Memory Forensics

Another issue for any computer, but especially a Windows system, is memory forensics. The ability to capture the memory and then analyze it has important ramifications for forensic exams. Often sophisticated malware is best detected by examining memory for specific traces of that malware.

The first step is to capture the memory from a live machine. This can be done with several different tools, many of which are free. One common free tool is the command-line tool Dump-it, which is shown in FIGURE 8-11. Dump-it will dump out the current memory in a file ending in the .raw extension. Note that this can take a few minutes. The Dump-it tool is popular, but can sometimes be hard to find on the Internet.

Another popular memory capture ...

Get System Forensics, Investigation, and Response, 3rd Edition now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.