CHAPTER 5: Acquiring Memory

Attackers and defenders are locked in a constant cat-and-mouse game: defenders devise new ways to detect attacks, and attackers develop new methods to evade that detection. One of the current battlegrounds in this game is volatile system memory. As antivirus and other endpoint defenses improved their ability to detect threats on disk, attackers moved to so-called fileless malware, carrying out malicious actions with existing system binaries or injecting malicious code directly into the memory of running processes. Many techniques are used to obfuscate malicious code in transit and at rest on nonvolatile storage (such as system disks), but code that actually executes must be presented to the processor in a non-obfuscated form. Because the processor fetches its instructions and operates on its data from random access memory (RAM), the analysis of RAM is a critical component of the incident response process. In this chapter, we'll look at ways to access and capture system memory from both local and remote systems. We'll delve more deeply into the analysis of memory in Chapter 9, "Memory Analysis."

Order of Volatility

One of the core tenets of digital forensics is that, to the greatest extent possible, you should preserve the digital evidence in an unaltered state. We want all interaction with systems involved in investigations to be methodically performed to minimize any changes that we cause to the system and the data it contains. Digital storage can be categorized as either volatile ...
