Monday, February 22, 2010

Analyzing RAM Dumps

After talking to several colleagues about RAM dump analysis, I found that it's not quite as common as I thought it was. So, I will give y'all the down and dirty on analyzing RAM dumps with Mandiant's Memoryze and Audit Viewer.

First, you have to download an install Python for Windows. Once you have that, go to the Mandiant page, and download both Memoryze and Audit Viewer. Install Memoryze, and then create a directory for Audit Viewer. This tool is stand alone and does not require installation.

Now, provided you have a RAM dump...which can be obtained using a variety of are a few:

MDD (although no londer supported)
FTK Lite v2.6.1
HBGary's FastDump Pro
*Memoryze will also dump RAM but you have to install it on the target machine that you have a RAM dump, and your analysis tools installed, here is the short version of how you launch Memoryze. Note...there is a full readme file that comes with Memoryze, and I highly recommend reading it. What I am providing here is a quick how to.

From the cmd line, navigate to the Memoryze directory...

process.bat -input -handles true -strings true -imports true -exports true -sections true -ports true -injected true -output

This will chug for quite a while depending on the s
ize of the RAM dump, how many processes were running on the target host, and how much data in there to process. Once it finishes, it will create a file in the output path called, "Audits". In there, you will find a second file with the date, and in there, a third file with your username. This file contains the .xml output of Memoryze.

Now, to open and view the audit file, kidding...use Audit Viewer. Simply double click on the Audit Viewer icon, and select "open existing results". From there, you Browse to the folder containing the .xml output, and click Next and then Finish. This will process for a few minutes as all of the data is read. When it finishes you will get so
mething that looks like this...

To review the information about any give process, simply double click on that process name in the left hand column. you have your RAM dump open and you are ready to analyze the data. What are you looking for? That my friends, will be discussed in my next post. Until then, enjoy using Memoryze and Audit Viewer...GREAT tools...thanks Mandiant!


  1. Memoryze can acquire ram without being installed. Take the files from the Memoryze installation folder and they can be used from a USB without an installation. Using Memoryze to process the memory on the live system will also generate a MRI scoring for all process not just the processes matching the current MRI rule set.

  2. TK...yes...that is a great feature, but doesn't that require you to install Memoryze on the target system? Most customers don't want me installing stuff on their systems. If there is a way to run it from a DVD/CD or USB drive I would love to have the MRI scoring feature.

  3. Figured out how this worked! New blog posting shows you how to do it. Thanks for the heads up Rob!

  4. When I run Audit Viewer, open existing results, and point to the BatchResults.xml file, then execute, I get WindowsError [Error 267] The directory name is invalid. I am not sure why I am getting this error since I am pointing to the correct location? Please help!

  5. James...not sure what would cause this error. Are you using the most recent version of Memoryze? This could be a code flaw that Jamie Butler fixed in the most recent version. Also, have you tried actually typing in the full path to the .xml file rather than using the GUI navigation pane? Were you ever able to view the results, or did you get to see them when you initially ran the tool and then cannot open it later?

  6. Please list some alternative dump analysis tools.