Monthly Archives: November 2008

New Audit Viewer for Memoryze

If you are tired of trying to load Memoryze's results into Internet Explorer

or into an Excel spreadsheet, check out the new viewer from Peter

Silberman. The Audit Viewer is written in Python and comes with

the BSD license because you know best how you want to view your data.

Audit Viewer allows the incident responder or forensic analyst to quickly view complex XML output in an easily readable format. Using familiar grouping of data and search capabilities, Audit Viewer makes memory analysis quicker and more intuitive.

Check out these features:

  • Process data can be viewed on a per process basis or in its entirety by double clicking the root node, "Processes". For example, when you double click on "Processes" and then click on the Files tab, all the file handles open on the host are displayed from least frequently to most frequently occurring.
  • Ability to search Files, Processes, Mutants, Events, Registry Keys, and Strings using plain text or regex.
  • Ability to load multiple Memoryze result sets contained in the same directory.
  • Handle types are separated out into more abstract types representing the logical type of the handle such as Files, Directories (part of the Object Manager's namespace), Processes, Keys, Mutants, and Events.
  • Memory sections with names are displayed under the DLLs tab.
  • Layered drivers are displayed in a tree view. This is useful for finding certain types of keyboard sniffers, network sniffers, and file filtering drivers.
  • Integrated with Memoryze to seamlessly acquire drivers and processes from live memory and images.
  • Ability to scan all processes for "questionable" executable sections. These sections have the EXECUTE_READWRITE flag but no name.

Special thanks to Peter for spending his nights and weekends to make this available.