When you investigate a compromised computer, don't just pull the power plug! Pulling the plug wipes the contents of RAM. You must capture a "Memory Dump" first using tools like `DumpIt`.

What can you find?

- Passwords: Often stored in plain text by browsers or password managers before encryption.
- Encryption Keys: BitLocker keys are in RAM.
- Network Connections: See active connections, and ones that closed only seconds ago.
- Hidden Processes: Rootkits can hide from Task Manager, but they can't hide from RAM.

1. The Volatility Framework

The standard tool for analyzing memory dumps.
```shell
python vol.py -f dump.mem windows.pslist
```

This command lists all processes by walking the kernel's linked process list. To detect processes hidden by Direct Kernel Object Manipulation (DKOM), which unlinks them from that list, cross-check its output against `windows.psscan`, which scans memory for process structures instead of following the list: a process that appears only in psscan is suspicious.

2. Malfind

A specific Volatility plugin that looks for injected code.
It finds memory regions that are writable and executable (RWX), privately committed, and not backed by any file on disk (as a legitimately loaded DLL would be). This is a tell-tale sign of malware.
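As an added example (not Volatility's own code), the two detection heuristics described above, the pslist/psscan cross-check and malfind's rule for unbacked RWX regions, reduced to plain Python over constructed data; the `Region` fields, the sample addresses, paths and PIDs are all assumptions made up for the illustration.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional

@dataclass(frozen=True)
class Region:
    """One memory region, modelled loosely on the fields a VAD listing exposes."""
    start: int
    end: int
    protection: str            # e.g. "PAGE_EXECUTE_READWRITE"
    private: bool              # privately committed, not a shared mapping
    mapped_file: Optional[str] # backing file on disk, None if unbacked
    head: bytes                # first bytes of the region, for an MZ check

# Constructed sample regions for one process (hypothetical values).
SAMPLE_REGIONS = [
    Region(0x7FF6A0000000, 0x7FF6A0001000, "PAGE_READONLY", False,
           r"C:\Windows\System32\notepad.exe", b"MZ\x90\x00"),
    Region(0x7FFB12340000, 0x7FFB12500000, "PAGE_EXECUTE_READ", False,
           r"C:\Windows\System32\ntdll.dll", b"MZ\x90\x00"),
    Region(0x1C0A0000000, 0x1C0A0010000, "PAGE_READWRITE", True, None,
           b"\x00\x00\x00\x00"),                       # ordinary heap
    Region(0x1C0B0000000, 0x1C0B0003000, "PAGE_EXECUTE_READWRITE", True, None,
           b"MZ\x90\x00"),                             # reflectively loaded PE
    Region(0x1C0C0000000, 0x1C0C0002000, "PAGE_EXECUTE_READWRITE", False,
           r"C:\Tools\jit.dll", b"MZ\x90\x00"),        # file-backed: not malfind's target
]

# Protections that are both writable and executable.
EXEC_WRITE = {"PAGE_EXECUTE_READWRITE", "PAGE_EXECUTE_WRITECOPY"}

def malfind_candidates(regions: Iterable[Region]) -> List[Region]:
    """Regions that are RWX, private and not backed by a file: malfind's core rule."""
    return [r for r in regions
            if r.protection in EXEC_WRITE and r.private and r.mapped_file is None]

def has_mz_header(region: Region) -> bool:
    """A PE header at the start of an unbacked region points at an injected image."""
    return region.head[:2] == b"MZ"

def hidden_processes(pslist_pids: Iterable[int], psscan_pids: Iterable[int],
                     exited_pids: Iterable[int] = ()) -> List[int]:
    """PIDs that pool scanning finds but the linked list does not.

    Terminated processes linger in pool memory too, so PIDs with an exit time
    are excluded before anything is called DKOM-hidden.
    """
    return sorted(set(psscan_pids) - set(pslist_pids) - set(exited_pids))
```

Real output needs the same cross-check by hand: only the region that is private, unbacked and RWX is flagged, and a psscan-only PID with an exit time is a dead process, not a hidden one.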