Summary
In this chapter, we provided an overview of memory forensics using the Volatility framework. In the examples, we demonstrated memory acquisition techniques for Android and Linux systems and saw how to use LiME on both systems. We used Volatility to get information about running processes, loaded modules, possibly malicious activity, and recent network activity. The latter is useful to trace the activities of an attacker through the network.
In the last example in this chapter, we demonstrated how to search for a given malware signature or other highly flexible pattern-based rules in such a memory dump. These YARA signatures or rules help in identifying suspicious activities or files really fast.
Furthermore, we demonstrated how to get the keyboard cache as well as call history from an Android device.