New Analysis Tools For Windows Memory

Last week I looked at some creative uses of log analysis for detecting malware, and ways to acquire Windows physical memory for analysis. What I've seen time and time again is where those in charge of security don't even bother to log information from their systems and applications, leading them to a much larger incident response scenario than if they could detect it sooner.It's situations like those where the incident process could have been much quicker and less time-consuming had they been regularly performing simple searches on logs to know what's going on within their network. Log analysis is tedious work; I won't deny that, but it can save a lot of headaches later on. Yeah, I know. Enough preaching about logs...let's dig into some of the tools for analyzing those dumps of Windows memory we talked about acquiring on Friday.

So, now that you have an image or direct access to Windows memory, what are you going to do with it? There's a large number of tools that have been released in the last few years to aid with this. Two of my recently updated favorites are HBGary Responder Pro and the tag-team duo of Memoryze and Audit Viewer. There are certainly others, but I find myself going back to them more often lately because they work well, and they support more versions of Windows.

AccessData's Forensic Toolkit (FTK) newest version 3 does deserve an honorable mention because the latest version adds some great memory analysis features not available in previous versions. It also combines analysis of the Windows pagefile and a memory dump for a more complete picture of what's going on. This is something that most other tools do not do with the exception of Responder Pro. Memoryze will use the pagefile, but only during live analysis. There may be some others but I'm not aware of them at this time.

I like Responder Pro because it has really well-laid out interface and will acquire memory, analyze memory, disassemble binaries (executables), record an executable's behavior, and more. It comes with FastDump Pro that will acquire memory and the pagefile in addition to "probing" processes so that parts of memory that have been paged out to the page file will be pushed up into physical memory prior to imaging.

Last week, I was testing a few Zeus executables I pulled from the Zeus Tracker. With Responder's Recon utility, I was able to load the malware and it traced all of the behavior so I could see what modifications were made to the file system, the Windows Registry, and associated network connections. There is a timeline feature that lets you walk through the changes and showed a graph of program execution similar to what you see when you disassemble an executable in IDA Pro. Very cool stuff.

The combination of Mandiant's Memoryze and Audit Viewer is a powerful, free solution for both memory acquisition and analysis. On the analysis front, Audit Viewer provides a GUI to the XML reports generated by Memoryze. It's tabbed interface makes it easy to dig through the results for all processes, files, directories, registry keys, DLLs, strings, ports, and more. There's other features, too, besides the standard memory analysis such as marking processes red that have injected DLLs and the new Malware Rating Index.

Now, you've got the tools to do acquisition and analysis of Windows memory. Go out and start testing the tools to see what fits best for you organization's incident response procedures. Having memory on hand will greatly enhance your ability to determine the who, what, and how of security incident.

John H. Sawyer is a senior security engineer on the IT Security Team at the University of Florida. The views and opinions expressed in this blog are his own and do not represent the views and opinions of the UF IT Security Team or the University of Florida. When John's not fighting flaming, malware-infested machines or performing autopsies on blitzed boxes, he can usually be found hanging with his family, bouncing a baby on one knee and balancing a laptop on the other. Special to Dark Reading.