Any tips for a new Memoryze/Audit Viewer user?

(@jaysp), topic starter:

I just started using Memoryze and Audit Viewer and am pretty much blown away. I have used FTK and Volatility, and strings+grep in the past, but lately have been playing around in Memoryze and find I highly prefer it. The layout, registry enumeration, MRI features and Snort signatures are absolutely amazing. That being said, I have a few questions for any of you more skilled with it.

* Is there any way to verify an executable was launched from a user on a specific domain?

* On this note, is there a way to determine whether an executable was launched by the default account on various machines without writing a script to replace the values each time (ie to detect a hacked service account launching apps with higher privileges than the current user)?

* Is there a way to exclude a specific process's strings from search (in particular, so I don't search for known baddies and pull up strings from the AV sigs)?

* Is it a good idea to set the paths of every exe in the win/sys32 dirs (I work with a mix of Windows OSes, and see no difference in paths between XP and 7)?

* Any way to completely ignore known good processes like the 'difference' tab in FTK's volatile analysis?

* How do I get a server using PAE to work with it? I tried and got zero output… The dump is good because I can analyze it in FTK.

That being said, I would love to hear any tips, best practices/methodologies, or good tutorials people have found. XML files, converted SNORT signatures, and the like would also be very appreciated.

(@fuzen):

* Is there any way to verify an executable was launched from a user on a specific domain?

In Audit Viewer on the left side where the processes are listed, you can double-click a particular process or Expand them all to reveal the SID of the owner. If Memoryze is being run against a live host, we will include the user name.

* On this note, is there a way to determine whether an executable was launched by the default account on various machines without writing a script to replace the values each time (ie to detect a hacked service account launching apps with higher privileges than the current user)?

You can create a Malware Rating Index (MRI) rule to identify processes launched by nonstandard users. This is very useful when looking at services or svchost.exe.

* Is there a way to exclude a specific process's strings from search (in particular, so I don't search for known baddies and pull up strings from the AV sigs)?

We do not recommend turning on strings on all processes because of the amount of data it can produce. When you add the data expansion of XML documents, the output can become very large. We are working on ways to fix this especially if you know several strings you are searching for.

In the meantime, I believe Audit Viewer (the newest) will allow you to limit your string search (post processing the output) to a single process.

Typically, we recommend enumerating all processes without strings. As you narrow your list of suspicious processes, you can specify an individual PID to enumerate with strings.

* Is it a good idea to set the paths of every exe in the win/sys32 dirs (I work with a mix of windows OS's, and see no difference in paths between XP and 7)?

I am not sure exactly what you are asking here. There are differences in paths between XP and Windows 7.

* Any way to completely ignore known good processes like the 'difference' tab in FTK's volatile analysis?

Audit Viewer with MRI ranks the processes. You could choose to ignore those with a score of 100. All the tabs in Audit Viewer can toggle between all processes (double click Processes) and a single process (double click the individual process). As I mentioned, I believe the searches can also be scoped to an individual process.

* How do I get a server using PAE to work with it? I tried and got zero output… The dump is good because I can analyze it in FTK.

We have supported PAE since we released Memoryze. If you can share the image, I would be happy to debug this. Or if you send me the issues files, I will get a better idea of what is happening.

Thanks for using Memoryze and Audit Viewer. I hope these tools continue to meet your needs as we add features.

Jamie Butler
http://forums.mandiant.com
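An added example, not from either poster and not written in Memoryze's own MRI rule format: a Python check that does what the two SID-related answers above describe, flagging service images (svchost.exe, services.exe, lsass.exe) owned by a nonstandard SID and process owners whose domain prefix differs from the expected domain. The baseline of expected owners and the sample process list are constructed for illustration.

```python
"""Flag processes whose owner SID is unexpected for that image.

Well-known service SIDs: S-1-5-18 (SYSTEM), S-1-5-19 (LOCAL SERVICE),
S-1-5-20 (NETWORK SERVICE). Domain account SIDs look like
S-1-5-21-<domain part>-<RID>; the part before the RID identifies the domain.
"""
import re

# Assumed baseline of acceptable owner SIDs per service image (constructed, not from Memoryze).
BASELINE = {
    "svchost.exe": {"S-1-5-18", "S-1-5-19", "S-1-5-20"},
    "services.exe": {"S-1-5-18"},
    "lsass.exe": {"S-1-5-18"},
}

DOMAIN_SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")


def domain_of(sid):
    """Return the domain prefix of an S-1-5-21 account SID, or None for well-known SIDs."""
    m = DOMAIN_SID_RE.match(sid)
    return m.group(1) if m else None


def flag_processes(processes, expected_domain):
    """Return (pid, image, reason) for each process that deserves a closer look."""
    findings = []
    for pid, image, sid in processes:
        allowed = BASELINE.get(image.lower())
        if allowed is not None and sid not in allowed:
            findings.append((pid, image, f"service image owned by nonstandard SID {sid}"))
            continue
        dom = domain_of(sid)
        if dom is not None and dom != expected_domain:
            findings.append((pid, image, f"owner from unexpected domain {dom}"))
    return findings


# Constructed sample process list (pid, image, owner SID); not real case data.
EXPECTED_DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE = [
    (4, "System", "S-1-5-18"),
    (620, "services.exe", "S-1-5-18"),
    (900, "svchost.exe", "S-1-5-20"),
    (1340, "svchost.exe", EXPECTED_DOMAIN + "-1105"),  # svchost owned by an ordinary user account
    (2012, "explorer.exe", EXPECTED_DOMAIN + "-1105"),
    (2400, "cmd.exe", "S-1-5-21-9999999999-8888888888-7777777777-500"),  # account from another domain
]

if __name__ == "__main__":
    for pid, image, reason in flag_processes(SAMPLE, EXPECTED_DOMAIN):
        print(f"PID {pid:>5} {image:<14} {reason}")
```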
