The following tools can be used to conduct memory analysis.
Memory Analysis Frameworks
- Volatility Framework - A complete framework for analyzing Windows, Linux and Mac OS X memory images.
- WindowsSCOPE Pro, Ultimate - Comprehensive toolkit for the capture and analysis of Windows physical and virtual memory targeting cyber analysis, forensics/incident response, and education. Software and hardware based acquisition with CaptureGUARD PCIe and ExpressCard.
- WindowsSCOPE Live - Live fetch and analysis of Windows computers on a network from Android smartphones and tablets.
- Second Look from Raytheon Pikewerks Corporation - provides Linux memory forensics, including acquisition and analysis.
Browser Email Memory Tool
- pdgmail - A Python script to extract Gmail artifacts from memory images. Made for images acquired with pdd, but works with any memory image.
Instant Messenger Memory Tool
- Belkasoft Evidence Center - A tool by Belkasoft that retrieves various instant messenger artifacts from an attached memory image.
Platform Independent Tools
A list of tools which should work regardless of future incremental OS / hardware updates.
- inVtero.net - Open source hypervisor/process/kernel detection for Windows, FreeBSD, OpenBSD and NetBSD. inVtero.net is based on interpreting low-level, hardware-defined constructs that change little over time. See GitHub for details.
- Forensics MemDump Extractor - A tool by Gem George that can carve any kind of file residing in a memory dump based on its file signature. For example, given the signature of a JPG file, it will extract all JPGs residing in the memory dump.