Memory Forensic Tools Stack

What is a Memory Forensic Tools Stack?

Each memory forensic analyst prefers to use some tools that would help them doing their activities – for sure, they should have the core knowledge of what a certain tool does and how it is doing its work.

So, I would define the memory forensic tools stack as the preferred memory forensic tools that an analyst has been using over the years and helped him successfully investigate, save time, and answer cases’ related questions based on his needs with no to minimal obvious errors (tools are not perfect and they do have/give errors, such as parsing errors among many).

I Do no Use All of Them

The tools that I am about to mention are the most well-known tools in the memory forensic domain. A lot of people do use them, but it is not necessary to use them all, as it comes to a personal preference and they are many!

Tools Stack

You may find each tool provides some features that push you to use that tool just for a particular feature, and that what we are talking about. As each tool may have something unique and gives you a better functionality or easier in dealing with it compared to others in certain scenarios.

Please take into consideration, that this blog will get regularly updated as new tools and techniques arise.

Well, in this blog, I will not talk in detail about the used criteria for each tool, as this will be discussed in separate blog for each tool. However, generally speaking, the used criteria I used to classify them are: forensically soundness, accuracy in results, usability, free and availability, speed, small footprints & mode (mostly for memory acquisition tools), portability (no installations required on the host) and most importantly DOES the job

Memory Acquisition Tools:

• Windows:
  • Magnet Dumpit for Windows
  • Belkasoft Live RAM Capturer
  • FTK Imager
  • Varc (Volatile Artifact Collector) – a powerful cross-platform tool as it is also applicable for Linux & Mac
• Linux:
  • AVML
  • LiME
  • Magnet Dumpit for Linux

Memory Static Analysis Tools (Tools for Mainly Searching and Filtering Strings in the Memory Dump):

• Bulk_Extractor
• Strings
• Grep

Memory Analysis Tools:

• Volatility 2, Volatility 3
  • Volatility Workbench (GUI version of Volatility) 2, 3
• MemProcFS
  • MemProcFS-Analyzer (GUI version of MemProcFS)

I will regularly update the tools, so check this blog often ^^

Memory Acquisition Tools’ Comparison

As there are many acquisition tools, a comparison among them is made to decide which is better. I will post my comparison review in another blog, but this blog, posted in December 2020, is very detailed and gives valuable information.

In that blog, different memory acquisition tools for Windows were evaluated based on:

• User interface and customizability

• Acquisition time

• Occupied memory according to Task Manager

• Loaded DLLs

• Registry changes and invoked files

• Portable software

Conclusion

In today’s blog, we shared some useful tools that will help start your memory forensic investigation journey.

~ Cya till the next one 🙂