This is in addition to the platforms Memoryze already supported:

 
Attacks Against Memory Forensic Tools
Brendan Dolan-Gavitt et. al. published a great article in the Proceedings of the ACM Conference on Computer and Communications Security (CCS) [1]. In it, they discuss an attack against memory forensic tools that would cause the tools to be blind to the existence of specially modified processes. As Brendan states in his blog, this attack has been known about for some time and requires a rootkit on the part of the intruder in order to modify the desired process(es). Memoryze has expanded upon their research by modifying the detection algorithm slightly and adding support for all the operating systems Memoryze supports. This work by Dolan-Gavitt, Srivastava, Traynor, and Griffin is sure to motivate change. If you would like to test your existing tools or validate that Memoryze is now resilient, Brendan has made a memory image available for download from his blog.
 

 
Speed Improvements
In addition to platform support and resilience to recent DKOM attacks, Memoryze is now as much as 40% faster depending on memory size and configuration parameters. This and some of the other improvements made should make string enumeration a lot better.
 
Portable Installation
Peter Villadsen fixed a bug in the way Memoryze used to install that required the user to use “-portable” at the command line when running Memoryze. Obviously, this broke Audit Viewer because of the way it invokes Memoryze. Now that has been fixed. When you are installing Memoryze to be used portably, you must use special options to msiexec.

msiexec /a MemoryzeSetup.msi /qb TARGETDIR=portable_drive_and_folder

The portable_drive_and_folder should be the drive letter of the USB key and the folder you want to install Memoryze into such as H:\Memoryze

Now, the first time you run portable Memoryze it will create several files; therefore, you cannot make the media read-only yet. After that, you should be set to run Memoryze off a USB key or CD-Rom. You can have Audit Viewer invoke Memoryze or use the *.bat files that are included.
 
It has been fun over the past two years working with our user base and our consultants as they have ran this code over literally hundreds of thousands of hosts. I am looking forward to what the next two years bring. Please keep us informed of bugs or of any feature requests on the forums.
 
Download Memoryze NOW
 
[1] Dolan-Gavitt, B., Srivastava, A., Traynor, P., and Giffin, J., “Robust signatures for kernel data structures,” in Proceedings of the ACM Conference on Computer and Communications Security (CCS), 2009.
 
The “*” means that complete regression testing on those platforms has not been completed, but we felt the feature was important enough to users to get the feature out as soon as it was available.

So what is included in Memoryze and Audit Viewer 1.4? Well, here is the short of it.
 

Memoryze:

• Support for Windows 2003 x64 SP2
• Improved support of Vista SP1 and SP2 including port enumeration and a better installer
• Enumeration of digital signatures for all loaded modules in a processes’ address space, hooked and hooking drivers, and all drivers found by driver signature scans
• Enumeration of MD5/SHA1/SHA256 hash on disk for all loaded modules in a process’ address space and all drivers found by driver signature scans
• Updated documentation
• Single installer for 64-bit and 32-bit versions

 
Audit Viewer:

• Improvements to the Malware Rating Index (MRI)
•      Report visualization of MRI results
•      MRI rule editors that will allow users to graphically edit the MRI rule file
•      Handle Trust view to help identify suspicious handles
• Ability to search results within a specific process
• Multi-select with copy
• Multi-select and export to a CSV file

 
Those who attended the CanSecWest Training in March have already been enjoying many of these features in beta form for months, and we are committed to ensuring that those who attend the Advanced Memory Forensics in Incident Response class at Black Hat will get early access to the next version of Memorzye, which will support Windows 7 64-bit.
 
As for the Black Hat training, there is a lot of new and updated content for 2010.

• Coverage of 64-bit operating systems
• New section on malware covering different malware techniques and how they stand out in memory
• Four new case studies ranging from real Advanced Persistent Threat (APT) incidents, to spear phishing attacks, and everything in between
• Student receive early access Memoryze and Audit Viewer for Windows 7 64-bit
• Students receive the only free tool to analyze Windows Vista
• Students receive the only free tool to analyze Windows 2003 64-bit
• Better data collection to help identify processes and drivers as malicious or not
• Added the Malware Rating Index (MRI), which helps automatically identify many malware behaviors discussed in the class. Through a simple user interface, students learn how to write rules to identify malware in their own work environments. MRI then uses those rules to score processes as suspicious or not.

 
I would like to thank James Long who pointed out an issue with the batch scripts* and Peter Villadsen who worked so hard to improve the build process and installation for Memoryze. Peter and I would also like to thank all our loyal users. We appreciate all your feedback, and we hope to see you in Las Vegas.

 
* When specifying an output directory from the command line with the batch scripts in Memoryze, the directory must already exist.

Peter and I have been busy planning for CanSecWest in a week. The course, Advanced Memory Forensics in Incident Response, is constantly evolving. It has been about a year and a half since Memoryze was released, and just over a year for Audit Viewer. Honestly, it seems a lot longer, but that is not a bad thing. This week my team will be handing over to QA Windows 2003 64-bit support. While that is in testing, Peter will be making improvements to Audit Viewer that you the user have recommended, and he will be verifying everything works correctly with the 64-bit output. The Malware Rating Index (MRI), which is in Audit Viewer, really changes the case studies in the training. For some exercises, we have to turn MRI off because the malware becomes obvious if you know how to use the tool. I expect MRI will evolve a lot over the next six months as we think of news ways to visualize, sort, and search the data as well as identify new pieces of data to collect. If you are curious how visualization and sorting can help, check out how Harlan Carvey and Chris Pogue use it.

We have gotten a lot of great feedback from the user community, but what Windows operating system support or feature would you like see next? Yes, MANDIANT Intelligent Response has a roadmap, but Memoryze allows us to play a little bit. It is really a labor of love. So let us know what you think. You can reach us at peter.silberman or james.butler plus company name.com. We currently support:

- Windows 2000 SP4
- Windows XP SP2 and SP3
- Windows Vista SP1 and SP2 (better installer coming in next release)
- Windows 2003 SP1 and SP2
- Windows 2003 SP2 64-bit (** next release **)

So if you cannot make the training at CanSecWest in a week, Black Hat USA has just opened their training schedule, and we will be there for the weekend and weekday offerings of Advanced Memory Forensics in Incident Response. I hope to see you soon. Keep your eyes open for official update releases of Memoryze/Audit Viewer and Webinars/presentations.

Audit Viewer allows the incident responder or forensic analyst to quickly view complex XML output in an easily readable format. Using familiar grouping of data and search capabilities, Audit Viewer makes memory analysis quicker and more intuitive.

Check out these features:

• Process data can be viewed on a per process basis or in its entirety by double clicking the root node, “Processes”. For example, when you double click on “Processes” and then click on the Files tab, all the file handles open on the host are displayed from least frequently to most frequently occurring.
  
• Ability to search Files, Processes, Mutants, Events, Registry Keys, and Strings using plain text or regex.
  
• Ability to load multiple Memoryze result sets contained in the same directory.
  
• Handle types are separated out into more abstract types representing the logical type of the handle such as Files, Directories (part of the Object Manager’s namespace), Processes, Keys, Mutants, and Events.
  
• Memory sections with names are displayed under the DLLs tab.
  
• Layered drivers are displayed in a tree view. This is useful for finding certain types of keyboard sniffers, network sniffers, and file filtering drivers.
  
• Integrated with Memoryze to seamlessly acquire drivers and processes from live memory and images.
  
• Ability to scan all processes for “questionable” executable sections. These sections have the EXECUTE_READWRITE flag but no name.

Get the goods, Audit Viewer 1.0.0.7!  Want to learn how to harness this power? Check out Audit Viewer PDF.

Special thanks to Peter for spending his nights and weekends to make this available.