ATC-NY Announces New Computer Forensics Tool – Mem Marshal

ATC-NY’s new forensics tool – Mem Marshal™ 1.0 – is a user-friendly, automated memory analysis system that assists and automates computer forensic investigations of volatile memory (RAM) images. Mem Marshal enables computer forensic investigators to analyze and effectively make use of information contained in volatile memory. Memory analysis produces important, case-relevant data for investigators that cannot be obtained from disk analysis, such as running applications, open files, and active network connections. Mem Marshal lets investigators use that data to focus time-consuming disk analysis. It reduces investigation time by using information acquired from memory images, which can be searched and analyzed quickly.

Mem Marshal follows forensic best practices and maintains a detailed log file of all activities it performs. It produces reports in RTF, PDF, and HTML formats. Mem Marshal is currently available at no cost to U.S. Law Enforcement. For more information on how to obtain a free copy visit their website at: http://www.memmarshal.com.

For the latest news, follow Mem Marshal on Twitter for information about product updates and scheduled training sessions.

ATC-NY's Growing Family of Forensics Tools


Mem Marshal is part of ATC-NY’s Cyber Marshal forensics products, including P2P Marshal, Live Marshal, Mac Marshal and Router Marshal, that are currently in use by U.S. law enforcement in all 50 states to investigate cyber crimes. Without automated tools, a forensic investigator’s job to find evidence of illegal distribution of contraband and other crimes is manually intensive and time-consuming. These forensic tools greatly help investigators reduce the time required for the analysis process. These tools are also useful to private corporations for compliance checking. For example, a company that prohibits peer-to-peer software on its corporate systems could use P2P Marshal to confirm such compliance.

To read more about these forensics tools, visit the Cyber Marshal site at http://www.cybermarshal.com.

ABOUT ATC-NY. Located in Ithaca, NY, ATC-NY conducts advanced research and development in computer security and information assurance. ATC-NY is a subsidiary of Architecture Technology Corporation (ATC), headquartered in Eden Prairie, MN. Founded in 1981, ATC specializes in software-intensive solutions for complex problems in information security, cyber security, enterprise-scale network computing architectures, and network management. ATC’s customers include firms in the private sector and government agencies such as the U.S. Departments of Defense, Homeland Security and Transportation.


Latest Videos

Quantifying Data Volatility for IoT Forensics With Examples From Contiki OS

Forensic Focus 22nd June 2022 5:00 am

File timestamps are used by forensics practitioners as a fundamental artifact. For example, the creation of user files can show traces of user activity, while system files, like configuration and log files, typically reveal when a program was run.

Despite timestamps being ubiquitous, the understanding of their exact meaning is mostly overlooked in favor of fully-automated, correlation-based approaches. Existing work for practitioners aims at understanding Windows and is not directly applicable to Unix-like systems.

In this paper, we review how each layer of the software stack (kernel, file system, libraries, application) influences MACB timestamps on Unix systems such as Linux, OpenBSD, FreeBSD and macOS.

We examine how POSIX specifies the timestamp behavior and propose a framework for automatically profiling OS kernels, user mode libraries and applications, including compliance checks against POSIX.

Our implementation covers four different operating systems, the GIO and Qt library, as well as several user mode applications and is released as open-source.

Based on 187 compliance tests and automated profiling covering common file operations, we found multiple unexpected and non-compliant behaviors, both on common operations and in edge cases.

Furthermore, we provide tables summarizing timestamp behavior aimed to be used by practitioners as a quick-reference.

Learn more: https://dfrws.org/presentation/a-systematic-approach-to-understanding-macb-timestamps-on-unixlike-systems/


A Systematic Approach to Understanding MACB Timestamps on Unixlike Systems

Forensic Focus 21st June 2022 5:00 am
