First, I copied the contents of C:\Program Files\Mandiant\Memoryze and the contents of C:\Audit_Viewer into a single folder on my thumb drive called F:\Memoryze.
Next, I launched Audit Viewer by double-clicking on the AuditViewer icon and selected “configure memory” and clicked “Next”. Then, I set my paths to Memoryze and my output results as seen below and clicked “Next”.
From there, I chose to “Acquire Live Memory” and clicked “Next”, and then I chose only “Process Enumeration” and clicked “Next”. Then, I chose “Memory Acquisition” and clicked “Next”. The following screen simply showed my options, which read, “Process Enumeration” and “Memory Acquisition”. From there, I selected the information I wanted to enumerate from the memory.
Based on trial and error (and according to Rob), I learned to select all of the options EXCEPT for “Strings in memory”. Doing this against a live memory acquisition will lead to Audit Viewer running for a very, very long time…in excess of 12 hours (I know this because I tried it and I finally killed the process at 12 hours!). From this screen, just click “Next” followed by “Finish” and your acquisition will begin, and looks like this…
I ran this on my local XP system, which has 4 GB of memory, and the entire process took about 15 minutes. It’s a Dell D620 with an Intel Core2 T7600 2.33 GHz CPU…so nothing super fast.
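Once the acquisition finishes, the one thing I'd want on record before touching the image is its size and hash. The script below is an added example (not part of Memoryze or Audit Viewer, and not from the original post) that hashes a memory image, compares its size against the RAM installed in the box (4 GB here, as in the walkthrough), and writes a small manifest next to it. The output filename and the 5% tolerance are assumptions; the `demo()` function builds a constructed 3-byte stand-in for a dump so the script runs offline, and its "truncated" verdict shows what an interrupted acquisition would look like.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path

# Added example, not Memoryze/Audit Viewer code. Records size and SHA-256 of an
# acquired memory image so it can be verified later in the investigation.

GIB = 1024 ** 3


def sha256_of_file(path, chunk_size=1024 * 1024):
    """Stream the file through SHA-256 so a multi-GB image does not go into RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_dump(image_path, expected_ram_bytes, tolerance=0.05):
    """Return a record describing the image.

    An image noticeably smaller than installed RAM usually means the
    acquisition was interrupted; slightly larger is normal because reserved
    and device ranges can be included. The 5% tolerance is an assumption.
    """
    image_path = Path(image_path)
    size = image_path.stat().st_size
    lower_bound = int(expected_ram_bytes * (1 - tolerance))
    return {
        "path": str(image_path),
        "size_bytes": size,
        "expected_ram_bytes": expected_ram_bytes,
        "sha256": sha256_of_file(image_path),
        "size_plausible": size >= lower_bound,
    }


def write_manifest(record, manifest_path):
    """Write the record as JSON beside the image (hypothetical manifest format)."""
    manifest_path = Path(manifest_path)
    manifest_path.write_text(json.dumps(record, indent=2))
    return manifest_path


def demo():
    """Constructed stand-in: a 3-byte 'image' checked against a 4 GB box.

    Returns the record; size_plausible is False because the file is far too
    small for 4 GB of RAM, i.e. what a truncated acquisition would produce.
    """
    workdir = Path(tempfile.mkdtemp())
    fake_image = workdir / "memory.img"  # assumed output name, not Memoryze's
    fake_image.write_bytes(b"abc")  # constructed content, not real memory
    record = verify_dump(fake_image, expected_ram_bytes=4 * GIB)
    write_manifest(record, workdir / "memory.img.manifest.json")
    return record


if __name__ == "__main__":
    rec = demo()
    print(json.dumps(rec, indent=2))
    if not rec["size_plausible"]:
        print("WARNING: image is smaller than installed RAM; acquisition may be incomplete")
```

In real use you would point `verify_dump` at the image Memoryze wrote into the output folder you configured in Audit Viewer and pass the machine's installed RAM as `expected_ram_bytes`; keep the manifest with the image so anyone re-checking the hash later has a reference value.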
Next, I will cover what your RAM dump will likely look like, what is an MRI anyway, and what you should look for in terms of compromise indicators.