https://www.mandiant.com/resources/download/memoryze
Click the "Download Memoryze" link, as shown below. Verify the hash using HashCalc or a similar tool.
Right-click the Memoryze.zip file and click "Extract All...".
In the "Extract Compressed (Zipped) Folders" box, click Extract.
A "Memoryze" window opens. Double-click the "Memoryze" folder.
Double-click the MemoryzeSetup2.0.msi file.
Install the software with the default options.
Go to http://wikipedia.org and click English.
On the upper right, click "log in".
Enter your own name for the user name and enter the password SWORDFISH123, as shown below.
Click the "Log In" button.
You see a "Login error" message. That doesn't matter--we just want to place that password into RAM.
Leave Internet Explorer open.
In a real investigation, however, you would normally capture RAM and analyze it later.
In the "User Account Control" box, click Yes.
In the Administrator Command Prompt window, execute these commands, pressing Enter after each one:
cd \Program Files
cd MANDIANT\Memoryze
DIR
You should see several available programs, including MemoryDD.bat, as shown below:
In the Administrator Command Prompt window, execute these commands, pressing Enter after each one.
Replace "YOUR-NAME" with your own name, written without any embedded spaces.
mkdir YOUR-NAME
Process.bat -output YOUR-NAME
A second command prompt window pops up, showing the progress of the analysis, as shown below.
Wait for the box to close.
To see the results, click Start, Computer.
Navigate to C:\Program Files\MANDIANT\Memoryze\YOUR-NAME\Audits
Open the folder inside the Audits folder, with your computer's name on it.
Open the folder with a long numerical name starting with the current year.
You see several XML files, as shown below:
Double-click the file with the long name starting with mir.
A list of processes opens in Internet Explorer, as shown below:
Find a process with a name of iexplore.exe and highlight that line, as shown above.
Replace "YOUR-NAME" with your own name, written without any embedded spaces.
Process.bat -output YOUR-NAME -process iexplore.exe -strings true
A second command prompt window pops up, showing the progress of the analysis.
Wait for the box to close. To see the results, click Start, Computer.
Navigate to C:\Program Files\MANDIANT\Memoryze\YOUR-NAME\Audits
Open the folder inside the Audits folder, with your computer's name on it.
Open the folder with a long numerical name starting with the current year. If there is more than one such folder, open the bottom one.
You see several XML files, as shown below.
Find the large file (mine was 30 MB) with the long name starting with mir.
DON'T DOUBLE-CLICK IT! I tried that and it freezes Internet Explorer.
Instead, right-click it and open it with Wordpad.
Click in the Wordpad window, and press Ctrl+F.
Search for the string SWORDFISH
You should find it, as shown below.
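The same search can be done without opening the 30 MB file in a viewer. The Python script below is an added example, not part of the original lab or of Memoryze: it streams the file in chunks and looks for the string as both UTF-8 and UTF-16LE bytes, because the audit file's encoding is not stated here. The function names and the sample data are constructed for illustration.

```python
import sys

def find_string(path, needle, chunk_size=1 << 20):
    """Stream a large file; return sorted (byte_offset, encoding) hits for needle."""
    if not needle:
        raise ValueError("needle must not be empty")
    patterns = {"utf-8": needle.encode("utf-8"),
                "utf-16le": needle.encode("utf-16le")}
    overlap = max(len(p) for p in patterns.values()) - 1
    hits = set()                      # set: a hit inside the overlap is seen twice
    with open(path, "rb") as fh:
        tail, pos = b"", 0            # pos = file offset of the next chunk
        while chunk := fh.read(chunk_size):
            buf = tail + chunk
            base = pos - len(tail)    # file offset of buf[0]
            for enc, pat in patterns.items():
                i = buf.find(pat)
                while i != -1:
                    hits.add((base + i, enc))
                    i = buf.find(pat, i + 1)
            pos += len(chunk)
            tail = buf[-overlap:]     # keep enough bytes to catch a split match
    return sorted(hits)

def context(path, offset, span=48):
    """Return printable text starting at offset (NULs dropped so UTF-16LE reads)."""
    with open(path, "rb") as fh:
        fh.seek(offset)
        raw = fh.read(span).replace(b"\x00", b"")
    return "".join(chr(b) if 32 <= b < 127 else "." for b in raw)

def make_sample(path):
    """Write a small CONSTRUCTED stand-in for the audit file (not real output)."""
    with open(path, "wb") as fh:
        fh.write(b"<string>login=alice&pw=SWORDFISH123</string>\n")
        fh.write(b"<string>" + "SWORDFISH123".encode("utf-16le") + b"</string>\n")

if __name__ == "__main__":
    # Usage (script name is hypothetical): python find_string.py <audit-file> <string>
    path, needle = sys.argv[1], sys.argv[2]
    for off, enc in find_string(path, needle):
        print(f"{off:#010x} {enc:9} {context(path, off)}")
```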