Product Features

Comae memory analysis in Magnet Axiom and Axiom Cyber

In cybersecurity cases like incident response, memory analysis can often be the key to uncovering what took place on a device-especially when an attack didn’t leave an easily detectable evidence trail, like advanced persistent threats (APTs) that leverage fileless techniques.

To enhance your ability to conduct memory analysis, we have integrated Comae memory analysis technology into Axiom and Axiom Cyber, providing a great option for analyzing Microsoft crash dumps. Comae memory analysis provides support for current Windows 11 operating systems, new insights into threats, as well as greatly improving the speed of memory processing by natively supporting Microsoft crash dumps.

Using Comae memory analysis in Axiom and Axiom Cyber

To analyze a memory dump with Comae in Axiom or Axiom Cyber, you first need to grab the latest version of our free tools Magnet DumpIt—a fast memory acquisition tool for Windows (x86, x64, ARM64) or Magnet Response a comprehensive evidence collection and preservation tool for IR cases. The DMP output from these free tools can be ingested by Axiom and Axiom Cyber for analysis with no need to select a memory profile for the data.

Axiom and Axiom Cyber can also ingest .raw format memory dumps without having to convert into a .dmp format. This provides examiners with great flexibility, allowing a wider range of sources without the need for conversion. This capability streamlines investigations by supporting multiple industry-standard formats, reducing the time and potential errors involved in handling different file types. 

The importance of memory analysis

Modern malware is extremely stealthy, often executing only in memory to elude many traditional endpoint protection solutions. It was recently reported that 77% of successful ransomware attacks are from fileless techniques that completely bypassed a victim antivirus.

But as the saying goes ‘malware can hide, but it must run’. Memory analysis enables examiners to uncover processes and identify unauthorized or malicious activity on an endpoint.

“Memory data is such a crucial component of IR investigations especially with modern exploits, without it, bad actors go undetected and have the time to spread through a network, gaining access to more data,” said Matt Suiche, Comae Founder and Magnet Forensics Director of Memory, IR & R&D. “With this memory analysis enhancement in Axiom and Axiom Cyber we are equipping examiners with better tools to identify and address these serious threats.”

Broader support, new insights, and faster results

One of the big benefits of the Comae integration is the speed of processing. In our internal tests we saw improvements as high as 90%+ in the speed of processing data sets with Comae, helping to get you these critical insights even faster than before.

This technology upgrade for memory analysis also adds support for current Windows 11 operating systems and additional insights into potential cyberattacks with new artifacts:

  • Scheduled Tasks – Scheduled tasks can allow malicious code to be launched, downloaded, or perform tasks based on specific times or events, while remaining in memory, hiding the activities.
  • Callbacks – Instances of ransomware leveraging legitimate drivers to gain kernel access to a machine they often employ callbacks to nullify security software running on the system and hide their activity.
  • MFT (turned off by default) – The Master File Table (MFT) is a key component of Windows operating system, providing a record of the location of each file on a hard drive as well as metadata about the files including name, size, creation date, and access permissions.
  • YARA Rules Scanning – In Axiom Cyber, you can also use the integrated YARA rules which provide community-driven identification of the very latest malware and other indicators of compromise. To read more about the YARA rules in AXIOM Cyber check out this blog.

When a crash is a good thing…

Memory is typically captured in one of two ways: Crash (.DMP) or Raw (.RAW) dumps. The main difference between the two options is the inclusion of additional data such as headers and metadata in crash dumps. The Comae integration in Axiom and Axiom Cyber uses crash dump files because the added information available provides a more complete dataset with added context for incident response.

To learn more about the difference between these two methods of capturing memory, check out Matt Suiche’s blog post: Full Memory Crash Dumps vs. Raw Dumps: Which Is Best for Memory Analysis for Incident Response?

About Comae

Recognizing the importance of memory analysis, Magnet Forensics acquired Comae Technologies in May of 2022. Since that time, Matt Suiche has led our memory analysis, incident response team in the development of memory analysis capabilities.

Existing Volatility memory options in Axiom and Axiom Cyber will still be available, this update adds to the options for memory analysis and will be the platform that we continue to expand and develop as we further integrate Comae into Magnet Forensics.

Get Magnet Axiom or Axiom Cyber today!

To see the memory analysis capabilities of Comae in Axiom or Axiom Cyber for yourself, update to the latest version over at the Customer Portal or request a free trial today!

Subscribe today to hear directly from Magnet Forensics on the latest product updates, industry trends, and company news.

Start modernizing your digital investigations today.

Top