First, you have to download and install Python for Windows. Once you have that, go to the Mandiant page and download both Memoryze and Audit Viewer. Install Memoryze, then create a directory for Audit Viewer. Audit Viewer is stand-alone and does not require installation; just unpack it into that directory.
Now, provided you have a RAM dump...which can be obtained using a variety of tools...here are a few:
MDD (although no longer supported)
FTK Lite v2.6.1
HBGary's FastDump Pro
*Memoryze will also dump RAM but you have to install it on the target machine
OK...now that you have a RAM dump and your analysis tools installed, here is the short version of how you launch Memoryze. Note...there is a full readme file that comes with Memoryze, and I highly recommend reading it. What I am providing here is a quick how-to.
From the cmd line, navigate to the Memoryze directory...
This will chug for quite a while depending on the s
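The command-line step itself is cut off above, so here is the way I would drive it from a PowerShell prompt. This is an added example, not a command from the original post or from Mandiant's documentation: it assumes the Process.bat wrapper and its -input / -output switches as I remember them from the Memoryze readme (check the readme that ships with your version before relying on them), and the install, dump and output paths are made up for illustration. It also does the one thing a forensic practitioner should always do first: hash the image before analysis and again afterwards, so you can show the tooling did not alter the evidence.

```powershell
# Added example (not from the original post): run Memoryze against an existing
# RAM dump from PowerShell, then confirm the XML audit that Audit Viewer reads
# was actually produced.
#
# Assumptions: Process.bat and the -input/-output/-handles/-sections/-ports/
# -strings switches are as described in the Memoryze readme; verify them there.
# All paths below are placeholders for this illustration.

$MemoryzeDir = 'C:\Program Files\Mandiant\Memoryze'   # assumed install dir
$Dump        = 'E:\case001\memdump.dd'               # image from MDD / FTK / FastDump
$OutDir      = 'E:\case001\memoryze-audit'           # where the .xml audit will land

if (-not (Test-Path -Path $Dump)) { throw "RAM dump not found: $Dump" }
New-Item -ItemType Directory -Force -Path $OutDir | Out-Null

# Evidence hygiene: hash the image before touching it with any analysis tool
# and keep that hash with the case notes.
$before = (Get-FileHash -Algorithm SHA256 -Path $Dump).Hash
"$before  $(Split-Path -Leaf $Dump)" |
    Out-File -Encoding ascii -FilePath (Join-Path $OutDir 'memdump.sha256')

# The batch wrappers resolve Memoryze.exe relative to their own directory,
# so run them from the Memoryze folder (same as "navigate to the Memoryze
# directory" in the post). Process.bat enumerates processes from the image;
# the boolean switches pull in handles, sections, ports and strings so that
# Audit Viewer has something to show per process.
Push-Location -Path $MemoryzeDir
try {
    & .\Process.bat -input $Dump -output $OutDir `
        -handles true -sections true -ports true -strings true
}
finally {
    Pop-Location
}

# Memoryze writes its results as XML under the output directory (in a dated
# subfolder); Audit Viewer's "open existing results" wants that folder.
$audits = Get-ChildItem -Path $OutDir -Recurse -Filter '*.xml' |
    Sort-Object -Property LastWriteTime -Descending
if (-not $audits) {
    throw "No XML audit found under $OutDir - check the Memoryze console output."
}
"Audit XML ready for Audit Viewer: $($audits[0].DirectoryName)"

# Hash again: a read-only analysis must leave the image byte-for-byte intact.
$after = (Get-FileHash -Algorithm SHA256 -Path $Dump).Hash
if ($after -ne $before) {
    Write-Warning 'Image hash changed during analysis; treat this dump as suspect.'
}
```

The hash-before/hash-after bracket is cheap and is the thing you will be asked about later if the analysis ever matters in court or in an incident review; the Get-ChildItem check just saves you from opening Audit Viewer on an empty folder when Memoryze has silently failed.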
Now, to open and view the audit file, you...no kidding...use Audit Viewer. Simply double-click the Audit Viewer icon and select "open existing results". From there, browse to the folder containing the .xml output, click Next and then Finish. This will process for a few minutes as all of the data is read. When it finishes you will get so
To review the information about any given process, simply double-click that process name in the left-hand column.
So...now you have your RAM dump open and you are ready to analyze the data. What are you looking for? That, my friends, will be discussed in my next post. Until then, enjoy using Memoryze and Audit Viewer...GREAT tools...thanks Mandiant!