Memory Editor/Analysis

WinHex & X-Ways


The Memory Editor is part of the Tools menu. It lets you examine the physical RAM (main memory) and the logical memory of a process (i.e. a program that is currently being executed) on a live system. All memory pages committed by a process are presented as one continuous block. Unused (free or reserved) pages are omitted by default, but can optionally be included, in which case they are displayed as "?" characters. With the unused pages included, the view contains no gaps in the address space, so absolute offsets and virtual addresses coincide and you can compare memory dumps with files or with one another byte for byte, e.g. to examine stack and heap states or to observe viruses.

If you expand one of the processes in the list, you can open either the so-called primary memory or the entire memory of that process, or one of its loaded modules (DLLs). The primary memory is the lower part of the address range, below the area where the system DLLs are loaded. It usually contains the main module of the process (the EXE file), the stack, and the heap. The "entire memory" comprises all allocated pages in the complete logical address space of the process.

With the 64-bit edition of WinHex/X-Ways Forensics, modules loaded above the 4 GB boundary in 64-bit processes are listed as well, and memory in such address ranges can be read and edited. Unicode is supported for process and module names and paths in the memory editor. Page boundaries are represented by horizontal lines; boundaries between contiguous allocated regions that are not adjacent in the address space (i.e. where unused pages were omitted) are drawn as darker horizontal lines. The Info Pane shows information such as the highest address represented, the number of allocation gaps (= number of contiguous allocated page ranges - 1), and the protection status and type of the currently displayed page.
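The following is an added example (not code from the WinHex/X-Ways documentation or product) that models how a process address space is presented as one continuous block: committed pages are concatenated, unused pages are either omitted or shown as "?" characters, and the Info Pane's allocation-gap count is the number of contiguous committed ranges minus one. The region list (SAMPLE_MAP) and the page reader (sample_read) are constructed for the example; a real implementation would obtain them from the operating system (on Windows via VirtualQueryEx and ReadProcessMemory). The translation functions show why an offset in the gap-free view is not a virtual address, whereas in the "?"-filled view offset and virtual address differ only by the constant base.

```python
"""Concatenated view of a process address space, with and without gaps.
Added example; region map and reader are constructed, not read from a process."""

from dataclasses import dataclass

# State values as used in Windows' MEMORY_BASIC_INFORMATION
MEM_COMMIT, MEM_RESERVE, MEM_FREE = 0x1000, 0x2000, 0x10000


@dataclass(frozen=True)
class Region:
    base: int   # virtual start address
    size: int   # size in bytes (page granular)
    state: int  # MEM_COMMIT, MEM_RESERVE or MEM_FREE


# Constructed sample map (assumption: not taken from a live process)
SAMPLE_MAP = [
    Region(0x00400000, 0x3000, MEM_COMMIT),   # main EXE: headers + code
    Region(0x00403000, 0x1000, MEM_RESERVE),  # reserved, not committed
    Region(0x00404000, 0x2000, MEM_COMMIT),   # main EXE: data
    Region(0x00406000, 0xA000, MEM_FREE),     # hole in the address space
    Region(0x00410000, 0x4000, MEM_COMMIT),   # heap
    Region(0x00414000, 0x6C000, MEM_FREE),
    Region(0x00480000, 0x2000, MEM_COMMIT),   # a loaded DLL
]


def sample_read(vaddr, size):
    """Constructed stand-in for ReadProcessMemory: every byte carries the low
    8 bits of its page number, so pages are distinguishable in the view."""
    return bytes(((a >> 12) & 0xFF) for a in range(vaddr, vaddr + size))


def committed_runs(regions):
    """Merge adjacent committed regions into contiguous runs [(base, size)]."""
    runs = []
    for r in sorted(regions, key=lambda r: r.base):
        if r.state != MEM_COMMIT:
            continue
        if runs and runs[-1][0] + runs[-1][1] == r.base:
            runs[-1] = (runs[-1][0], runs[-1][1] + r.size)
        else:
            runs.append((r.base, r.size))
    return runs


def allocation_gaps(regions):
    """The Info Pane figure: number of contiguous committed ranges minus one."""
    return max(len(committed_runs(regions)) - 1, 0)


def vaddr_to_offset(regions, vaddr):
    """Offset of a virtual address in the default (gap-free) view, or None if
    the address lies in a reserved/free page and is therefore not shown."""
    offset = 0
    for base, size in committed_runs(regions):
        if base <= vaddr < base + size:
            return offset + (vaddr - base)
        offset += size
    return None


def offset_to_vaddr(regions, offset):
    """Inverse of vaddr_to_offset: which virtual address a view offset shows."""
    for base, size in committed_runs(regions):
        if offset < size:
            return base + offset
        offset -= size
    return None


def render(regions, read=sample_read, show_gaps=False, fill=b"?"):
    """Build the byte view. Without gaps, committed runs are concatenated.
    With gaps, unused pages between the first and the last committed page are
    filled with `fill`, so offset == vaddr - first committed address."""
    runs = committed_runs(regions)
    if not runs:
        return b""
    out = bytearray()
    cursor = runs[0][0]
    for base, size in runs:
        if show_gaps and base > cursor:
            out += fill * (base - cursor)
        out += read(base, size)
        cursor = base + size
    return bytes(out)
```

In the gap-free view the byte at offset 0x3000 belongs to virtual address 0x404000, because the reserved page at 0x403000 is not shown; in the "?"-filled view the same byte sits at offset 0x4000, i.e. at its virtual address minus the first committed address, which is what makes two such dumps directly comparable.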

Please note the following limitations:

• Access to physical RAM is possible under Windows XP (32-bit) only, for no more than 4 GB, and only with administrator rights

• Caution: Only keyboard input can be undone!

• Editing is possible in in-place mode only.

• The evaluation version only supports view mode.

The options relevant to the memory editor are "Check for virtual memory alteration" (Security Options) and "Virtual addresses" (General Options).

Main memory analysis

Requires a forensic license. When you open the local physical RAM (via Tools | Open RAM, only under Windows XP), open a main memory dump as a file and interpret it exactly as you would a disk image, or add a memory dump to a case, the processes are listed in the directory browser, including hidden processes, with their timestamps and process IDs. Each process's own memory address space can be viewed individually in "Process" mode, with its pages concatenated in the logical order seen by that process. The "particularly thorough data structure search" is signature-based, takes somewhat longer than a standard volume snapshot, and may turn up traces of additional processes. Memory can be acquired remotely with the help of F-Response (Tools | Open Disk). The analysis is supported for most (but not all) variants (service packs) of Windows 2000, Windows XP, Windows 2003 Server, Windows Vista, Windows 2008 Server, and Windows 7, 32-bit and (less completely) 64-bit. Only complete memory dumps are supported, i.e. those that include the regions of RAM used by the BIOS and by PCI devices.
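The following is an added example, not code from X-Ways Forensics and not its signature set, showing why a signature-based data structure search can find processes that an enumeration via the kernel's linked process list cannot. The "dump" is a constructed, deliberately simplified model: each process record is preceded by a pool-style header carrying the tag "Pro\xe3" (the "Proc" tag with the protected-pool bit set, as used for process allocations on 32-bit Windows), and the records are chained in a doubly linked list. The record layout itself (RECORD_FMT, LIST_HEAD, the slot positions) is an assumption of the example, not the real _EPROCESS layout. One record is written to memory but unlinked from the list, the way a rootkit hides a process by manipulating kernel objects; the list walk misses it, the tag scan does not.

```python
"""List walk versus signature scan over a constructed toy memory dump.
Added example; the record layout is a simplification, not Windows' own."""

import struct

# Pool tag of process allocations on 32-bit Windows ("Proc" with the
# protected-pool bit set in the last byte)
PROC_TAG = b"Pro\xe3"
POOL_HEADER = 8            # 32-bit _POOL_HEADER: 4 bytes of size fields + 4-byte tag
RECORD_FMT = "<IIII16s"    # toy record: flink, blink, pid, parent pid, name
RECORD_SIZE = struct.calcsize(RECORD_FMT)   # 32 bytes
LIST_HEAD = 0x100          # assumed offset of the list head (flink, blink)

# Constructed sample process set: (pid, name, parent pid)
SAMPLE_PROCESSES = [
    (4, "System", 0),
    (620, "explorer.exe", 588),
    (1337, "rootkit.exe", 620),
    (2048, "notepad.exe", 620),
]


def pool_header(body_len):
    """Toy pool header: only BlockSize (8-byte units, bits 16..24 of the
    first dword) is modelled; the remaining bitfields are left zero."""
    block_size = (POOL_HEADER + body_len + 7) // 8
    return struct.pack("<I", block_size << 16) + PROC_TAG


def build_dump(processes, hidden=()):
    """Construct a 4 KiB dump holding the process records as a doubly linked
    list. Records whose name is in `hidden` stay in memory with their tag
    intact but are unlinked from the list (DKOM-style hiding)."""
    dump = bytearray(0x1000)
    bodies = [0x200 + i * 0x40 + POOL_HEADER for i in range(len(processes))]
    linked = [b for b, p in zip(bodies, processes) if p[1] not in hidden]
    ring = [LIST_HEAD] + linked
    for body, (pid, name, ppid) in zip(bodies, processes):
        if body in linked:
            k = ring.index(body)
            flink, blink = ring[(k + 1) % len(ring)], ring[(k - 1) % len(ring)]
        else:
            flink = blink = 0   # unlinked: no list neighbours
        rec = struct.pack(RECORD_FMT, flink, blink, pid, ppid, name.encode())
        dump[body - POOL_HEADER:body + RECORD_SIZE] = pool_header(RECORD_SIZE) + rec
    struct.pack_into("<II", dump, LIST_HEAD, ring[1 % len(ring)], ring[-1 % len(ring)])
    return bytes(dump)


def read_record(dump, body):
    flink, blink, pid, ppid, name = struct.unpack_from(RECORD_FMT, dump, body)
    return {"offset": body, "pid": pid, "ppid": ppid,
            "name": name.rstrip(b"\0").decode(), "flink": flink, "blink": blink}


def walk_list(dump, max_steps=1000):
    """What a standard enumeration sees: follow flink from the list head."""
    found = []
    (cur,) = struct.unpack_from("<I", dump, LIST_HEAD)
    while cur not in (LIST_HEAD, 0) and len(found) < max_steps:
        rec = read_record(dump, cur)
        found.append(rec)
        cur = rec["flink"]
    return found


def scan_signatures(dump):
    """Signature-based search: every allocation tagged as a process is
    reported, linked or not. A minimal plausibility check on the header
    (8-byte alignment, non-zero BlockSize, record within the dump) limits
    false positives from the tag bytes occurring in unrelated data."""
    found = []
    pos = dump.find(PROC_TAG)
    while pos != -1:
        hdr = pos - 4
        if hdr >= 0 and hdr % 8 == 0 and hdr + POOL_HEADER + RECORD_SIZE <= len(dump):
            (word,) = struct.unpack_from("<I", dump, hdr)
            if (word >> 16) & 0x1FF:
                found.append(read_record(dump, hdr + POOL_HEADER))
        pos = dump.find(PROC_TAG, pos + 1)
    return found


def hidden_processes(dump):
    """Records the signature scan finds that the list walk does not."""
    seen = {r["offset"] for r in walk_list(dump)}
    return [r for r in scan_signatures(dump) if r["offset"] not in seen]


DUMP = build_dump(SAMPLE_PROCESSES, hidden={"rootkit.exe"})
```

On a real dump a scanner validates considerably more than the tag (pool type, block size against the object size, sanity of embedded pointers and timestamps), and terminated processes whose memory has not been reused show up the same way; the page's note that the thorough search "may turn up traces of additional processes" refers to exactly this difference between walking a list and scanning for signatures.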

Windows kernel data structures and named objects are conveniently listed in a tree in the volume snapshot under "Objects". Loaded modules are listed under "Modules". This enables X-Ways Forensics to attribute the memory pages that the modules occupy to them in RAM mode, and to compute hashes for them so that they can be identified via special hash sets. For hashing purposes it is recommended to list only the invariant headers of loaded modules (see Volume Snapshot Options), since the rest of a module's image is modified in memory by the loader and would not match a hash taken from the file on disk.
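The following is an added example (not X-Ways Forensics' own hashing code) illustrating why only the invariant headers of a loaded module are a useful basis for hash sets. It builds a tiny, hand-constructed PE32-shaped image (build_sample_image, an assumption of the example and not a real executable), then simulates what the loader does to the in-memory copy (simulate_loader writes resolved addresses into the import address table at an assumed offset). A hash over the whole module then differs between disk and memory, while a hash over the first SizeOfHeaders bytes, read from the optional header at the offset the PE format defines, is the same for both.

```python
"""Hashing the invariant PE headers versus the whole module image.
Added example; the image is constructed by hand and is not a real PE file."""

import hashlib
import struct

IAT_OFFSET = 0x300   # assumed position of the import address table in the sample


def build_sample_image():
    """Construct a minimal PE32 byte blob: DOS header, PE signature, COFF
    header, optional header and one section. Only the fields this example
    reads (e_lfanew, signature, Magic, SizeOfHeaders) are meaningful."""
    img = bytearray(0x600)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                 # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    # COFF file header: i386, 1 section, 224-byte optional header, EXE+32-bit flags
    struct.pack_into("<HHIIIHH", img, 0x44, 0x14C, 1, 0, 0, 0, 224, 0x0102)
    opt = 0x58                                              # optional header start
    struct.pack_into("<H", img, opt, 0x10B)                 # Magic: PE32
    struct.pack_into("<I", img, opt + 56, 0x3000)           # SizeOfImage
    struct.pack_into("<I", img, opt + 60, 0x200)            # SizeOfHeaders
    # One section header (.text): VirtualSize, VA, raw size, raw pointer, ..., flags
    struct.pack_into("<8sIIIIIIHHI", img, opt + 224, b".text",
                     0x400, 0x1000, 0x400, 0x200, 0, 0, 0, 0, 0x60000020)
    img[0x200:IAT_OFFSET] = b"\xcc" * (IAT_OFFSET - 0x200)  # stand-in code bytes
    # On disk the IAT holds RVAs of import-by-name entries, null terminated
    struct.pack_into("<IIII", img, IAT_OFFSET, 0x410, 0x420, 0x430, 0)
    img[0x410:0x41E] = b"\0\0CreateFileW\0"
    img[0x420:0x42D] = b"\0\0ReadFile\0"
    img[0x430:0x43E] = b"\0\0CloseHandle\0"
    return bytes(img)


def size_of_headers(image):
    """Read SizeOfHeaders from the optional header (offset 60 in both PE32
    and PE32+), validating the DOS and PE signatures on the way."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    opt = e_lfanew + 4 + 20                 # skip signature and COFF header
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    (size,) = struct.unpack_from("<I", image, opt + 60)
    return size


def header_hash(image):
    """Hash over the invariant headers only."""
    return hashlib.sha256(image[:size_of_headers(image)]).hexdigest()


def full_hash(image):
    """Hash over the complete module image."""
    return hashlib.sha256(image).hexdigest()


def simulate_loader(image):
    """Constructed stand-in for the loader's effect on the in-memory copy:
    the IAT entries are overwritten with resolved function addresses. The
    headers are not touched, which is what header-only hashing relies on."""
    mem = bytearray(image)
    for i in range(3):
        struct.pack_into("<I", mem, IAT_OFFSET + 4 * i, 0x7C800000 + 0x100 * i)
    return bytes(mem)
```

A real in-memory image additionally differs from the file in section placement (SectionAlignment versus FileAlignment) and in relocated absolute addresses, neither of which affects the header bytes, so the header hash remains the stable identifier across both copies.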

The technical details report informs you of important system-wide parameters as well as of the current addresses of important kernel data structures and of loaded kernel modules. In Details mode you can find, for each process, the addresses of its process-related data structures and the ID of its parent process. In RAM mode, the Info Pane shows for each memory page the process it is allocated to (if any) and its memory management status.

With the appropriate background knowledge, this functionality can be used to learn more about the current state of the machine and its processes, sockets, open files, loaded drivers, and attached media, to identify malware, to find the decrypted version of encrypted data, to analyze network traces in incident response, and to do further research in the field of memory forensics.