M-unition -

New Audit Viewer for Memoryze

By on November 25, 2008


If you are tired of trying to load Memoryze’s results into Internet Explorer
or into an Excel spreadsheet, check out the new viewer from Peter
Silberman. The Audit Viewer is written in Python and comes with
the BSD license because you know best how you want to view your data.

Audit Viewer allows the incident responder or forensic analyst to quickly view complex XML output in an easily readable format. Using familiar grouping of data and search capabilities, Audit Viewer makes memory analysis quicker and more intuitive.

Check out these features:

  • Process data can be viewed on a per process basis or in its entirety by double clicking the root node, “Processes”. For example, when you double click on “Processes” and then click on the Files tab, all the file handles open on the host are displayed from least frequently to most frequently occurring.
  • Ability to search Files, Processes, Mutants, Events, Registry Keys, and Strings using plain text or regex.
  • Ability to load multiple Memoryze result sets contained in the same directory.
  • Handle types are separated out into more abstract types representing the logical type of the handle such as Files, Directories (part of the Object Manager’s namespace), Processes, Keys, Mutants, and Events.
  • Memory sections with names are displayed under the DLLs tab.
  • Layered drivers are displayed in a tree view. This is useful for finding certain types of keyboard sniffers, network sniffers, and file filtering drivers.
  • Integrated with Memoryze to seamlessly acquire drivers and processes from live memory and images.
  • Ability to scan all processes for “questionable” executable sections. These sections have the EXECUTE_READWRITE flag but no name.

Get the goods, Audit Viewer 1.0.0.7!  Want to learn how to harness this power? Check out Audit Viewer PDF.

Special thanks to Peter for spending his nights and weekends to make this available.

Category: The Lab

Comments

Get M-Unition in Your Inbox:

Follow @mandiant

Follow @mandiant on twitter.

Career Opps @ Mandiant

We’re growing fast, but we’re as demanding as ever. Our clients come to us in their hours of need, so we need the best. That means more than just the right education and the right experience in information security.

As Mandiant continues to grow, we are able to offer certain positions in multiple locations. For details on the location(s) of each opening, please refer to the position descriptions.

Click here to view available positions.