Mem Marshal™

Mem Marshal™ is a software tool that runs on a forensic investigator's workstation to analyze captured volatile memory (RAM) images.

Features

  • Analyzes RAM images from Windows XP (32-bit) operating systems
  • Displays running processes, open files, active network connections, open registry keys, process DLLs, and process SIDs
  • Finds and identifies hidden processes and network connections automatically
  • Displays and searches the Windows registry
  • Extracts Gmail and Yahoo Mail webmail data from Web browser memory
  • Performs string and regular expression searches
  • Carves images from memory
  • Supports raw, crash dump, and hibernation file formats
  • Outputs reports in PDF, RTF, or HTML

Requirements

  • Microsoft Windows XP or newer, 32- or 64-bit
  • 150 MB of free disk space

Screenshots

  • Process List
  • Network Connections
  • Carved Images
  • Windows Registry