Memory Imaging and Analysis Tools

Memory Analysis

  • AVML - A portable volatile memory acquisition tool for Linux.
  • Evolve - Web interface for the Volatility Memory Forensics Framework.
  • inVtero.net - Advanced memory analysis for Windows x64 with nested hypervisor support.
  • LiME - Loadable Kernel Module (LKM), which allows the acquisition of volatile memory from Linux and Linux-based devices, formerly called DMD.
  • MalConfScan - Volatility plugin that extracts configuration data of known malware. Volatility is an open-source memory forensics framework for incident response and malware analysis. This plugin searches for malware in memory images and dumps its configuration data; it can also list the strings that the malicious code references.
  • Memoryze - Free memory forensic software that helps incident responders find evil in live memory. Memoryze can acquire and/or analyze memory images, and on live systems, can include the paging file in its analysis.
  • Memoryze for Mac - The macOS version of Memoryze, with a smaller feature set.
  • [MemProcFS](https://github.com/ufrisk/MemProcFS) - MemProcFS is an easy and convenient way of viewing physical memory as files in a virtual file system.
  • Orochi - Orochi is an open source framework for collaborative forensic memory dump analysis.
  • Rekall - Open source tool (and library) for the extraction of digital artifacts from volatile memory (RAM) samples.
  • Responder PRO - Responder PRO is the industry standard physical memory and automated malware analysis solution.
  • Volatility - Advanced memory forensics framework.
  • Volatility 3 - The volatile memory extraction framework (successor of Volatility).
  • VolatilityBot - Automation tool for researchers that removes the guesswork and manual tasks from the binary extraction phase, or helps the investigator with the first steps of a memory analysis investigation.
  • VolDiff - Malware Memory Footprint Analysis based on Volatility.
  • WindowsSCOPE - Memory forensics and reverse engineering tool used for analyzing volatile memory offering the capability of analyzing the Windows kernel, drivers, DLLs, and virtual and physical memory.

Memory Imaging

  • Belkasoft Live RAM Capturer - Tiny free forensic tool to reliably extract the entire content of the computer’s volatile memory – even if protected by an active anti-debugging or anti-dumping system.
  • Linux Memory Grabber - Script for dumping Linux memory and creating Volatility profiles.
  • MAGNET DumpIt - Fast memory acquisition tool for Windows (x86, x64, ARM64). Generate full memory crash dumps of Windows machines.
  • Magnet RAM Capture - Free imaging tool designed to capture the physical memory of a suspect’s computer. Supports recent versions of Windows.
  • OSForensics - Tool to acquire live memory on 32-bit and 64-bit systems. A dump of an individual process’s memory space or physical memory dump can be done.