Summary
The art of process memory forensics is a very specific aspect of forensic work. It obviously focuses primarily on memory pertaining to a process image, which is quite complicated even on its own, as it requires intricate knowledge about CPU registers, the stack, dynamic linking, and ELF as a whole.
Therefore, being proficient in inspecting a process for anomalies is truly an art and a skill that builds on itself through experience. This chapter served as a primer for the subject so that the beginner can get some insights into how they should get started. In the next chapter, we will be discussing process forensics, and you will learn how the ECFS technology can make it much easier.
After you have completed this chapter and the next, I recommend that you use some of the tools cited in this chapter to infect some processes on your system and experiment with the ways of detecting them.