Chapter 3. Windows Memory Analysis

Solutions in this chapter:

▪ Collecting Process Memory
▪ Dumping Physical Memory
▪ Analyzing a Physical Memory Dump
▪ Summary
▪ Solutions Fast Track
▪ Frequently Asked Questions

Introduction

In Chapter 1, we discussed collecting volatile data from a live, running Windows system. From the order of volatility listed in RFC 3227, we saw that one of the first items of volatile data that should be collected during live-response activities is the contents of physical memory, commonly referred to as RAM. Although the specifics of collecting particular parts of volatile memory, such as network connections or running processes, have been known for some time and discussed pretty extensively, the issue of collecting, parsing, and ...
