Digital forensics

New forensic tool automates RAM forensic investigations

Published 6 August 2012

New tool enables computer forensic investigators to analyze and make use of information contained in volatile memory; memory analysis produces important, case-relevant data for investigators that cannot be obtained from disk analysis, such as running applications, open files, and active network connections

ATC-NY's new forensics tool, Mem Marshal 1.0, is a user-friendly, automated memory analysis system that assists and automates computer forensic investigations of volatile memory (RAM) images. Mem Marshal enables computer forensic investigators to analyze and make use of information contained in volatile memory. Memory analysis produces important, case-relevant data for investigators that cannot be obtained from disk analysis, such as running applications, open files, and active network connections.

The new tool joins other members of the company’s family of digital forensic tools.

The company says Mem Marshal enables investigators to focus and enhance time-consuming disk analysis. It reduces investigation time by using information acquired from memory images, which can be searched and analyzed quickly.

The company notes that Mem Marshal follows forensic best practices and maintains a detailed log file of all activities it performs. It produces reports in RTF, PDF, and HTML formats. Mem Marshal is currently available at no cost to U.S. law enforcement.

Mem Marshal is part of ATC-NY’s Cyber Marshal forensics products, which also include P2P Marshal, Live Marshal, Mac Marshal, and Router Marshal and are currently in use by U.S. law enforcement to investigate cyber crimes. Without automated tools, a forensic investigator’s job of finding evidence of illegal distribution of contraband and other crimes is manually intensive and time-consuming. These forensic tools help investigators reduce the time required for the analysis process. These tools are also useful to private corporations for compliance checking.