CrowdStrike released SuperMem, a great tool for automated Windows memory analysis.



SuperMem allows analysts to perform quick triage with Volatility 3, but also a full triage with Volatility 2, 3/EVTXtract/memdumping and other resource gathering tools, or a comprehensive triage with all of the above + dumping all loaded DLLs, processes and drivers and check them with Yara, all from a simple Python script.

The tool has been developed by James Lovato, principal consultant ad CrowdStrike [1]:

Performing memory analysis in incident response investigations can be tedious and challenging because of the lack of commercial options for processing memory samples, no all-in-one open-source tools to process samples, and a shortage of the knowledge and skill to do so. Recognizing this, CrowdStrike Services created SuperMem, an open-source Windows memory processing script that helps investigators consistently and quickly process memory samples in their investigations.

The tool is a Python script that will parse Windows memory samples in a consistent, quick and selective way.
The triage-type methodology consists of three types, Quick, Full and Comprehensive

Quick: Very limited processing

  • Volatility 3
  • Strings
  • Bulk Extractor

Full: More in-depth processing

  • Quick Triage
  • Volatility 3 +
  • Volatility 2
  • EVTXtract
  • Dump Files (only specified files and paths)
  • Dump Registry Hives
  • Plaso
  • Gather Network IOCs

Comprehensive: “Everything but the kitchen sink” processing

  • Full Triage
  • Dump Loaded DLLs, Processes and Drivers
  • Yara

For more details and installation instructions, please refer to official GitHub repository: https://github.com/CrowdStrike/SuperMem


References

  1. SuperMem: A Free CrowdStrike Incident Response Tool for Automating Memory Image Processing
  2. https://github.com/CrowdStrike/SuperMem