Memory analysis :: Volatility

digital forensics

Memory acquisition:
Take a raw dump of physical RAM with FTK Imager or a comparable tool. Acquire memory first, before any other triage on the live host, since everything you run afterwards overwrites volatile evidence. Note the OS version and architecture of the host; Volatility needs them to pick the right profile.

Volatility
These are Volatility 2 commands. Every plugin needs the image (-f) and a profile matching the dump's OS version and architecture (--profile=, e.g. Win7SP0x64); the imageinfo or kdbgscan plugins suggest one. Without the right profile, results are empty or silently wrong.

Processes (walks the kernel's linked list of active processes):
> volatility pslist -f memory.img --profile=Win7SP0x64

Services (scans the service records held by services.exe):
> volatility svcscan -f memory.img --profile=Win7SP0x64

Hidden/terminated processes (scans physical memory for _EPROCESS structures by pool tag, so it also finds processes a rootkit has unlinked from the active list, and exited processes whose memory has not yet been reused; compare against pslist, anything present only in psscan needs explaining):
> volatility psscan -f memory.img --profile=Win7SP0x64
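The pslist/psscan comparison above, as an added example (not Volatility's own code): it parses the saved text output of the two plugins, so it runs without Volatility installed. The two listings embedded below are constructed in the Volatility 2 column layout and are not from a real image; "hidden-or-unlinked" is this script's own label for a psscan hit with no exit time that pslist cannot see.

```shell
#!/bin/sh
# Cross-view check for hidden/terminated processes: PIDs that psscan reports
# but pslist does not. Added example, not Volatility's own code. Works on the
# saved text output of both plugins; the listings below are constructed.

# Constructed pslist output (Volatility 2 column layout): the live process list.
PSLIST_SAMPLE='Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0xfffffa8000ca7040 System                    4      0     86      546 ------      0 2019-02-12 12:03:45 UTC+0000
0xfffffa80018c4b30 smss.exe                264      4      2       29 ------      0 2019-02-12 12:03:45 UTC+0000
0xfffffa8001a2a060 svchost.exe             548    484     11      200      0      0 2019-02-12 12:03:50 UTC+0000'

# Constructed psscan output: the pool-tag scan additionally finds an unlinked
# svchost.exe (PID 1096, no exit time) and an exited notepad.exe (PID 2012).
PSSCAN_SAMPLE='Offset(P)          Name                PID   PPID PDB                Time created                   Time exited
------------------ ---------------- ------ ------ ------------------ ------------------------------ ------------------------------
0x000000003e0a5b30 System                4      0 0x0000000000187000 2019-02-12 12:03:45 UTC+0000
0x000000003e8c4b30 smss.exe            264      4 0x000000003e8c4000 2019-02-12 12:03:45 UTC+0000
0x000000003ea2a060 svchost.exe         548    484 0x000000003ea2a000 2019-02-12 12:03:50 UTC+0000
0x000000003f0a5b30 svchost.exe        1096    548 0x000000003f0a5000 2019-02-12 12:03:50 UTC+0000
0x000000003f3c1b30 notepad.exe        2012    548 0x000000003f3c1000 2019-02-12 12:10:02 UTC+0000 2019-02-12 12:11:40 UTC+0000'

# hidden_pids PSLIST_FILE PSSCAN_FILE
# Prints "PID name verdict" for every PID in psscan that is absent from pslist.
# The PID is field 3 in both listings; header and separator rows fail the
# numeric test and are skipped. A populated "Time exited" column (three extra
# fields, NF >= 11) marks a terminated process; a process with no exit time
# that pslist cannot see is a candidate for DKOM-style list unlinking.
hidden_pids() {
    awk '
        FNR == NR { if ($3 ~ /^[0-9]+$/) live[$3] = 1; next }   # file 1: pslist
        $3 ~ /^[0-9]+$/ && !($3 in live) {                       # file 2: psscan
            verdict = (NF >= 11) ? "terminated" : "hidden-or-unlinked"
            print $3, $2, verdict
        }' "$1" "$2"
}

# run_sample: writes the constructed listings to temp files and runs the check.
# Expected output for the samples above:
#   1096 svchost.exe hidden-or-unlinked
#   2012 notepad.exe terminated
run_sample() {
    dir=$(mktemp -d)
    printf '%s\n' "$PSLIST_SAMPLE" > "$dir/pslist.txt"
    printf '%s\n' "$PSSCAN_SAMPLE" > "$dir/psscan.txt"
    hidden_pids "$dir/pslist.txt" "$dir/psscan.txt"
    rm -rf "$dir"
}

run_sample
```

On a real case, redirect each plugin's output to a file (`volatility pslist ... > pslist.txt`, likewise for psscan) and call `hidden_pids pslist.txt psscan.txt`. A terminated-process hit is normal on a busy host; a psscan-only process with no exit time, a live parent and open handles is what warrants a closer look with the per-process plugins.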

Yara scan (runs a rule file against process memory; useful for known malware signatures and for strings such as C2 indicators once a suspicious process has been identified):
> volatility yarascan --yara-file=/path/to/rules.yar -f memory.img --profile=Win7SP0x64