Understanding Volatility basics
In general, memory forensics follows the same pattern as other forensic investigations:
Selecting the target of the investigation.
Acquiring forensic data.
Forensic analysis.
In the previous chapters, we already presented various techniques for selecting the target of an investigation, for example, starting from a system with unusual settings in the virtualization layer.
The acquisition of forensic data for memory analysis depends heavily on the environment, and we will discuss it in the Using Volatility on Linux and Using Volatility on Android sections of this chapter.
Tip
Always consider the virtualization layer as a data source
Acquisition of memory from a running operating system always requires administrative access to that system, and it is an intrusive process, that is, the act of acquiring the data changes the memory contents. Moreover, advanced malware is capable of manipulating the memory management of the operating system to prevent its acquisition...