Four years ago, at DFRWS 2005, the first tools for analyzing Windows memory images were presented in public. These ideas and methods are now gradually making their way into commercial off-the-shelf forensic products. The latest tool to provide Windows memory analysis capabilities is AccessData's Forensic Toolkit 3.
If you've worked with FTK 2.x before, you'll immediately notice the new "Volatile" tab on FTK's main screen:
FTK3 displays information about processes, network sockets, loaded dynamic link libraries (DLLs) and handles. The handle information points an investigator to opened files as well as to active threads.
To get a first impression, I let FTK3 analyze a memory dump containing a Netcat listener that had been hidden by the well-known FUto rootkit. FTK3 instantly shows the listener and its socket. However, I miss a note pointing out that the underlying kernel data structures had been manipulated.
FTK3 still lags far behind the latest research. Manipulation of registry hives in memory, loaded kernel modules and other kinds of malicious activity remain undetected for the most part.
What looks highly interesting and innovative is a function to compare two memory images. Further tests will show how well this function can detect in-memory manipulations of the kernel or changes to the system configuration.
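As an added illustration (not FTK's or AccessData's code), here is the kind of consistency check the two observations above call for: within one image, the active-process list is compared against the owner PIDs recorded in socket and handle structures, and two images are diffed so that a process that disappeared from the list while its socket persisted is flagged. The `ImageView` structure and all sample values are constructed for the example.

```python
# Added example: cross-view check and two-image diff on constructed data.
# A DKOM rootkit such as FUto unlinks a process from the kernel's active-process
# list, but other views (the owner PID stored in socket and handle structures)
# still refer to it. Comparing the views exposes the inconsistency.
from dataclasses import dataclass, field


@dataclass
class ImageView:
    """Process-related views extracted from one memory image (constructed layout)."""
    active_list: dict[int, str]                 # pid -> name, from the process-list walk
    socket_owners: dict[tuple, int]             # (proto, port) -> owner pid, from socket objects
    handle_owners: set[int] = field(default_factory=set)  # pids referenced by handle tables


def hidden_processes(view: ImageView) -> set[int]:
    """PIDs referenced by sockets or handles but missing from the process list."""
    referenced = set(view.socket_owners.values()) | view.handle_owners
    return referenced - set(view.active_list)


def diff_images(before: ImageView, after: ImageView) -> dict:
    """Differences between two snapshots; 'unlinked_but_referenced' is the
    tell-tale of a process removed from the list while its objects survive."""
    gone = set(before.active_list) - set(after.active_list)
    referenced_after = set(after.socket_owners.values()) | after.handle_owners
    return {
        "new_processes": sorted(set(after.active_list) - set(before.active_list)),
        "gone_processes": sorted(gone),
        "new_sockets": sorted(set(after.socket_owners) - set(before.socket_owners)),
        "closed_sockets": sorted(set(before.socket_owners) - set(after.socket_owners)),
        "unlinked_but_referenced": sorted(gone & referenced_after),
    }


# Constructed sample: snapshot A is clean; in snapshot B the listener (pid 1337)
# has been unlinked from the process list but still owns its TCP socket.
SNAPSHOT_A = ImageView(
    active_list={4: "System", 600: "lsass.exe", 1337: "nc.exe"},
    socket_owners={("tcp", 4444): 1337, ("udp", 500): 600},
    handle_owners={4, 600, 1337},
)
SNAPSHOT_B = ImageView(
    active_list={4: "System", 600: "lsass.exe"},  # nc.exe no longer listed
    socket_owners={("tcp", 4444): 1337, ("udp", 500): 600},
    handle_owners={4, 600, 1337},
)

if __name__ == "__main__":
    print("hidden in B:", hidden_processes(SNAPSHOT_B))      # {1337}
    print("diff A->B:", diff_images(SNAPSHOT_A, SNAPSHOT_B))
```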
I welcome AccessData's decision to incorporate memory analysis functionality into their Forensic Toolkit. Having these new functions at your fingertips in a familiar environment, instead of in a separate tool, will hopefully lower the barrier for investigators to explore the power of memory analysis.