MemGator is a memory file analysis tool that automates the extraction of data from a memory image and compiles a report for the investigator. It brings together a number of tools, namely the Volatility Framework, the Scalpel file carver and AESKeyFinder, in one program.
MemGator automates the running of nearly all the commands from Volatility Framework 2.3.1. For certain Volatility commands the user has the option to add extra command line parameters. The program automatically selects the correct OS profile to use for all of the Volatility commands.
The user can override this and enter an OS profile manually if required. In addition, MemGator automates the running of Scalpel while still allowing the user to add search strings of their choice. Scalpel automatically carves for usernames and passwords for Gmail, Hotmail, Yahoo, Facebook and Livedrive, and for autofill form entries from the Chrome web browser. The program can also extract TrueCrypt encryption keys from the memory file.
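The same workflow can be scripted outside MemGator. The following is an added example, not MemGator's own code: it parses the profile that imageinfo suggests (using the reported service pack to break an SP2/SP3 tie, which the KDBG search alone cannot), lets the analyst override it manually, picks the network plugins by OS generation as the NETWORK CONNECTIONS section below requires, and runs vol.py once per plugin into a report directory. The imageinfo text is constructed in the Volatility 2.3.1 output layout, and the file paths and plugin battery are illustrative assumptions; run_report needs vol.py on PATH.

```python
"""Drive a Volatility 2.3.1 plugin battery the way MemGator automates it.
Added example, not MemGator code: profile selection from imageinfo output,
manual override, plugin set by OS generation, one output file per plugin."""
import re
import subprocess
from pathlib import Path

# Constructed imageinfo output in the Volatility 2.3.1 layout (not from a real image).
SAMPLE_IMAGEINFO = """\
Volatility Foundation Volatility Framework 2.3.1
Determining profile based on KDBG search...

          Suggested Profile(s) : WinXPSP2x86, WinXPSP3x86 (Instantiated with WinXPSP2x86)
                     AS Layer1 : IA32PagedMemoryPae (Kernel AS)
                     AS Layer2 : FileAddressSpace (/cases/001/memory.raw)
                      PAE type : PAE
                           DTB : 0x319000L
                          KDBG : 0x80545ae0L
          Number of Processors : 1
     Image Type (Service Pack) : 3
                KPCR for CPU 0 : 0xffdff000L
"""


def suggested_profiles(imageinfo_output):
    """Profiles listed by imageinfo, in its order, without the
    '(Instantiated with ...)' note."""
    m = re.search(r"Suggested Profile\(s\)\s*:\s*(.+)", imageinfo_output)
    if not m:
        return []
    names = re.sub(r"\(Instantiated with.*\)", "", m.group(1))
    return [p.strip() for p in names.split(",") if p.strip()]


def select_profile(imageinfo_output, override=None):
    """Automatic choice with a manual override. imageinfo often cannot tell
    SP2 from SP3 by KDBG alone, so prefer the profile whose SP number matches
    the 'Image Type (Service Pack)' field; otherwise take the first suggestion."""
    if override:
        return override
    profiles = suggested_profiles(imageinfo_output)
    if not profiles:
        raise ValueError("imageinfo suggested no profile; supply one manually")
    sp = re.search(r"Image Type \(Service Pack\)\s*:\s*(\d+)", imageinfo_output)
    if sp:
        for p in profiles:
            if "SP%s" % sp.group(1) in p:
                return p
    return profiles[0]


def plugins_for_profile(profile):
    """Plugin battery (assumed selection). connections/connscan/sockets/socketscan
    only work on XP and 2003; netscan only on Vista, 2008 and 7."""
    common = ["pslist", "pstree", "psscan", "dlllist", "handles", "getsids",
              "cmdscan", "consoles", "malfind", "svcscan", "ldrmodules", "psxview",
              "modules", "modscan", "filescan", "hivelist", "hashdump",
              "userassist", "shimcache"]
    if profile.startswith(("WinXP", "Win2003")):
        net = ["connections", "connscan", "sockets", "socketscan"]
    else:
        net = ["netscan"]
    return common + net


def build_commands(memfile, profile, plugins, extra_args=None):
    """One vol.py argv per plugin. extra_args maps plugin name -> extra options,
    the per-command parameters MemGator lets the user add (e.g. -p/-D for memdump)."""
    extra_args = extra_args or {}
    return [["vol.py", "-f", memfile, "--profile=%s" % profile, plugin]
            + list(extra_args.get(plugin, [])) for plugin in plugins]


def run_report(memfile, outdir, override=None, extra_args=None):
    """Run imageinfo, choose the profile, run the battery and save one text
    file per plugin. Requires vol.py on PATH; returns the profile used."""
    out = Path(outdir)
    out.mkdir(parents=True, exist_ok=True)
    info = subprocess.run(["vol.py", "-f", memfile, "imageinfo"],
                          capture_output=True, text=True, check=True).stdout
    (out / "imageinfo.txt").write_text(info)
    profile = select_profile(info, override)
    plugins = plugins_for_profile(profile)
    for plugin, argv in zip(plugins, build_commands(memfile, profile, plugins, extra_args)):
        res = subprocess.run(argv, capture_output=True, text=True)
        (out / (plugin + ".txt")).write_text(res.stdout + res.stderr)
    return profile


if __name__ == "__main__":
    import sys
    # usage: script.py memory.raw report_dir [ProfileOverride]
    print(run_report(sys.argv[1], sys.argv[2],
                     override=sys.argv[3] if len(sys.argv) > 3 else None))
```

Keep the imageinfo.txt alongside the plugin output: if a plugin returns nothing or garbage, the first thing to check is whether the chosen profile was right, and the override parameter exists for exactly that case.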
SUPPORTED OPERATING SYSTEMS
Microsoft Windows:
32-bit Windows XP Service Pack 2 and 3
32-bit Windows 2003 Server Service Pack 0, 1, 2
32-bit Windows Vista Service Pack 0, 1, 2
32-bit Windows 2008 Server Service Pack 1, 2 (there is no SP0)
32-bit Windows 7 Service Pack 0, 1
64-bit Windows XP Service Pack 1 and 2 (there is no SP0)
64-bit Windows 2003 Server Service Pack 1 and 2 (there is no SP0)
64-bit Windows Vista Service Pack 0, 1, 2
64-bit Windows 2008 Server Service Pack 1 and 2 (there is no SP0)
64-bit Windows 2008 R2 Server Service Pack 0 and 1
64-bit Windows 7 Service Pack 0 and 1
Below is the list of tools/commands that are included.
IMAGE IDENTIFICATION
Volatility (imageinfo command) – Extracts details of the OS from memory file.
Volatility (kdbgscan command) – Search for and dump potential KDBG values.
Volatility (kpcrscan command) – Search for and dump potential _KPCR values.
PROCESSES and DLLS
Volatility (pslist command) – Print list of running processes.
Volatility (pstree command) – Print process list as a tree.
Volatility (psscan command) – Scan physical memory for _EPROCESS objects.
Volatility (dlllist command) – Print list of loaded DLLs for each process.
Volatility (dlldump command) – Dump DLLs from a process address space to disk.
Volatility (handles command) – Print list of open handles for each process.
Volatility (getsids command) – Print list of SIDs (Security Identifiers) associated with a process.
Volatility (envars command) – Display process environment variables.
Volatility (cmdscan command) – Extract command history by scanning for _COMMAND_HISTORY
Volatility (consoles command) – Extract command history by scanning for _CONSOLE_INFORMATION
Volatility (privs command) – Identify the present and/or enabled windows privileges for each process
PROCESS MEMORY
Volatility (memmap command) – Print the memory map.
Volatility (memdump command) – Dump the addressable memory for a process.
Volatility (procmemdump command) – Dump a process to an executable memory sample.
Volatility (procexedump command) – Dump a process to an executable file.
Volatility (evtlogs command) – Parse XP and 2003 event logs from memory.
Volatility (vadwalk command) – Walk the VAD tree.
Volatility (vadtree command) – Walk the VAD tree and display in tree format.
Volatility (vadinfo command) – Dump the VAD info.
Volatility (vaddump command) – Dumps out the vad sections to a file.
Volatility (iehistory command) – Extract and parse Internet Explorer history and URL cache
NETWORK CONNECTIONS
Volatility (connections command) – Print list of open connections.
Volatility (connscan command) – Scan physical memory for connection structures (Windows XP and Windows Server 2003 only).
Volatility (sockets command) – Print open sockets (Windows XP and Windows Server 2003 only).
Volatility (socketscan command) – Scan physical memory for _ADDRESS_OBJECT (Windows XP and Windows Server 2003 only).
Volatility (netscan command) – Scan for network artifacts in Windows Vista, 2008 Server and Windows 7.
MALWARE DETECTION
Volatility (malfind command) – Detect hidden and injected code.
Volatility (svcscan command) – Scan for Window Services.
Volatility (ldrmodules command) – For each memory-mapped PE file, prints a 0 or a 1 indicating whether the PE appears in each of the PEB module lists; a 0 in every list can indicate an unlinked or injected module.
Volatility (apihooks command) – find API hooks in user mode or kernel mode
Volatility (idt command) – Dumps the Interrupt Descriptor Table (x86 only)
Volatility (gdt command) – Dumps the Global Descriptor Table (x86 only)
Volatility (threads command) – Investigate _ETHREAD and _KTHREAD structures.
Volatility (callbacks command) – Print system-wide notification routines (x86 only)
Volatility (devicetree command) – Show device tree
Volatility (psxview command) – detect hidden processes by comparing what PsActiveProcessHead contains with what is reported by various other sources of process listings
Volatility (timers command) – Print kernel timers and associated module DPCs (x86 only)
Volatility (impscan command) – Scan for calls to imported functions
Volatility (driverirp command) – Driver IRP hook detection.
PASSWORDS AND ENCRYPTION KEYS
Volatility (bioskbd command) – Read keystrokes from the BIOS area of memory (if present).
AESKeyFinder – Searches the memory file for AES key schedules, used to recover TrueCrypt AES encryption keys.
Scalpel (Logons) – Searches for usernames and passwords for Gmail, Hotmail, Yahoo, Facebook and Livedrive.
REGISTRY
Volatility (userassist command) – Extracts the UserAssist keys from the memory file.
Volatility (shimcache command) – Parses the Application Compatibility Shim Cache registry key.
Volatility (getservicesids command) – Calculate SIDs for Windows services in the registry.
Volatility (hivedump command) – Recursively prints all keys and timestamps in a given hive.
Volatility (printkey command) – Print a registry key, with its subkeys and values.
Volatility (hivelist command) – Print the list of registry hives, with the virtual and physical address of each CMHIVE and its name.
Volatility (hashdump command) – dump the LanMan and NT hashes from the registry (deobfuscated).
Volatility (lsadump command) – Dump (decrypted) LSA secrets from the registry (XP and 2003 x86 only).
Volatility (shellbags command) – This plugin parses and prints Shellbag information obtained from the registry
KERNEL MEMORY and OBJECTS
Volatility (modules command) – Print list of loaded modules.
Volatility (modscan command) – Scan physical memory for _LDR_DATA_TABLE_ENTRY objects (finds unlinked or hidden kernel modules).
Volatility (moddump command) – Extract a kernel driver to disk.
Volatility (ssdt command) – Print the Native and GDI System Service Descriptor Tables.
Volatility (driverscan command) – Scan physical memory for _DRIVER_OBJECT objects.
Volatility (filescan command) – Scan physical memory for _FILE_OBJECT objects.
Volatility (mutantscan command) – Scan physical memory for _KMUTANT objects
Volatility (symlinkscan command) – Scans for symbolic link objects
Volatility (thrdscan command) – Scan physical memory for _ETHREAD objects
Volatility (dumpfiles command) – Reconstruct files from the windows cache manager and shared section objects.
Volatility (unloadedmodules command) – Show recently unloaded kernel modules (which indirectly tells you which ones recently loaded)
WIN32K / GUI MEMORY
Volatility (sessions command) – List details on _MM_SESSION_SPACE (user logon sessions)
Volatility (wndscan command) – Pool scanner for tagWINDOWSTATION (window stations)
Volatility (deskscan command) – Pool scanner for tagDESKTOP (desktops)
Volatility (atomscan command) – Pool scanner for _RTL_ATOM_TABLE
Volatility (clipboard command) – Extract the contents of the windows clipboard
Volatility (eventhooks command) – Print details on windows event hooks
Volatility (gahti command) – Dump the USER handle type information
Volatility (screenshot command) – Save a pseudo-screenshot based on GDI windows
Volatility (userhandles command) – Dump the USER handle tables
Volatility (windows command) – Print Desktop Windows (verbose details)
Volatility (wintree command) – Print Z-Order Desktop Windows Tree
Volatility (gditimers command) – Analyze GDI timer objects and their callbacks
FILE FORMATS
Volatility (crashinfo command) – Dump crash-dump information
Volatility (hibinfo command) – Dump hibernation file information
Volatility (imagecopy command) – Copies a physical address space out as a raw DD image
Volatility (raw2dmp command) – Converts a physical memory sample to a windbg crash dump
Volatility (vboxinfo command) – Display header and memory runs information from VirtualBox core dumps
Volatility (vmwareinfo command) – Display header and memory runs information from VMware vmss or vmsn files
Volatility (hpakinfo command) – Display header and memory runs information from .hpak files
FILE SYSTEM
Volatility (mbrparser command) – Scans for and parses potential Master Boot Records (MBRs)
Volatility (mftparser command) – Scans for and parses potential MFT entries
DATA CARVING
Scalpel – Will carve for files and search strings as configured by the user
Scalpel (Autofill) – Will carve for Chrome web browser autofill form entries
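User-supplied search strings reach Scalpel as entries in its configuration file, one line per pattern: extension, case sensitivity, maximum carve size, header and optional footer. The following is an added example, not MemGator's code and not its shipped logon/autofill signatures: it turns plain search strings into scalpel.conf entries, escaping the characters that would otherwise change the pattern's meaning. The escaping rules (\s for a space, \xHH for non-printable bytes, ? as a single-byte wildcard) follow the Scalpel configuration conventions as understood here; the search strings and sizes are constructed for illustration.

```python
"""Generate scalpel.conf entries for custom search strings.
Added example, not MemGator's own code or signatures."""


def scalpel_escape(pattern):
    """Scalpel header/footer patterns are whitespace-delimited byte patterns.
    A space must be written as \\s, '?' is a wildcard so it is written as \\x3f,
    and a backslash or non-printable byte is written as \\xHH (assumed Scalpel
    conf conventions). Patterns are treated as Latin-1 bytes."""
    out = []
    for b in pattern.encode("latin-1"):
        ch = chr(b)
        if ch == " ":
            out.append("\\s")
        elif 0x21 <= b <= 0x7E and ch not in ("\\", "?"):
            out.append(ch)
        else:
            out.append("\\x%02x" % b)
    return "".join(out)


def scalpel_entry(header, footer="", ext="NONE", case_sensitive=False, max_size=1000):
    """One scalpel.conf line. max_size is the most bytes carved after a header hit
    (the carve stops earlier if the footer is found); ext NONE writes no extension."""
    fields = [ext, "y" if case_sensitive else "n", str(max_size), scalpel_escape(header)]
    if footer:
        fields.append(scalpel_escape(footer))
    return "\t".join(fields)


def scalpel_config(search_strings, max_size=1000):
    """Build a configuration block from (header, footer) pairs; footer may be ''."""
    lines = ["# extension  case_sensitive  size  header  footer"]
    lines += [scalpel_entry(h, f, max_size=max_size) for h, f in search_strings]
    return "\n".join(lines) + "\n"


# Constructed example strings (hypothetical form field names, not real signatures):
# carve from a field name up to the next '&' separator, with a small size cap so
# one hit does not swallow unrelated memory.
EXAMPLE_STRINGS = [
    ("login_email=", "&"),
    ("session token: ", "\r\n"),
]

if __name__ == "__main__":
    print(scalpel_config(EXAMPLE_STRINGS, max_size=256), end="")
```

Keep the size cap small for credential-style strings: Scalpel carves up to max_size bytes whenever the footer is missing, so a generous value produces large, noisy output files and buries the hit in unrelated memory.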