Digital Evidence Investigative Tools: Analyzing Live Memory

Live memory analysis can produce important, case-relevant data for investigators that cannot be obtained from disk analysis. This information includes running applications, open files, Web browser usage, recently used passwords and stored encryption keys.

Mem Marshal, an NIJ-supported tool currently in development, seeks to make live memory analysis capabilities available to law enforcement. This portable memory forensics software toolkit automates the recovery of information that exists only in live memory, visualizes this information graphically and provides the investigator with reporting features at the crime scene.

The tool is expected to extend existing forensic techniques to volatile (live) memory, provide context for string-search results and enable in-memory file carving.
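
To make the two techniques named above concrete, the following is an added example (not Mem Marshal's code, and not from NIJ): a small signature-based carver that pulls PNG and JPEG files out of a raw memory image, plus a string search that returns the bytes around each hit so the analyst can see what a string sits next to. The memory image is constructed inline (zero padding, a credential-looking string, a real 1x1 PNG, and a minimal JPEG header/footer pair); the signature table, the 16 MiB size cap and all function names are assumptions chosen for the example.

```python
"""Signature-based file carving and string search over a raw memory image.

Added example: a constructed image is scanned the way a carver scans a
memory dump, by locating a file header and then the matching footer.
"""
import re
import struct
import zlib

# Carving rules (assumed for this example): file type -> (header, footer, max length).
# The cap stops a header with no footer from swallowing the rest of the image.
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82", 16 * 1024 * 1024),
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9", 16 * 1024 * 1024),
}


def carve(image: bytes):
    """Return [(type, offset, data)] for every header whose footer is found in range.

    Unlike disk carving, memory pages are not contiguous, so a hit is only a
    candidate: the caller should still validate the carved bytes (CRCs, parsing).
    """
    found = []
    for kind, (header, footer, max_len) in SIGNATURES.items():
        start = image.find(header)
        while start != -1:
            end = image.find(footer, start + len(header), start + max_len)
            if end != -1:
                end += len(footer)
                found.append((kind, start, image[start:end]))
                start = image.find(header, end)
            else:
                # No footer within the cap: skip this header and keep scanning.
                start = image.find(header, start + 1)
    found.sort(key=lambda hit: hit[1])
    return found


def find_string(image: bytes, needle: bytes, context: int = 16):
    """Return [(offset, surrounding bytes)] so each hit is shown with its neighbours."""
    hits = []
    for match in re.finditer(re.escape(needle), image):
        lo = max(0, match.start() - context)
        hi = min(len(image), match.end() + context)
        hits.append((match.start(), image[lo:hi]))
    return hits


def _png_chunk(tag: bytes, body: bytes) -> bytes:
    """Length + tag + body + CRC32 over tag and body, as the PNG format requires."""
    crc = zlib.crc32(tag + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + tag + body + struct.pack(">I", crc)


def build_tiny_png() -> bytes:
    """A valid 1x1 8-bit RGB PNG (one red pixel), used as the embedded file."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    raw = b"\x00\xff\x00\x00"  # filter byte followed by one RGB pixel
    return (b"\x89PNG\r\n\x1a\n" + _png_chunk(b"IHDR", ihdr)
            + _png_chunk(b"IDAT", zlib.compress(raw)) + _png_chunk(b"IEND", b""))


def build_sample_image() -> bytes:
    """Constructed stand-in for a raw memory dump (not a real capture)."""
    png = build_tiny_png()
    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 24 + b"\xff\xd9"
    return (b"\x00" * 2048
            + b"user=alice\x00passwd=correct-horse\x00"   # constructed credential strings
            + b"\x00" * 512 + png + b"\x00" * 1024 + jpeg + b"\x00" * 256)


if __name__ == "__main__":
    image = build_sample_image()
    for kind, offset, data in carve(image):
        print(f"{kind:5} at offset 0x{offset:08x}, {len(data)} bytes")
    for offset, ctx in find_string(image, b"passwd="):
        print(f"string at 0x{offset:08x}: {ctx!r}")
```

Two points the code makes that the paragraph does not: a carver needs an upper bound on file length, because a header whose footer never appears would otherwise consume the whole image, and a hit in memory is only a candidate until the bytes are validated, since the pages holding a file are rarely contiguous.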

Memory analysis is of particular interest in malware analysis (malware being malicious software used to infiltrate a system) and incident response, because it can examine machines whose operating system has been subverted.

Mem Marshal will be distributed for free to state and local law enforcement. Anticipated launch date is early 2011.

Date Created: November 5, 2010