With Memoryze 3.0, the folks at Mandiant hit their mid-summer goal to roll out memory analysis support for Windows 8 (x86 and x64) and Server 2012 (x64). While support has not yet been rolled into Redline collector scripts, data collected by Memoryze can be loaded and analyzed in the Redline interface. This is no real surprise since Memoryze is the back-end collection and analysis tool that Redline relies upon.
You can dump Windows memory and process your memory image with the following commands (run MemoryDD.bat from a removable device and Process.bat on your forensic box):
MemoryDD.bat -output E:\\
Process.bat -input memory.img -handles true -sections true -ports true -imports true -exports true -injected true -strings true
To perform live memory analysis and take advantage of capabilities like ...
A key component of any investigation is the type of data exfiltrated. If sensitive data is on a compromised machine, risk is increased significantly. Also, there is a patch work of legislation covering various types of data which is considered sensitive (http://www.reyrey.com/regulations/). In general, social security and credit card numbers are at the top of the concern list. Since many states have encryption exemptions, a forensicator needs to know, does any media storage in the case have sensitive data in the clear?
Data can be encrypted by system administrators/DBAs or by attackers. Attackers usually encrypt data as part of the staging process prior to data exfiltation. Attackers commonly password protected and compressed the data as a .rar file. With strong passwords (32+ character pass-phrases) .rar files can be difficult to almost impossible to open with normal computing power.
Using a cross
More than 450 participants completed the SANS 2013 Digital Forensics Survey, conducted online during April
and May 2013. A primary goal of this survey was to identify the nontraditional areas where digital forensics
techniques are used. The survey can be downloadedHERE.
A webcast introducing the Survey earlier this month can be found here: https://www.sans.org/webcasts/digital-forensics-modern-times-survey-96645
The survey written by Paul Henry, Jacob Williams, and Benjamin Wright.
In the survey 54% of respondents indicated
Like many of you, I have been watching the development of memory forensics over the last two years with a sense of awe. It is amazing how far the field has come since the day Chris Betz, George Garner and Robert-Jan Moral won the 2005 DFRWS forensics challenge. Of course, similar to other forensic niches, the majority of progress has been made on Windows memory forensics. There is good reason for this. Memory can be extremely fickle, with layouts and structures changing on a whim. As an example, the symbols file for Windows 7 SP1x86 is 330MB, largely due to it needing to support major changes that can occur in every service pack and patch. The fact that we have free tools such as Volatile Systems Volatilityand Mandiant
Through July 11, 2013 you can receive a 11" 128GB MacBook Air (just-announced newest model), Toshiba Satellite U925T-S2120 Ultrabook Convertible, or an $850 discount when you register and pay for a qualifying *vLive or OnDemand course!