
ManTech Memory DD
A free and open tool for capturing memory on Windows Vista and 2003 Server

ManTech Memory DD captures a record of physical memory (random access memory), whose contents are lost when the computer is shut down. Released at no charge under the GPL license for government and private use, ManTech's Memory DD (MDD) is capable of acquiring memory images from the following Microsoft® products: Windows® 2000, Windows Server 2003, Windows XP®, Windows Vista®, and Windows Server 2008.

ManTech's Memory DD 1.0 acquires a forensic image of physical memory and stores it as a raw binary file. To help verify data integrity and aid in the preservation of the evidence, the data captured by ManTech Memory DD is hashed with the Message-Digest algorithm 5 (MD5), a common Internet standard used in security applications. The binary file can then be analyzed using external tools to identify items of interest to the examiner.
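A worked example of the integrity step described above, added here and not part of MDD's own code: it streams a raw image through MD5 in fixed-size chunks (so an image of up to 4 GB is never loaded whole), compares the result against the digest recorded at acquisition time, and pulls printable strings from the image as a first pass at the "items of interest" an examiner would look for. The sample image bytes and the recorded digest are constructed for this example.

```python
import hashlib
import io
import re

CHUNK = 1 << 20  # 1 MiB chunks: hash a multi-GB raw image without reading it all into RAM


def md5_of_stream(stream, chunk_size=CHUNK):
    """Stream a raw memory image through MD5 chunk by chunk and return the hex digest."""
    h = hashlib.md5()
    for block in iter(lambda: stream.read(chunk_size), b""):
        h.update(block)
    return h.hexdigest()


def verify_image(stream, recorded_md5):
    """True if the image's MD5 matches the digest recorded when it was acquired."""
    return md5_of_stream(stream) == recorded_md5.strip().lower()


def extract_strings(data, min_len=6):
    """Return printable-ASCII runs of at least min_len bytes, a first triage pass over raw memory."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


# Constructed stand-in for a raw image: non-printable filler around two planted artifacts
# (a chat fragment and a driver path); the path is a placeholder, not a real indicator.
SAMPLE_IMAGE = (
    b"\x00" * 64
    + b"chat: hello from the other side"
    + b"\x11\x02" * 40
    + b"C:\\Windows\\System32\\drivers\\example.sys"
    + b"\xff" * 32
)
# Digest the acquisition would have recorded alongside the image (constructed here).
RECORDED_MD5 = hashlib.md5(SAMPLE_IMAGE).hexdigest()


def check_sample():
    """Verify the intact image, show that a one-bit change is detected, and list strings."""
    intact = verify_image(io.BytesIO(SAMPLE_IMAGE), RECORDED_MD5)
    tampered = bytearray(SAMPLE_IMAGE)
    tampered[70] ^= 0x01  # flip one bit inside the chat fragment
    tampered_ok = verify_image(io.BytesIO(bytes(tampered)), RECORDED_MD5)
    return {"intact": intact, "tampered": tampered_ok, "strings": extract_strings(SAMPLE_IMAGE)}


if __name__ == "__main__":
    print(check_sample())
```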

There have been numerous, well-documented computer exploits that never leave evidence on the computer's persistent storage devices, such as hard drives. These exploits reside solely in the physical memory of the machine. When the machine is powered off, the evidence of the exploit quickly vanishes. In some cases, evidence of online communication (such as chat sessions) resides in memory even after the communication has terminated. Encryption keys for disk encryption utilities can often be recovered from physical memory as well. The ability to image physical memory allows the forensic examiner to recover valuable information that would otherwise be lost forever. With ManTech Memory DD, it is now easy for Department of Defense, Intelligence Community, law enforcement, and commercial organizations to acquire and preserve physical memory images.

MDD was designed specifically to harvest a physical memory image from a running system. The software can copy up to 4 GB of memory to a file for later analysis. In this regard, MDD was built to harvest data that can be analyzed by another tool or software program to identify root kits and other malicious code residing undetected on a system.

A root kit is a set of tools that work through subversion and/or evasion of typical operating system security controls to allow a non-administrator to gain administrator privileges over the system. As such, all data that is stored on or accessible by the compromised system is available to the root kit. However, a root kit must load itself into memory to run. That is why MDD is so powerful: MDD can capture the root kit executable, which can then be analyzed by other tools to confirm that the system is compromised.

MDD is useful because it provides a binary file that can be coupled with other tools from ManTech International Corporation or other industry leaders to provide a comprehensive snapshot of physical memory.

As a free and open tool, MDD is managed via sourceforge.net.
