Digital Evidence Investigative Tools: Analyzing Live Memory
Live memory analysis can produce important, case-relevant data for investigators that cannot be obtained from disk analysis. This information
includes running applications, open files, Web browser usage, recently used passwords and stored encryption keys.
Mem Marshal, an NIJ-supported tool currently in development, seeks to make live memory analysis forensic capabilities available
to law enforcement. This portable memory forensics software toolkit automates the recovery of information that exists while
live in memory, visualizes this information graphically and provides the investigator with reporting features at the crime
The tool is expected to extend existing forensic techniques to volatile (live) memory, provide context for string-search results
and enable in-memory file carving.
Memory analysis is of particular interest in malware (malicious software used to infiltrate a system) analysis and incident
response, because it is capable of analyzing machines in which the operating system has been subverted.
Mem Marshal will be distributed for free to state and local law enforcement. Anticipated launch date is early 2011.
Date Created: November 5, 2010