SiQuest’s Memory Imager (SMI) is volatile memory capture utility for Windows that offers more convenient and specialized functionality over other “ram dumping” tools. SMI offers two versions: a Command Line interface, and a Windows graphical user interface.
Here are the main highlights of Memory Imager:
- Capture all “physical” memory (RAM) into one or more contiguous Raw (DD) image file format.
- Capture allocated memory for any number of individual “processes” running on a Windows system. This one feature alone sets Memory Imager apart from other tools. It makes it possible to collect very specific data about a running process without having to acquire all available memory.
- Logging is enabled for both types of capture.
- It is possible to specify “chunk sizes” for the image files created during capture. The default is 2GB.
- Unlike most capture tools that create a single binary (.bin) output file, Memory Imager offers the option to prepend a 512 Master Boot Record (MBR) partition to the output. This makes it possible for the imaged memory to be mounted as a physical disk using any variety of disk mounting tools. Since Memory Imager is an Internet Examiner Toolkit Family Product, memory capture files can be mounted natively within IXTK.
“Process” Memory Capture
For existing license holders of SiQuest’s Internet Examiner® Toolkit with a USB security key (dongle), it is possible to capture individual processes. This unique feature allows investigators to dramatically reduce the amount of data that has to be captured and later examined. One particularly good use for process capturing is workplace computer acceptable use compliance audits. Another use would be for conducting application behavioral research in the field of information security and memory based artifacts.
FOR EXAMPLE, would you rather image 16GB to 32GB of RAM, or just 50MB for a single application like Skype or Google Talk?
Command Line Features
- The Command Line version of Memory Imager (memimgr.exe) is more than just an ALL RAM dumping tool. A series of unique command line switches provides powerful flexibility in capturing live “processes”. With Memory Imager (Command Line), you can capture individual processes based on common system metadata (column names). These include Process Id, Process Name, Company Name, and Description.
- For instance, you might be called into a corporate office where many computers are running and your job is to collect memory relating to specific programs that might be expected to be running. For example, the company might permit employees to use Google Talk for instant messaging and access Facebook during breaks using the default Internet Explorer browser.
- Now, most other tools would force you to capture ALL RAM and this has some inherent problems, starting with the fact that some systems might have huge amounts of RAM (e.g., 12GB, 16GB, 32GB, 64GB). To have to collect ALL that memory for one system, in itself, is resource intensive since the collection process is often done using a USB memory device. Not to mention, it would take a lot of time thereafter to examine the contents of the capture memory binary files.
- Wouldn’t it be much nicer and faster to capture ONLY the memory allocated to the two programs in question? Wouldn’t it be more efficient to capture, as an example, 50MB worth of data instead of 32GB?? Well, with Memory Imager it is certainly possible. You can create .BATCH files and stored local keyword list files that can be called by Memory Imager dynamically. In the case of GTalk and IE processes, the following comman line could be used alone or in a .batch file:
memimgr.exe -desc @mykeywords.txt
- The Windows version of Memory Imager is a simpler approach to capturing physical and process memory. The one good difference is the ability to view processes in a columnar list format with options to filter by column name and check mark (select) individual items.
Are you interested in this product?
or Please contact CDFS for more information
1300 55 33 24 | E-mail: firstname.lastname@example.org