SANS six-part methodology

The SANS Institute uses a six-part methodology for the analysis of memory images. The process is designed to move from an overall view of what is running on the system to identifying and extracting the malicious software. The SANS methodology consists of the following steps:

  1. Identify rogue processes: Malware often hides its behavior behind processes that on the surface appear legitimate. Uncovering these involves identifying which processes are running, the location in the operating system they are running from, and verifying that only legitimate processes are in use. Sometimes processes are hidden in plain sight, where adversaries change a single letter in a process name. Other times, they will attempt to execute a process ...
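The three checks that step 1 describes (is the name known, is it running from the expected location, and is it a one-letter lookalike of a legitimate name) can be automated over a process listing. The following is an added example, not code from the book or from SANS: it runs those checks over a constructed, Volatility-style process list. The `KNOWN_PROCESSES` baseline is a deliberately small, hypothetical subset of Windows system processes with their expected image paths; a real baseline would be built from a known-good image of the same Windows build.

```python
"""Triage a memory-image process list for rogue processes (added example).

Each record mimics the fields an analyst would pull from a memory-forensics
process listing: pid, image name and full image path.  The baseline below is
an assumption for illustration, not an authoritative list.
"""

# Assumed baseline: legitimate image name -> expected on-disk location.
KNOWN_PROCESSES = {
    "smss.exe": r"c:\windows\system32\smss.exe",
    "csrss.exe": r"c:\windows\system32\csrss.exe",
    "winlogon.exe": r"c:\windows\system32\winlogon.exe",
    "services.exe": r"c:\windows\system32\services.exe",
    "lsass.exe": r"c:\windows\system32\lsass.exe",
    "svchost.exe": r"c:\windows\system32\svchost.exe",
    "explorer.exe": r"c:\windows\explorer.exe",
}

# Constructed sample listing: two clean entries, one lookalike name, one
# legitimate name running from a user-writable directory, one unknown binary.
SAMPLE_PROCESSES = [
    {"pid": 624, "name": "svchost.exe", "path": r"C:\Windows\System32\svchost.exe"},
    {"pid": 688, "name": "lsass.exe", "path": r"C:\Windows\System32\lsass.exe"},
    {"pid": 1420, "name": "explorer.exe", "path": r"C:\Windows\explorer.exe"},
    {"pid": 3108, "name": "svch0st.exe", "path": r"C:\Users\Public\svch0st.exe"},
    {"pid": 3312, "name": "lsass.exe", "path": r"C:\Users\Public\lsass.exe"},
    {"pid": 3560, "name": "updater.exe", "path": r"C:\ProgramData\updater.exe"},
]


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a distance of exactly 1 is the 'single changed letter' case."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def find_rogue_processes(processes, baseline=KNOWN_PROCESSES):
    """Return (pid, name, reason) for every process that fails a check.

    Checks, in order: known name at the wrong path; unknown name that is one
    edit away from a known name (typosquatted); otherwise unknown name that
    needs manual review.
    """
    findings = []
    for proc in processes:
        name = proc["name"].lower()
        path = proc["path"].lower().replace("/", "\\")
        if name in baseline:
            if path != baseline[name]:
                findings.append((proc["pid"], name,
                                 f"known name running from unexpected path {path}"))
            continue
        lookalikes = [k for k in baseline if levenshtein(name, k) == 1]
        if lookalikes:
            findings.append((proc["pid"], name,
                             f"name is one edit away from {lookalikes[0]}"))
        else:
            findings.append((proc["pid"], name, "not in baseline; review manually"))
    return findings


if __name__ == "__main__":
    for pid, name, reason in find_rogue_processes(SAMPLE_PROCESSES):
        print(f"pid {pid:<6} {name:<14} {reason}")
```

Path comparison is exact on purpose: a legitimate image name launched from a user-writable directory is the classic sign the book is pointing at. Edit distance 1 catches the single-letter swaps the text mentions; raising the threshold catches more variants but also starts flagging legitimately similar names, so keep the baseline tight rather than loosening the distance.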
