FireEye Incident Response using - MemoryDD.bat

MemoryDD.bat is a batch script shipped inside FireEye's well-known Memoryze toolkit. It runs Memoryze with the AcquireMemory.Batch.xml audit script to acquire a physical memory image of the system it is executed on and write the image to disk.

MemoryDD.bat accepts the following parameters:

• -offset – offset into physical memory. Omit the -offset option to acquire all memory.
• -size – size of physical memory to acquire. Omit the -size option to acquire all memory.
• -output – directory in which to write results. Defaults to ./Audits
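As an added example (not part of the original post and not FireEye's own code), the Python wrapper below builds a MemoryDD.bat command line from the three options listed above, runs the acquisition, and records a SHA-256 hash of every image file the run produced so the responder can document chain of custody. The install path C:\Tools\Memoryze\MemoryDD.bat, the assumption that -offset and -size are accepted as plain decimal byte counts, and the ".img" extension used when locating the output are all assumptions for this example; adjust them to the Memoryze build in use.

```python
"""Repeatable memory acquisition with Memoryze's MemoryDD.bat (example wrapper)."""
import hashlib
import subprocess
from pathlib import Path

# Assumed install location of the Memoryze toolkit on the responder's media.
MEMORYDD = Path(r"C:\Tools\Memoryze\MemoryDD.bat")
# MemoryDD.bat writes to ./Audits when -output is omitted (per the tool's own help).
DEFAULT_OUTPUT = Path("Audits")


def build_command(offset=None, size=None, output=None, script=MEMORYDD):
    """Build the argument list for MemoryDD.bat.

    -offset and -size are independent: omit either one to acquire all memory.
    Values are passed as decimal byte counts (assumption for this example).
    """
    cmd = [str(script)]
    if offset is not None:
        if offset < 0:
            raise ValueError("offset must be >= 0")
        cmd += ["-offset", str(offset)]
    if size is not None:
        if size <= 0:
            raise ValueError("size must be > 0")
        cmd += ["-size", str(size)]
    if output is not None:
        cmd += ["-output", str(output)]
    return cmd


def _digest(chunks):
    """SHA-256 over an iterable of byte chunks, hex encoded."""
    h = hashlib.sha256()
    for chunk in chunks:
        h.update(chunk)
    return h.hexdigest()


def hash_image(path, chunk_size=1 << 20):
    """Hash a (possibly multi-gigabyte) image file without loading it into memory."""
    with open(path, "rb") as f:
        return _digest(iter(lambda: f.read(chunk_size), b""))


def acquire(offset=None, size=None, output=None, run=subprocess.run):
    """Run MemoryDD.bat and return {image_path: sha256} for the files it wrote.

    Must be executed from an elevated prompt on the target host: reading physical
    memory requires administrative rights. The `run` parameter exists so the call
    can be stubbed out when exercising the wrapper off-box.
    """
    cmd = build_command(offset, size, output)
    run(cmd, check=True)
    out_dir = Path(output) if output is not None else DEFAULT_OUTPUT
    # Assumption: the acquired image is written with a .img extension below the output directory.
    images = sorted(p for p in out_dir.rglob("*.img") if p.is_file())
    return {str(p): hash_image(p) for p in images}


if __name__ == "__main__":
    # Full acquisition into a dedicated evidence folder; print hashes for the case notes.
    for image, digest in acquire(output=r"E:\Evidence\HOST01").items():
        print(f"{digest}  {image}")
```

Record the printed hashes alongside the acquisition time and the responder's name before the image leaves the host; a re-hash after transfer confirms the evidence was not altered in transit.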

From an incident response perspective, identifying patient zero during an incident or infection is only the tip of the iceberg. A responder must gather evidence, artifacts, and data from the compromised systems, and having the right tool to perform these actions is essential. A tool like this not only automates the acquisition but also helps the responder reduce the time needed to resolve the incident.