Memory

Principle

  • Provides additional information about execution state etc.
  • Can catch malware that only runs in memory (and never touches disk)

Challenges

  • Integrity: acquisition runs on the live system and itself changes the memory it is capturing

Methods

  • Kernel Level Application
    • e.g. LiME (Linux Memory Extractor), loaded as a kernel module
  • Hardware bus based / DMA
  • Cold boot
    • Theoretical method relying on data remanence
  • Hibernation files
  • Virtualization

Tools

Creation

  • FTK Imager
  • WinPmem (Windows)
  • LiME
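An image written by LiME (listed above under Methods and Creation) is a sequence of RAM ranges, each preceded by a small header. The following added example, which is not code from this page or from the LiME project, parses that layout and hashes every segment so the capture can be checked against the integrity challenge noted earlier: a bad magic, an unsupported version or a truncated segment is reported instead of silently accepted. It assumes the LiME on-disk layout (32-byte little-endian header: magic 0x4C694D45, version 1, inclusive start and end address, 8 reserved bytes, followed by the raw bytes of the range); the sample image is constructed in memory so the script runs offline.

```python
"""Parse a LiME-format memory image and hash each captured range.

Added example (not from the notes page, not LiME's own code). Assumed layout:
each RAM range = 32-byte header (magic 0x4C694D45, version 1, start address,
end address inclusive, 8 reserved bytes; all little-endian) + raw bytes.
"""
import hashlib
import struct

LIME_MAGIC = 0x4C694D45              # shows up as b"EMiL" at file offset 0
HEADER = struct.Struct("<IIQQ8s")    # magic, version, s_addr, e_addr, reserved


def parse_lime(data: bytes):
    """Return [(start, end, sha256_hex), ...] for every segment in the image.

    Raises ValueError on a bad magic, an unsupported version, or a segment
    shorter than its header claims (a truncated or tampered capture).
    """
    segments = []
    offset = 0
    while offset < len(data):
        if len(data) - offset < HEADER.size:
            raise ValueError(f"truncated header at offset {offset}")
        magic, version, s_addr, e_addr, _ = HEADER.unpack_from(data, offset)
        if magic != LIME_MAGIC:
            raise ValueError(f"bad magic 0x{magic:08x} at offset {offset}")
        if version != 1:
            raise ValueError(f"unsupported LiME version {version}")
        length = e_addr - s_addr + 1  # e_addr is inclusive in LiME headers
        start = offset + HEADER.size
        body = data[start:start + length]
        if len(body) != length:
            raise ValueError(
                f"segment 0x{s_addr:x}-0x{e_addr:x} truncated: "
                f"expected {length} bytes, got {len(body)}")
        segments.append((s_addr, e_addr, hashlib.sha256(body).hexdigest()))
        offset = start + length
    return segments


def coverage(segments):
    """Total bytes captured; compare against the machine's expected RAM size."""
    return sum(e - s + 1 for s, e, _ in segments)


def build_segment(s_addr: int, payload: bytes) -> bytes:
    """Wrap payload as one LiME segment (helper for constructed sample data)."""
    e_addr = s_addr + len(payload) - 1
    return HEADER.pack(LIME_MAGIC, 1, s_addr, e_addr, b"\0" * 8) + payload


# Constructed sample image: two "System RAM"-style ranges with a hole between.
SAMPLE_IMAGE = (build_segment(0x1000, b"A" * 4096)
                + build_segment(0x100000, b"B" * 8192))

if __name__ == "__main__":
    segs = parse_lime(SAMPLE_IMAGE)
    for s, e, digest in segs:
        print(f"0x{s:x}-0x{e:x} sha256={digest}")
    print("bytes captured:", coverage(segs))
```

Run it against a real capture by replacing SAMPLE_IMAGE with the file contents; recording the per-segment digests at acquisition time gives you something to compare against before every later analysis run.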

Analysis

  • Volatility 3 — active, Python3-based memory analysis framework.
  • Redline (FireEye) — free analyzer + triage with GUI, timeline and IOC features.
  • MemProcFS — mounts a physical memory image as a virtual read-only filesystem.