This chapter discussed two major topic areas of memory analysis. First is the data points available and the methodology that can be followed. In addition, several tools, such as Redline, Volatility, and Strings have been explored. In addition to an overview of these tools, several of their features have been explored. This only scratches the surface of the number of features each of these tools has to offer the incident response analyst. These tools, taken in conjunction with a methodology for analyzing system RAM, can give the analyst a powerful tool for determining if a system has been compromised. With malware becoming more advanced, including malware that executes entirely in RAM, it is critical that analysts incorporate memory analysis into their capability. Marrying these techniques with network evidence collection can provide analysts and their organizations with a powerful tool to identify and remediate an incident.

In the next chapter, the analysis will move from the volatile evidence captured to examining the system's hard drive. Here, an analyst can gain more insight into the events surrounding an incident.