Chapter 3. Windows Memory Analysis
Solutions in this chapter:
▪ Collecting Process Memory
▪ Dumping Physical Memory
▪ Analyzing a Physical Memory Dump
Frequently Asked Questions
In Chapter 1, we discussed collecting volatile data from a live, running Windows system. From the order of volatility listed in RFC 3227, we saw that one of the first items of volatile data that should be collected during live-response activities is the contents of physical memory, commonly referred to as RAM. Although the specifics of collecting particular parts of volatile memory, such as network connections or running processes, have been known for some time and discussed fairly extensively, the issue of collecting, parsing, and ...