If you're a fan of Volatility, you'll love CrowdStrike’s SuperMem
CrowdStrike released SuperMem, a great tool for automated Windows memory analysis.
SuperMem allows analysts to perform a quick triage with Volatility 3; a full triage that adds Volatility 2, EVTXtract, file and hive dumping and other artefact-gathering tools; or a comprehensive triage that takes all of the above and also dumps all loaded DLLs, processes and drivers and checks them with Yara, all from a single Python script.
The tool has been developed by James Lovato, principal consultant at CrowdStrike [1]:
Performing memory analysis in incident response investigations can be tedious and challenging because of the lack of commercial options for processing memory samples, no all-in-one open-source tools to process samples, and a shortage of the knowledge and skill to do so. Recognizing this, CrowdStrike Services created SuperMem, an open-source Windows memory processing script that helps investigators consistently and quickly process memory samples in their investigations.
The tool is a Python script that will parse Windows memory samples in a consistent, quick and selective way.
The triage-type methodology consists of three types, Quick, Full and Comprehensive:
Quick: Very limited processing
- Volatility 3
- Strings
- Bulk Extractor
Full: More in-depth processing
- Quick Triage
- Volatility 3 +
- Volatility 2
- EVTXtract
- Dump Files (only specified files and paths)
- Dump Registry Hives
- Plaso
- Gather Network IOCs
Comprehensive: “Everything but the kitchen sink” processing
- Full Triage
- Dump Loaded DLLs, Processes and Drivers
- Yara
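To make the cumulative nature of the three levels concrete, and to show what the "Gather Network IOCs" step of a Full triage amounts to in practice, here is an added example in Python. It is not SuperMem's own code. It assumes Volatility 3 was run with its JSON renderer (`-r json`) on `windows.netscan`, which emits one object per row keyed by the plugin's column names (Offset, Proto, LocalAddr, LocalPort, ForeignAddr, ForeignPort, State, PID, Owner, Created); the sample rows are constructed, not taken from a real memory image.

```python
"""Added example (not SuperMem's own code): expand the cumulative triage levels
and run a 'Gather Network IOCs' pass over Volatility 3 windows.netscan JSON.

Assumption: rows follow the netscan column names listed in the lead-in.
Sample rows below are constructed for illustration.
"""
import ipaddress
import json

# Task list per triage level as the post describes it; each level builds on
# the previous one (Full includes Quick, Comprehensive includes Full).
TRIAGE_LEVELS = {
    "quick": ["volatility3", "strings", "bulk_extractor"],
    "full": ["volatility2", "evtxtract", "dump_files", "dump_registry_hives",
             "plaso", "gather_network_iocs"],
    "comprehensive": ["dump_dlls_processes_drivers", "yara"],
}
LEVEL_ORDER = ["quick", "full", "comprehensive"]


def plan_tasks(level):
    """Return the ordered, cumulative task list for a triage level."""
    if level not in LEVEL_ORDER:
        raise ValueError(f"unknown triage level: {level!r}")
    tasks = []
    for name in LEVEL_ORDER[: LEVEL_ORDER.index(level) + 1]:
        tasks.extend(TRIAGE_LEVELS[name])
    return tasks


# Ranges that never count as an external IOC. Listed explicitly rather than via
# ipaddress.is_global, because Python treats documentation ranges such as
# 203.0.113.0/24 (used in the constructed sample) as non-global too.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
    "::/128", "::1/128", "fe80::/10", "fc00::/7", "ff00::/8",
)]


def is_external(addr):
    """True if addr parses as an IP and lies outside every internal range.

    netscan uses placeholders such as '*' for unbound endpoints; those do not
    parse and are treated as not external.
    """
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return not any(ip in net for net in INTERNAL_NETS)


def gather_network_iocs(netscan_json):
    """Map each external (ForeignAddr, ForeignPort) to the set of (Owner, PID)
    processes that held a socket to it."""
    iocs = {}
    for row in json.loads(netscan_json):
        addr = row.get("ForeignAddr", "")
        if not is_external(addr):
            continue
        key = (addr, row.get("ForeignPort"))
        iocs.setdefault(key, set()).add((row.get("Owner"), row.get("PID")))
    return iocs


# Constructed netscan rows (Offset and Created values are placeholders).
SAMPLE_NETSCAN = json.dumps([
    {"Offset": "0x1a2b3c", "Proto": "TCPv4", "LocalAddr": "10.0.0.5", "LocalPort": 49712,
     "ForeignAddr": "203.0.113.10", "ForeignPort": 443, "State": "ESTABLISHED",
     "PID": 4120, "Owner": "svchost.exe", "Created": "2021-09-01 12:00:00"},
    {"Offset": "0x1a2b40", "Proto": "TCPv4", "LocalAddr": "0.0.0.0", "LocalPort": 445,
     "ForeignAddr": "0.0.0.0", "ForeignPort": 0, "State": "LISTENING",
     "PID": 4, "Owner": "System", "Created": "2021-09-01 11:58:00"},
    {"Offset": "0x1a2b44", "Proto": "UDPv4", "LocalAddr": "10.0.0.5", "LocalPort": 137,
     "ForeignAddr": "*", "ForeignPort": 0, "State": "",
     "PID": 4, "Owner": "System", "Created": "2021-09-01 11:58:00"},
    {"Offset": "0x1a2b48", "Proto": "TCPv4", "LocalAddr": "10.0.0.5", "LocalPort": 50201,
     "ForeignAddr": "10.0.0.7", "ForeignPort": 445, "State": "ESTABLISHED",
     "PID": 4, "Owner": "System", "Created": "2021-09-01 12:01:00"},
    {"Offset": "0x1a2b4c", "Proto": "TCPv4", "LocalAddr": "10.0.0.5", "LocalPort": 50244,
     "ForeignAddr": "203.0.113.10", "ForeignPort": 443, "State": "CLOSE_WAIT",
     "PID": 5016, "Owner": "update.exe", "Created": "2021-09-01 12:03:00"},
    {"Offset": "0x1a2b50", "Proto": "TCPv6", "LocalAddr": "fe80::1", "LocalPort": 50300,
     "ForeignAddr": "2001:db8::10", "ForeignPort": 8443, "State": "ESTABLISHED",
     "PID": 5016, "Owner": "update.exe", "Created": "2021-09-01 12:04:00"},
])

if __name__ == "__main__":
    print("full triage tasks:", plan_tasks("full"))
    for (addr, port), owners in sorted(gather_network_iocs(SAMPLE_NETSCAN).items()):
        print(f"{addr}:{port} <- {sorted(owners)}")
```

Keying the result on the foreign endpoint rather than on the process is deliberate: during triage the question is usually "which processes talked to this address", and two unrelated processes sharing one external endpoint (as the constructed sample shows) is exactly the kind of detail that a per-process listing buries.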
For more details and installation instructions, please refer to the official GitHub repository: https://github.com/CrowdStrike/SuperMem