Memoryze

Name: Memoryze
Works on: Windows 2000 and above
Developer: Mandiant
Version: 3
Last Updated: 10 Mar 2017
Release: 30 Aug 2013
Category: Tweak > Memory Tweak

Memoryze Details

Works on: Windows 10 | Windows 8.1 | Windows 8 | Windows 7 | Windows XP | Windows 2000 | Windows 2003 | Windows 2008 | Windows Vista | Windows 2012
SHA1 Hash: 4f719a43c7464e1794398dde9eb1dd43af6193d7
Size: 6.99 MB
File Format: zip
Rating: 2.04347826 out of 5 based on 23 user ratings
Downloads: 428
License: Free
Memoryze is free software by Mandiant and works on Windows 10, Windows 8.1, Windows 8, Windows 7, Windows XP, Windows 2000, Windows 2003, Windows 2008, Windows Vista, Windows 2012.
You can download Memoryze which is 6.99 MB in size and belongs to the software category Memory Tweak.
Memoryze was released on 2013-08-30 and last updated on our database on 2017-03-10 and is currently at version 3.

Memoryze Description

Mandiant Memoryze (formerly known as Mandiant Free Agent) is a free memory analysis utility that can not only acquire the physical memory from a Microsoft Windows system, but it can also perform advanced analysis of live memory while the computer is running. All analysis can be done either against an acquired image or a live system.

XML Scripts

Memoryze takes XML documents that define what to do, and Memoryze then outputs the result in XML format. The user can configure the individual parameters within each execution script in order to perform the desired actions.
Several default execution scripts are provided with Memoryze’s installation. These scripts include:
AcquireDriver.Batch.xml
AcquireMemory.Batch.xml
AcquireProcessMemory.Batch.xml
DriverAuditModuleList.Batch.xml
DriverAuditSignature.Batch.xml
ProcessAuditMemory.Batch.xml
RootkitAudit.Batch.xml
Each script’s options will be discussed in depth, with examples.

Batch Files

To make Memoryze easier to use, each execution script has been wrapped by a corresponding batch file. All the parameters in the XML execution script can be modified from the command line using arguments to the batch file. The batch files include:
MemoryDD.bat to acquire an image of physical memory.
ProcessDD.bat to acquire an image of the process’ address space.
DriverDD.bat to acquire an image of a driver.
Process.bat to enumerate everything about a process including handles, virtual memory, network ports, and strings.
HookDetection.bat to look for hooks within the operating system.
DriverSearch.bat to find drivers.
DriverWalkList.bat to enumerate all modules and drivers in a linked list.

Viewing the Results

Memoryze creates XML documents containing the analysis results. Currently, MANDIANT does not provide a stand-alone external viewer for Memoryze’s results. However, result files can be displayed in any XML viewer – such as Windows Internet Explorer, Mozilla Firefox, or even Microsoft Excel 2007. Be careful! Some XML viewers can be sluggish when loading large XML documents.

Executing Memoryze

There are two ways to use Memoryze.
One way is to use the XML command files native to Memoryze.exe. This requires editing the *.Batch.xml files to configure Memoryze to perform the desired tasks.
The other option is to use the command-line batch scripts provided. These batch scripts generate the XML command files for the desired audit using the options specified on the batch file command line.
Using the batch scripts eliminates the need to edit an XML file. These batch scripts are convenient for interactive use.

Using Memoryze with the XML Execution Scripts

Memoryze.exe is the executable that takes the command line parameters and executes the XML audit or script. Memoryze command line parameters are as follows:
-o [directory]
The optional directory argument specifies the location to store the results. If this location is not specified, the results are stored by default in /Audits//. is the name of the system on which Memoryze is executing, and is a date/time stamp in the format of YYYYMMDDHHMMSS.
-script
Executes the specified audit (*.Batch.xml)
-encoding [none|aff|gzip]
none – no encoding of the output
aff – compresses the output in an AFF evidence container
gzip – compresses the output in GZIP
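
One way to wrap the command line described above, as an added example that is not Mandiant's code or part of this page: a PowerShell script that checks a downloaded archive against the SHA1 listed on this page, runs Memoryze.exe with the documented -o, -script and -encoding options, and writes a SHA256 manifest of the result files. The install path, archive path, evidence folder and the manifest.csv name are assumptions.

```powershell
# Added example, not Mandiant's code. All default paths are assumptions.
param(
    [string]$MemoryzeDir = 'C:\Tools\Memoryze',        # assumed unpack location
    [string]$AuditScript = 'AcquireMemory.Batch.xml',  # a default script named on this page
    [string]$OutDir      = 'E:\Evidence\case-0001',    # constructed evidence folder
    [ValidateSet('none', 'aff', 'gzip')]
    [string]$Encoding    = 'none',
    [string]$ZipPath     = ''                          # optional: the downloaded archive
)
$ErrorActionPreference = 'Stop'

# SHA1 published on this page for the 6.99 MB zip.
$publishedSha1 = '4f719a43c7464e1794398dde9eb1dd43af6193d7'
if ($ZipPath) {
    $actual = (Get-FileHash -LiteralPath $ZipPath -Algorithm SHA1).Hash
    if ($actual -ne $publishedSha1) { throw "Archive SHA1 mismatch: $actual" }
}

$exe = Join-Path $MemoryzeDir 'Memoryze.exe'
$xml = Join-Path $MemoryzeDir $AuditScript
foreach ($p in $exe, $xml) {
    if (-not (Test-Path -LiteralPath $p -PathType Leaf)) { throw "Missing file: $p" }
}

# Refuse to run an execution script that is not well-formed XML.
[void][xml](Get-Content -LiteralPath $xml -Raw)

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Flags as documented above: -o (results directory), -script, -encoding.
& $exe -o $OutDir -script $xml -encoding $Encoding
$exitCode = $LASTEXITCODE   # recorded only; its meaning is not documented on this page

# Hash every result file so later analysis can show the evidence is unchanged.
$manifestPath = Join-Path $OutDir 'manifest.csv'
Get-ChildItem -LiteralPath $OutDir -Recurse -File |
    Where-Object { $_.FullName -ne $manifestPath } |
    ForEach-Object {
        [pscustomobject]@{
            Path     = $_.FullName
            Bytes    = $_.Length
            SHA256   = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            Tool     = $AuditScript
            ExitCode = $exitCode
        }
    } | Export-Csv -LiteralPath $manifestPath -NoTypeInformation
```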