Mem Marshal

ATC-NY proposes to continue their development of Mem Marshal, a memory forensics software toolkit that assists investigators by automating memory analysis capabilities. The Mem Marshal toolkit uses the capabilities of existing memory-analysis tools to create a user-friendly, automated memory analysis system that can be used by law enforcement forensic investigators to examine and visualize data in captured memory and extract case-relevant information.

ca/ncf

ATC-NY proposes two enhancements to the current Mem Marshal: (1) Desktop Recovery would enable investigators to see and operate a subject's desktop at the time his machine was imaged. Investigators could click on each window, resize, move it, and even use its scrollbars The recent computer activities of a subject would be immediately apparent to an investigator. (2) In-Memory Disk Cache Forensics will allow investigators to quickly see which files were recently read or modified, and extract their contents, even for files written to drives that were not recovered. Together, these enhancements significantly increase the efficiency of investigators by increasing Mem Marshal's automated evidence gathering capabilities.

ca/ncf