CHAPTER 9
Memory Analysis

Memory analysis continues to be an increasingly important part of the incident response process. As adversaries continue obfuscating or encrypting their code stored on disk, or avoid writing malicious code to disk at all, RAM is a common battleground for the cat‐and‐mouse game between attackers and defenders. Different tools are available to analyze system memory, including many commercial endpoint detection and response (EDR) suites.

The Volatility Foundation maintains an open‐source initiative that largely blazed the trail for effective memory analysis for incident response purposes, and it continues to be a valuable tool today. A fork of that project, known as Rekall, introduced some changes and additional features to Volatility. Regardless of whether you examine memory with one of these open‐source tools or with an EDR tool, this chapter will provide you with the skills needed to identify evil lurking within RAM.

Regardless of the tool used, effective memory analysis requires the ability to detect anomalies. As with other types of analysis, understanding what processes, network connections, and other artifacts should be present on a system is an important part of identifying abnormalities that may be caused by malicious activity. In this chapter, we will look at ways to conduct memory forensics by analyzing artifacts captured in a memory dump or running in a live system's memory, and comparing them to what we would expect to find on a system that ...
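To make the "know what is normal" idea concrete, here is an added Python example (not code from the book or from Volatility/Rekall) that checks a constructed process listing against a small baseline of expected Windows parent/child relationships and single-instance processes. The baseline rules, the `PID PPID Name` listing format and the sample data are assumptions for illustration, not the chapter's.

```python
from collections import Counter
from dataclasses import dataclass

# Assumed baseline of expected parent processes on a Windows host
# (general Windows internals knowledge, not taken from this chapter).
EXPECTED_PARENT = {
    "lsass.exe": "wininit.exe",
    "services.exe": "wininit.exe",
    "svchost.exe": "services.exe",
    "csrss.exe": "smss.exe",
}
# Processes that should normally run exactly once on a host.
SINGLETONS = {"lsass.exe", "services.exe", "wininit.exe"}

@dataclass
class Proc:
    pid: int
    ppid: int
    name: str

def parse_pslist(text):
    """Parse constructed 'PID PPID Name' lines (not a real tool's output)."""
    procs = []
    for line in text.strip().splitlines()[1:]:  # skip the header row
        pid, ppid, name = line.split()
        procs.append(Proc(int(pid), int(ppid), name.lower()))
    return procs

def find_anomalies(procs):
    """Return human-readable findings where the listing departs from baseline."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    counts = Counter(p.name for p in procs)
    for name in SINGLETONS:
        if counts[name] > 1:
            findings.append(f"{name} appears {counts[name]} times (expected 1)")
    for p in procs:
        expected = EXPECTED_PARENT.get(p.name)
        if expected is None:
            continue
        parent = by_pid.get(p.ppid)
        parent_name = parent.name if parent else "<missing>"
        if parent_name != expected:
            findings.append(f"pid {p.pid} {p.name}: parent is {parent_name} "
                            f"(pid {p.ppid}), expected {expected}")
    return findings

# Constructed sample listing: a second lsass.exe spawned by explorer.exe.
SAMPLE = """PID PPID Name
4 0 System
368 4 smss.exe
480 368 csrss.exe
532 368 wininit.exe
620 532 services.exe
640 532 lsass.exe
812 620 svchost.exe
3100 2860 explorer.exe
2204 3100 lsass.exe
"""
```

Running `find_anomalies(parse_pslist(SAMPLE))` flags both the duplicate lsass.exe and its unexpected parent; extending `EXPECTED_PARENT` with your own baseline is the point of the exercise.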
