FireEye Incident Response using Memoryze
Memoryze is a free memory forensic software that helps incident responders find evil in live memory. Memoryze can acquire and/or analyze memory images and, on a live system, can include the paging file in its analysis. It can perform all these functions on live system memory or memory image files, whether they were acquired by Memoryze or other memory acquisition tools.
Memoryze.exe is the executable that takes the command-line parameters and executes the XML audit or script.
Memoryze command line parameters are as follows:
- -o [directory] The optional directory argument specifies the location to store the results. If no location is specified, the results are stored by default in /Audits/<system name>/<timestamp>/, where <system name> is the name of the system on which Memoryze is executing and <timestamp> is a date/time stamp in the format YYYYMMDDHHMMSS.
- -script executes the specified audit script (*.Batch.xml)
- -encoding [none,aff,gzip] selects how the output is stored:
  - none – no encoding of the output
  - aff – compresses the output into an AFF evidence container
  - gzip – compresses the output with GZIP
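An added example of driving these three parameters from a responder's script (this is not code from the article or from Memoryze's own tooling): it validates the inputs, runs Memoryze with -o, -script and -encoding, and then writes a SHA-256 manifest of everything produced so the acquisition can be verified later. The Memoryze install path, the audit script name and the manifest layout are assumptions.

```powershell
# Added example, not part of the original article or of Memoryze itself.
# Assumptions: Memoryze.exe lives at $MemoryzePath (default is a guess, not from the
# article) and the caller supplies the *.Batch.xml audit script to run.
function Invoke-MemoryzeAudit {
    param(
        [Parameter(Mandatory)] [string] $ScriptXml,          # -script: the *.Batch.xml audit
        [string] $OutputDir = (Join-Path $PWD 'Audits'),      # -o: where results are stored
        [ValidateSet('none', 'aff', 'gzip')]
        [string] $Encoding = 'none',                          # -encoding: none | aff | gzip
        [string] $MemoryzePath = 'C:\Program Files\MANDIANT\Memoryze\Memoryze.exe'  # assumed path
    )

    # Memory acquisition needs an elevated token; fail early rather than mid-collection.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal] $identity
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from an elevated (Administrator) PowerShell session.'
    }
    if (-not (Test-Path -LiteralPath $MemoryzePath)) { throw "Memoryze.exe not found at $MemoryzePath" }
    if (-not (Test-Path -LiteralPath $ScriptXml))    { throw "Audit script not found: $ScriptXml" }

    # In practice point -o at removable or network storage so the collection does not
    # overwrite unallocated space on the system under investigation.
    New-Item -ItemType Directory -Path $OutputDir -Force | Out-Null

    # Build the argument list exactly as the documented switches expect it.
    $argList = @('-o', $OutputDir, '-script', $ScriptXml, '-encoding', $Encoding)
    Write-Host "Running: `"$MemoryzePath`" $($argList -join ' ')"
    & $MemoryzePath @argList
    if ($LASTEXITCODE -ne 0) { throw "Memoryze exited with code $LASTEXITCODE" }

    # Hash every file under the output tree (Memoryze nests results by host and
    # timestamp) and record them in a CSV manifest for chain-of-custody purposes.
    $manifest = Join-Path $OutputDir "manifest-$(Get-Date -Format yyyyMMddHHmmss).csv"
    Get-ChildItem -Path $OutputDir -Recurse -File |
        Where-Object { $_.FullName -ne $manifest } |
        Get-FileHash -Algorithm SHA256 |
        Select-Object Path, Hash |
        Export-Csv -Path $manifest -NoTypeInformation
    return $manifest
}

# Constructed usage (script name is a placeholder, not from the article):
# Invoke-MemoryzeAudit -ScriptXml .\YourAudit.Batch.xml -OutputDir E:\IR\Audits -Encoding gzip
```

Keep the manifest with the evidence: re-hashing the output tree later and comparing against it shows whether anything was altered between acquisition and analysis.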
From an incident response perspective, identifying patient zero during an incident or infection is just the tip of the iceberg. A responder must gather evidence, artifacts, and data from the compromised systems, and having the right tool to perform these actions is a must. Not only does it automate the collection, it also helps the responder shorten the time needed to resolve the issue.