The following is a list of 8 of the best memory analysis tools on the market today.
If you have a favorite memory analysis tool that is not on this list, please let me know in the comments section and I will add it to the list.
Evolve is a web interface for the Volatility Memory Forensics Framework and works with any Volatility module that provides a SQLite render method.
- Automatically detects plugins – If volatility sees the plugin, so will eVOLve
- All results stored in a single SQLite db stored beside the RAM dump
- Web interface is fully AJAX using jQuery & JSON to pass requests and responses
- Uses Bottle module in Python to provide a standalone web server
- Option to edit SQL query to provide enhanced data views with data from multiple tables
- Run plugins and view data from any browser – even a tablet!
- Allow multiple people to review results of single RAM dump
- Multiprocessing for full CPU usage
- Pre-Scan runs a list of plugins at the start
KnTList is a command line tool for the analysis and extraction of evidence from physical memory that was acquired from select Microsoft Windows operating systems using the KnTTools. KnTList analyzes main computer memory by reconstructing the principal operating-system-defined metadata elements that structure the memory, including the virtual address space of the system and other processes. KnTList output is produced in both text and XML format.
However, KnTList is currently available only to the military, civilian law enforcement and other civilian governmental agencies, and higher educational institutions, and on a case-by-case basis to private security professionals and corporations.
LiME is a Loadable Kernel Module (LKM) which allows for volatile memory acquisition from Linux and Linux-based devices, such as Android. This makes LiME unique as it is the first tool that allows for full memory captures on Android devices. It also minimizes its interaction between user and kernel space processes during acquisition, which allows it to produce memory captures that are more forensically sound than those of other tools designed for Linux memory acquisition.
Mandiant’s Memoryze™ is free memory forensic software that helps incident responders find evil in live memory. Memoryze can acquire and/or analyze memory images and on live systems can include the paging file in its analysis.
- Image the full range of system memory (no reliance on API calls).
- Image a process' entire address space to disk, including a process' loaded DLLs, EXEs, heaps and stacks.
- Image a specified driver or all drivers loaded in memory to disk.
- Enumerate all running processes (including those hidden by rootkits). For each process, Memoryze can:
  - Report all open handles in a process (including all files, registry keys, etc.).
  - List the virtual address space of a given process, including all loaded DLLs and all allocated portions of the heap and stack.
  - List all network sockets that the process has open, including any hidden by rootkits.
  - Specify the functions imported and exported by the EXE and DLLs.
  - Hash the EXE and DLLs in the process address space (MD5, SHA1, SHA256; disk-based).
  - Verify the digital signatures of the EXEs and DLLs (disk-based).
  - Output all strings in memory on a per-process basis.
- Identify all drivers loaded in memory, including those hidden by rootkits. For each driver, Memoryze can:
  - Specify the functions the driver imports and exports.
  - Hash the driver (MD5, SHA1, and SHA256; disk-based).
  - Verify the digital signature of the driver (disk-based).
  - Output all strings in memory on a per-driver basis.
- Report device and driver layering, which can be used to intercept network packets, keystrokes and file activity.
- Identify all loaded kernel modules by walking a linked list. Identify hooks (often used by rootkits) in the system call table, the interrupt descriptor tables (IDTs) and driver function tables.
Memoryze for the Mac can:
- Image the full range of system memory.
- Acquire individual process memory regions.
- Enumerate all running processes (including those hidden by rootkits). For each process, Memoryze for the Mac can:
  - Report all open file handles in a process (including all files, sockets, pipes, etc.).
  - List the virtual address space of a process, including:
    - loaded libraries
    - allocated portions of heap and execution stack
    - network connections
- Identify all loaded kernel extensions, including those hidden by rootkits.
- Examine the system call table and mach trap table.
- Enumerate all running mach tasks.
- ASLR support.
The Rekall Framework is an open source tool (and library) for the extraction of digital artifacts from volatile memory (RAM) samples.
Responder PRO is the industry standard physical memory and automated malware analysis solution. It is the most advanced reverse engineering tool available today. In 2015 a Linux version of Responder PRO was released. It enables cyber security analysts to pull in and analyze Linux memory images and to perform memory forensics on endpoints. The new Responder PRO covers the two most popular versions of Linux available today, Red Hat Enterprise Linux (RHEL) and CentOS.
With its powerful memory forensics and malware identification capabilities, Responder PRO allows incident response professionals to collect and analyze critical threat intelligence that can only be found in physical memory such as chat sessions, registry keys, encryption keys, and socket information. With this information, incident responders can effectively validate and respond to a security incident.
The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples. The extraction techniques are performed completely independently of the system being investigated but offer visibility into the runtime state of the system. The framework is intended to introduce people to the techniques and complexities associated with extracting digital artifacts from volatile memory samples and to provide a platform for further work in this exciting area of research.
A GUI-based memory forensic capture and analysis toolkit. It allows the import of standard WinDD memory dumps, which are then automatically reverse engineered and presented in an easy-to-view format for forensic analysis in a central location. It includes advanced search capabilities to find visited URLs, credit cards, logins, names, etc., and provides the most sophisticated memory forensics analysis for security breaches. Applications include digital forensics, crime investigation, cyber defense and attack detection, and other reverse engineering activities.