily, use Redline. If you want to extract freed objects such as terminated processes and closed TCP connections, use Volatility Framework/EnScript. If you examine Windows 7 or Server 2008 images, you should validate network connection information using multiple tools, because some tools occasionally miss connection objects.

By the way, Moonsols conversion tools like bin2dmp/dmp2bin sometimes fail. So when you acquire a memory image, I recommend acquiring images in multiple formats (raw/crash dump). In my experience, this seems to happen in the case of Windows 7/2008 x64 images.
