Home Contact

M-unition

The Ammunition You Need to Find Evil and Solve Crime

About Us

Welcome to M-unition, the MANDIANT blog. Here we share our insights about the tools we create and use to find evil and solve crime.

Memoryze is the 2008 Toolsmith Tool Of the Year

Written by Michael J. Graven

Russ McRee recently wrote that Memoryze is the 2008 Toolsmith Tool of the Year, and how it helped him find the full name of a malware author. He also wrote up a great description of using Memoryze to chase down a password stealing trojan in the February 2009 issue of the ISSA Journal.

 

One of the interesting things about Russ’s approach in both cases is his use of the strings option. It turned up some great investigative information. However, strings generates a lot of data, and in a large environment that could be a bit of a challenge (imagine running Memoryze on, say, 20,000 systems.) But on the third hand, what if one of those strings in memory is truly your best indicator of compromise?

 

The key to solving that problem – large-scale searching for very specific information – is prefiltering the results (and indexing them). Using an XPath expression to match only your desired indicator-of-evil lets the investigator focus on just the relevant data. It also lets you scale up the search to very large numbers of systems.

 

We’ve built our Intelligent Response product for exactly that need, including features from Memoryze as well as other IR tools. If you’d like to hear more about it, or see a demo, drop me a line.

Tags: , , , , ,

. 05 Feb 09 | Products
«
»


Reader's Comments

  1. Jamie Butler | February 10th, 2009 at 10:57 pm

    Thanks also to Rick Wanner of SANS Internet Storm Center Diary. Between Mr. Wanner and Mr. McRee, our Web servers got a work out.



Leave a Reply

You must be logged in to post a comment.