There are several tools available to analysts for the review of memory images. For the purposes of this chapter, three tools will be examined. The first of these, Mandiant Redline, is a GUI-based memory analysis tool that examines memory images for signs of rogue processes and scores them based on several factors. The remaining two, Volatility and Rekall, are command-line tools that allow analysts to drill into the details of the memory image and identify potentially malicious code.