When examining system memory, analysts should follow a defined methodology. This ensures that all potential evidence is uncovered and can be used in an incident investigation. A variety of methodologies can be leveraged, and the one chosen often depends on the type of incident. For example, a methodology geared towards identifying indicators of compromise around a malware infection may yield a great deal of information, but it may not be the best approach if the analyst already has evidence from other network sources pointing to a suspect IP address.
One of the chief aims of memory analysis is to identify potentially malicious processes or executables that can be extracted and examined. Much of the material that is present in this chapter will carry over into Chapter 12, Malware Analysis for Incident Response,...