Forensics Made Easy with Memoryze

Researchers have devised a new, more efficient way to glean attacker information from a machine’s physical memory, which often contains valuable bits of evidence that can help get to the bottom of a breach investigation.

The new physical memory forensics feature is now part of Mandiant’s free Memoryze tool.

Previous forensics techniques attempted to reduce the number of binaries that had to be examined using so-called pattern-matching. The Mandiant researchers used hashing instead to shrink a large amount of data into known-good and known-bad chunks — legitimate Windows processes and third-party apps would fall in the “good” category, for example.

Butler and Murdock demonstrated how to generate a hash of a binary from memory that matches the hash on disk. “Using this technique of comparing hashes and eliminating the things we already know about, we can greatly reduce the dataset of things that need to be investigated further,” Butler says.
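The idea behind comparing in-memory hashes to on-disk hashes, as an added illustration that is not Mandiant's or Memoryze's own code: a module loaded in memory rarely hashes the same as its file on disk because the loader rewrites absolute pointers (relocations), so the hash has to be taken over a normalized copy. This toy assumes a simplified image in which relocated pointers are the only difference between disk and memory; the image bytes, relocation offsets, module names and hash sets are all constructed here.

```python
import hashlib
import struct

PREFERRED_BASE = 0x10000000   # constructed preferred load address
RELOC_OFFSETS = [8, 20]       # constructed relocation table: offsets of absolute pointers

def build_image(base):
    """Build the toy 32-byte image as it looks when loaded at `base`."""
    body = bytearray(b"\x90" * 32)            # constructed filler 'code'
    body[0:4] = b"MZ\x00\x00"                 # fake header marker
    for off in RELOC_OFFSETS:
        body[off:off + 4] = struct.pack("<I", base + 0x1000)  # rebased pointer
    return bytes(body)

def normalized_hash(image, reloc_offsets):
    """SHA-256 over the image with every relocation slot zeroed, so the
    memory copy hashes identically to the disk copy whatever the load base."""
    buf = bytearray(image)
    for off in reloc_offsets:
        buf[off:off + 4] = b"\x00\x00\x00\x00"
    return hashlib.sha256(buf).hexdigest()

def triage(memory_modules, known_good, known_bad):
    """Sort in-memory modules into bad / good / unknown by normalized hash.
    memory_modules: dict name -> (image_bytes, reloc_offsets).
    Only the 'unknown' bucket needs further analyst attention."""
    result = {"good": [], "bad": [], "unknown": []}
    for name, (image, relocs) in memory_modules.items():
        h = normalized_hash(image, relocs)
        if h in known_bad:
            result["bad"].append(name)
        elif h in known_good:
            result["good"].append(name)
        else:
            result["unknown"].append(name)
    return result

def demo():
    disk_copy = build_image(PREFERRED_BASE)
    memory_copy = build_image(0x7FF00000)     # same module, rebased at load time
    naive_match = hashlib.sha256(disk_copy).digest() == hashlib.sha256(memory_copy).digest()
    norm_match = normalized_hash(disk_copy, RELOC_OFFSETS) == normalized_hash(memory_copy, RELOC_OFFSETS)
    known_good = {normalized_hash(disk_copy, RELOC_OFFSETS)}   # hash of the on-disk file
    injected = b"\xcc" * 32                   # constructed module with no disk counterpart
    modules = {"legit.dll": (memory_copy, RELOC_OFFSETS), "injected.dll": (injected, [])}
    return naive_match, norm_match, triage(modules, known_good, set())

if __name__ == "__main__":
    print(demo())
```

The naive hash of the memory copy never matches the file, while the normalized hash does, leaving only the module with no disk counterpart for the analyst to examine.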

The bottom line: Attackers leave a bigger memory footprint than they realize.