Wednesday, November 5, 2008

Memoryze This

At the Hack in the Box security conference in Malaysia on Wednesday, Mandiant’s Peter Silberman announced the release of Mandiant’s newest free tool for incident response and forensic investigations. The tool, Memoryze, is the latest memory analysis tool that first responders should consider adding to their toolkit for acquiring physical memory from running Windows systems. This summer saw the release of several other tools that do the same thing, but they stopped at acquiring a forensic image (or copy) of physical memory. Memoryze goes further and provides advanced analysis capabilities both for physical memory on live, running Windows systems and for memory images previously acquired from running systems.

I spent a couple of hours working with Memoryze in the wee hours of this morning and found it to be quite powerful. It acquires memory quickly and writes it in a raw format that can be read by other memory analysis tools like the Volatility Framework. I tested Memoryze's ability to read physical memory images acquired by itself, ManTech’s mdd, Guidance Software's winen, and win32dd. Note: For winen, I had to convert the EnCase format to a raw dd format using FTK Imager first. I didn't have any problems analyzing all four images acquired by the various tools. Additionally, I tested Volatility with similar success.

1 comment:

surya said...

Hi Azmath, I am the a2zhacks.blogspot.com owner. I want to know when you signed up for Google Ads, because I too want to participate in this program.