Mem Marshal™ 1.0.0

Mem Marshal™ is a software tool that runs on a forensic investigator's workstation to analyze captured volatile memory (RAM) images.

Features

• Analyzes RAM images from Windows XP (32-bit) operating systems
• Displays running processes, open files, active network connections, open registry keys, process DLLs, and process SIDs
• Finds and identifies hidden processes and network connections automatically
• Displays and searches the Windows registry
• Extracts Gmail and Yahoo Mail webmail data from Web browser memory
• Performs string and regular expression searches
• Carves images from memory
• Supports raw, crash dump, and hibernation file formats
• Output reports in PDF, RTF, or HTML

Requirements

• Microsoft Windows XP or newer, 32- or 64-bit
• 150 MB disk space free

Screenshots

Process List

Network Connections

Carved Images

Windows Registry