MEMORY MOTHER-F*CKING ANALYSIS!

Volatility is the major player in this space. We can use Volatility to analyse memory dumps, but why? What can we get from memory that we won't be able to get off the disk?

Rootkits, fileless malware, IOCs that disappear on reboot: these are the kinds of things you find in memory. So how do we do this?

Dump Memory

First, take your memory dump using a tool like winpmem.

Set Volatility Target Profile

Next we need to determine the right profile to use with Volatility. The profile tells Volatility where in the memory image to look (how the kernel's data structures are laid out), and profiles differ depending on the target system's OS build.

Analyse the Dump using a Volatility Plugin

Now that we have the correct profile, Volatility can search the memory dump for artifacts. Use plugins to detect specific artifacts.
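The three steps above, dump, profile, plugin, chained into one script. This is an added example, not code from the original post or from the Volatility project. It uses Volatility 2 command syntax (the version that works with profiles) and assumes `vol.py` is on the PATH; the winpmem binary name `winpmem_mini_x64.exe`, the dump path `memdump.raw` and the `imageinfo` output sample are assumptions or constructed for the example. The profile-parsing function reads `imageinfo` output from stdin, so it runs against the constructed sample when no real dump is present.

```shell
#!/bin/sh
# Added example (not from the original post): a small Volatility 2 workflow.
# Assumes vol.py is on PATH and that winpmem's binary is named
# winpmem_mini_x64.exe (an assumption; check your download).

DUMP="${1:-memdump.raw}"   # assumed dump filename

# Step 1 is run on the Windows target, shown here for reference only:
#   winpmem_mini_x64.exe memdump.raw

# Step 2 helper: pull the first suggested profile out of `vol.py imageinfo`.
# imageinfo prints a line such as:
#   Suggested Profile(s) : Win7SP1x64, Win7SP0x64, ...
# Reads from stdin so it can be run against saved or constructed output.
pick_profile() {
    sed -n 's/^[[:space:]]*Suggested Profile(s)[[:space:]]*:[[:space:]]*//p' \
        | cut -d, -f1 | tr -d '[:space:]' | head -n 1
}

# Step 3 helper: build the plugin command line for a dump, profile and plugin.
vol_cmd() {
    printf 'vol.py -f %s --profile=%s %s\n' "$1" "$2" "$3"
}

# Constructed sample of imageinfo output, used when no real dump is available.
SAMPLE_IMAGEINFO='Volatility Foundation Volatility Framework 2.6
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64_23418
                     AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
                     AS Layer2 : FileAddressSpace (/cases/memdump.raw)'

have_dump() {
    [ -f "$DUMP" ] && command -v vol.py >/dev/null 2>&1
}

main() {
    if have_dump; then
        # Step 2: let Volatility guess the profile from the dump itself.
        PROFILE=$(vol.py -f "$DUMP" imageinfo 2>/dev/null | pick_profile)
    else
        echo "no dump or vol.py found; parsing constructed imageinfo sample" >&2
        PROFILE=$(printf '%s\n' "$SAMPLE_IMAGEINFO" | pick_profile)
    fi
    [ -n "$PROFILE" ] || { echo "could not determine a profile" >&2; exit 1; }
    echo "using profile: $PROFILE"

    # Step 3: plugins that surface what disk forensics misses:
    #   pslist/psscan - running and unlinked (hidden) processes
    #   malfind       - injected code and fileless payloads
    #   netscan       - network connections that are gone after a reboot
    for plugin in pslist psscan malfind netscan; do
        echo "+ $(vol_cmd "$DUMP" "$PROFILE" "$plugin")"
        if have_dump; then
            vol.py -f "$DUMP" --profile="$PROFILE" "$plugin"
        fi
    done
}

main
```

Comparing `pslist` (walks the kernel's process list) with `psscan` (carves process structures from raw memory) is the classic way to spot a process a rootkit has unlinked: it shows up in the second and not the first.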