Now that you've collected volatile data from a system, the question becomes “How do I ‘hear’ what it has to say?” or “How do I figure out what the data is telling me?” Once you've collected a process listing, how do you determine which process, if any, is malware? How do you tell whether someone has compromised the system and is currently accessing it? Finally, how can you use the volatile data you've collected to build a better picture of activity on the system, particularly as you acquire an image and perform postmortem analysis?

The purpose of this chapter is to address these sorts of questions. What ...