Memory

volatility – An advanced memory forensics framework. Plugins: findevilproc (labels possible new candidates).

EVTXtract recovery – EVTXtract recovers and reconstructs fragments of EVTX log files from raw binary data, including unallocated space and memory images.

helix3 – Extract memory from Windows and send it via netcat to Linux (listener on the Linux side: nc -l -vvv -p 8888 > memory.dd).

FTK Imager – The FTK Imager tool is capable of both acquiring and analyzing computer forensic evidence.

AccessData FTK Imager – Mount disks.

Autopsy – Autopsy is a digital forensics platform and graphical interface to The Sleuth Kit® and other digital forensics tools. It is used by law enforcement, military, and corporate examiners to investigate what happened on a computer. You can even use it to recover photos from your camera’s memory card.

dumpit – Windows live memory acquisition (a standalone app).

Processdump – Process Dump is a Windows reverse-engineering command-line tool to dump malware memory components back to disk for analysis.

CheatEngine – Cheat Engine, commonly abbreviated as CE, is an open-source memory scanner/hex editor/debugger created by Eric Heijnen (“Dark Byte”) for the Windows operating system.

PE-Sieve – Scans a given process. Recognizes and dumps a variety of potentially malicious implants (replaced/injected PEs, shellcodes, hooks, in-memory patches).

Process Dump – Windows tool for dumping malware PE files from memory back to disk for analysis.