SANS six-part methodology

The SANS Institute uses a six-part methodology for the analysis of memory images. The process is designed to move from an overall view of what is running on the system to identifying and extracting the malicious software. The SANS methodology consists of the following steps:

  1. Identify rogue processes: Malware often hides its behavior behind processes that on the surface seem legitimate. Uncovering these involves identifying which processes are running, the location in the operating system they are running from, and verifying that only legitimate processes are in use. Sometimes processes are hidden in plain sight, where adversaries change a single letter in a process name. Other times, they will attempt to execute a process from an illegitimate location.
  2. Analyze process DLLs and handles: Once one or more processes have been identified as rogue, the next step is to examine the DLL files associated with the process as well as other factors such as the account it is running under.
  3. Review network artifacts: Malware, especially multi-stage malware, requires a connection to the internet. Even systems that are fully compromised often beacon out to C2 servers. Active and listening network connections are contained within the memory of these systems. Identifying external host IP addresses may give some insight into what type of compromise has taken place.
  4. Look for evidence of code injection: Techniques such as process hollowing and unmapped memory sections are often used by advanced malware authors. Memory analysis tools assist analysts in finding the evidence of these techniques.
  5. Check for signs of a rootkit: Achieving persistence is a goal of many external threat actors. If they are able to achieve the initial compromise of the system, it is critical to them that they maintain that access.
  6. Dump suspicious processes and drivers: After locating any suspicious processes or executables, analysts need to be able to acquire them for later analysis with additional tools.
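As an added example (not from the book, and not a SANS tool), the following Python script automates the checks from steps 1 and 3 above over a constructed process and connection listing of the kind a memory analysis tool would produce. It flags process names that are one character away from a well-known name, known names running from a directory other than the expected one, and connections to addresses outside a set of internal ranges. The baseline of known process names and their expected directories is an assumption for this example; in a real investigation it would come from a known-good image of the system under analysis.

```python
import ipaddress
from dataclasses import dataclass

# Assumed baseline of well-known process names and the directory each is
# expected to run from (example values, not an authoritative list).
KNOWN_PROCESSES = {
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

# Ranges treated as internal when reviewing network artifacts (RFC 1918,
# loopback and link-local); anything else is reported as an external peer.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]


@dataclass
class Proc:
    pid: int
    name: str
    path: str


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch single-letter name changes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage_processes(procs):
    """Step 1: report lookalike names and known names in unexpected locations."""
    findings = []
    for p in procs:
        name = p.name.lower()
        directory = p.path.lower().rsplit("\\", 1)[0]
        if name in KNOWN_PROCESSES:
            if directory != KNOWN_PROCESSES[name]:
                findings.append((p.pid, "unexpected path", p.path))
        else:
            for known in KNOWN_PROCESSES:
                if edit_distance(name, known) == 1:
                    findings.append((p.pid, f"lookalike of {known}", p.name))
    return findings


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def external_peers(connections):
    """Step 3: (pid, remote address) pairs talking to hosts outside INTERNAL_NETS."""
    return sorted({(pid, ip) for pid, ip, _port, _state in connections
                   if not is_internal(ip)})


# Constructed sample data standing in for a process and connection listing.
SAMPLE_PROCS = [
    Proc(820, "svchost.exe", r"C:\Windows\System32\svchost.exe"),
    Proc(1440, "explorer.exe", r"C:\Windows\explorer.exe"),
    Proc(9001, "svch0st.exe", r"C:\Users\Public\svch0st.exe"),   # zero for 'o'
    Proc(9002, "lsass.exe", r"c:\users\public\lsass.exe"),       # wrong directory
]
SAMPLE_CONNS = [
    (820, "10.0.0.5", 445, "ESTABLISHED"),
    (9001, "203.0.113.7", 443, "ESTABLISHED"),   # 203.0.113.0/24 is a documentation range
    (1440, "192.168.1.20", 139, "ESTABLISHED"),
]

if __name__ == "__main__":
    for finding in triage_processes(SAMPLE_PROCS):
        print("process:", finding)
    for peer in external_peers(SAMPLE_CONNS):
        print("external peer:", peer)
```

The two checks correspond to the two hiding techniques named in step 1 (a changed letter, and an illegitimate location); the external-peer list is the starting point for step 3 and, because it carries the PID, ties each connection back to the process that owns it for steps 2 and 6.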