Friday, April 18, 2008

Windows Memory Analysis

Recently I got the chance to use EnCase Enterprise's ability to acquire physical memory over the network. This is a great feature, and it is nice to see that Guidance is starting to catch up with other products that already offered it, namely Mandiant's Intelligent Response and Technology Pathways' ProDiscover. Last summer I wrote an EnScript to parse these memory dumps for current and exited processes on XP machines, and I have finally got the OK to release it to the public. The EnScript takes a physical memory dump, whether acquired with either of the aforementioned products or with good old dd, and creates bookmarks of the process data. Each bookmark lists the process ID, parent process ID, process start time and process end time. If the process has exited, an (X) is shown next to the bookmark folder name. I based the XP script on the DFRWS memory image; I had written a Win2K EnScript before the XP one, so it is listed here too, just in case there are still 2K users out there. The XP EnScript has the option to export the results to an Excel file. I will be trying to add more capability to this EnScript, so stay tuned and give me feedback on what you would like to see added.
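To show what the EnScript described above has to do under the hood, here is an added Python example (not the EnScript from this post and not code from Guidance, Mandiant or Technology Pathways). It scans a raw memory image for process objects by their dispatcher-header signature, decodes the PID, parent PID, start time and exit time, applies plausibility checks to drop false hits, and labels exited processes with "(X)" exactly as the bookmark folders do. The field offsets and struct size are assumptions taken from the published 32-bit Windows XP SP2 `_EPROCESS` layout; other builds differ and must be verified against that build's debug symbols. The sample image is constructed inline so the script runs offline.

```python
"""Carve XP-style _EPROCESS records out of a raw physical-memory image.

Added example, not the EnScript from the post. It reproduces the idea the post
describes: scan the dump for process objects, pull out PID, parent PID, start
and exit times, and label exited processes with "(X)".

ASSUMPTION: the offsets below are the ones published for 32-bit Windows XP SP2
_EPROCESS; other builds differ and must be checked against debug symbols.
"""
import struct
from datetime import datetime, timedelta, timezone

# _EPROCESS begins with a KPROCESS whose DISPATCHER_HEADER is
# Type=3 (process object), Absolute=0, Size=0x1b dwords (0x6c bytes).
DISPATCHER_SIG = b"\x03\x00\x1b\x00"
EPROCESS_SIZE = 0x258           # assumed XP SP2 struct size
OFF_CREATE_TIME = 0x070         # FILETIME, 8 bytes
OFF_EXIT_TIME = 0x078           # FILETIME, 0 while the process is alive
OFF_PID = 0x084                 # UniqueProcessId
OFF_PPID = 0x14C                # InheritedFromUniqueProcessId
OFF_IMAGE_NAME = 0x174          # ImageFileName, 16 bytes, NUL padded

_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """Convert a Windows FILETIME (100 ns ticks since 1601) to a UTC datetime."""
    if ft == 0:
        return None
    return _FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime; used only to build the sample image."""
    delta = dt - _FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_eprocess(image, off):
    """Decode the fields we bookmark from a candidate _EPROCESS at `off`."""
    if off + EPROCESS_SIZE > len(image):
        return None
    create, exit_ = struct.unpack_from("<QQ", image, off + OFF_CREATE_TIME)
    pid = struct.unpack_from("<I", image, off + OFF_PID)[0]
    ppid = struct.unpack_from("<I", image, off + OFF_PPID)[0]
    raw_name = image[off + OFF_IMAGE_NAME:off + OFF_IMAGE_NAME + 16]
    name = raw_name.split(b"\0", 1)[0].decode("ascii", errors="replace")
    return {"offset": off, "pid": pid, "ppid": ppid, "name": name,
            "create_time": filetime_to_datetime(create),
            "exit_time": filetime_to_datetime(exit_)}


def is_plausible(rec):
    """Reject signature hits whose fields cannot belong to a real process."""
    if not (0 < rec["pid"] < 0x10000 and rec["ppid"] < 0x10000):
        return False
    ct, et = rec["create_time"], rec["exit_time"]
    if ct is None or not (1990 <= ct.year <= 2100):
        return False
    if et is not None and et < ct:          # exit before start is nonsense
        return False
    return bool(rec["name"]) and rec["name"].isprintable()


def scan_processes(image):
    """Find every plausible _EPROCESS in the image, in offset order."""
    found = []
    pos = image.find(DISPATCHER_SIG)
    while pos != -1:
        rec = parse_eprocess(image, pos)
        if rec and is_plausible(rec):
            found.append(rec)
            pos = image.find(DISPATCHER_SIG, pos + EPROCESS_SIZE)  # skip past this object
        else:
            pos = image.find(DISPATCHER_SIG, pos + 1)
    return found


def bookmark_label(rec):
    """Folder name as the post describes it: exited processes get an (X)."""
    return f"{rec['name']} (X)" if rec["exit_time"] else rec["name"]


def _fake_eprocess(pid, ppid, name, create, exit_=None):
    """Build a constructed _EPROCESS blob with only the fields we care about set."""
    buf = bytearray(EPROCESS_SIZE)
    buf[0:4] = DISPATCHER_SIG
    struct.pack_into("<QQ", buf, OFF_CREATE_TIME, datetime_to_filetime(create),
                     datetime_to_filetime(exit_) if exit_ else 0)
    struct.pack_into("<I", buf, OFF_PID, pid)
    struct.pack_into("<I", buf, OFF_PPID, ppid)
    buf[OFF_IMAGE_NAME:OFF_IMAGE_NAME + 16] = name.encode().ljust(16, b"\0")
    return bytes(buf)


def build_sample_image():
    """Constructed stand-in for a memory dump: two processes plus a decoy hit."""
    t0 = datetime(2008, 4, 18, 10, 0, tzinfo=timezone.utc)
    running = _fake_eprocess(1234, 620, "explorer.exe", t0)
    exited = _fake_eprocess(2468, 1234, "notepad.exe", t0 + timedelta(minutes=1),
                            exit_=t0 + timedelta(minutes=5))
    decoy = DISPATCHER_SIG + bytes(EPROCESS_SIZE - 4)   # header only, PID 0 -> dropped
    return bytes(0x100) + running + bytes(0x40) + decoy + bytes(0x20) + exited + bytes(0x200)


if __name__ == "__main__":
    for rec in scan_processes(build_sample_image()):
        print(f"{rec['offset']:#010x} {bookmark_label(rec):18} pid={rec['pid']:<5} "
              f"ppid={rec['ppid']:<5} start={rec['create_time']} end={rec['exit_time']}")
```

Two design points carry over to real dumps. The plausibility filter matters because the four-byte signature occurs by chance in a multi-gigabyte image, and exited processes are only recoverable while their pool memory has not been reused, which is why a start time without an exit time is not proof the process is still running.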

Windows Memory Analysis (XP)
Windows Memory Analysis (2K)