MANDIANT Memoryze is free memory forensic software that helps incident responders find evil in live memory. Memoryze can acquire and/or analyze memory images, and on live systems can include the paging file in its analysis.
MANDIANT Memoryze features:
- image the full range of system memory (not reliant on API calls).
- image a process' entire address space to disk. This includes a process' loaded DLLs, EXEs, heaps, and stacks.
- image a specified driver or all drivers loaded in memory to disk.
- enumerate all running processes (including those hidden by rootkits). For each process, Memoryze can:
  - report all open handles in a process (for example, all files, registry keys, etc.).
  - list the virtual address space of a given process, including:
    - displaying all loaded DLLs.
    - displaying all allocated portions of the heap and execution stack.
  - list all network sockets that the process has open, including any hidden by rootkits.
  - specify the functions imported by the EXE and DLLs.
  - specify the functions exported by the EXE and DLLs.
  - hash the EXE and DLLs in the process address space (MD5, SHA1, SHA256; this is disk based).
  - verify the digital signatures of the EXE and DLLs (this is disk based).
  - output all strings in memory on a per-process basis.
- identify all drivers loaded in memory, including those hidden by rootkits. For each driver, Memoryze can:
  - specify the functions the driver imports.
  - specify the functions the driver exports.
  - hash the driver (MD5, SHA1, SHA256; this is disk based).
  - verify the digital signature of the driver (this is disk based).
  - output all strings in memory on a per-driver basis.
- report device and driver layering, which can be used to intercept network packets, keystrokes and file activity.
- identify all loaded kernel modules by walking a linked list.
- identify hooks (often used by rootkits) in the System Call Table, the Interrupt Descriptor Tables (IDTs), and driver function tables (IRP tables).
Memoryze supports analysis of the following operating systems:
- Windows 2000 Service Pack 4
- Windows XP Service Pack 2 and Service Pack 3 (32-bit)
- Windows 2003 Service Pack 2 (32-bit)
- Windows Vista Service Pack 1 and Service Pack 2 (32-bit)
- Windows 2003 Service Pack 2 (64-bit)
Check out the ways you can use Memoryze.
And, if you like Memoryze's standalone capabilities, check out MANDIANT Intelligent Response. It's our enterprise-grade incident response accelerator. MIR has all the memory forensics of Memoryze, plus a lot more... making enterprise live response faster and easier, especially for teams of responders. Imagine Memoryze doing deep memory forensics on thousands of machines at a time, then having the results easily searchable to find where evil is hiding across your enterprise. Then add disk analysis and live response. That's Intelligent Response.