Table of Contents

Principle
Challenges
Methods
Tools
- Creation
- Analysis

Memory

Principle

Additional information about execution etc.
Can catch malware that only runs in memory

Challenges

Integrity

Methods

Kernel Level Application
- e.g. LiME (Linux Memory Extractor) as Kernel Module
Hardware bus based / dma
Cold boot
- Theoretical method to use remanence
Hibernation files
Virtualization

Tools

https://forensics.wiki/windows_memory_analysis/

Creation

FTK Imager
WindowsPmem Win
LiME

Analysis

Volatility 3 — active, Python3-based memory analysis framework.
Redline (FireEye) — free analyzer + triage with GUI, timeline and IOC features.
MemProcFS — mounts a physical memory image as a virtual read-only filesystem.