Introduction

This post solves the mystery of Donny's System and outlines how to apply a memory forensics methodology to uncover artifacts from memory dumps.

Tools: Volatility, Yara & Windows PowerShell

Analysis

Six-step investigative methodology by SANS:

1. Identify rogue processes
2. Analyze process DLLs and handles
3. Review network artifacts
4. Look for evidence of code injection
5. Check for signs of a rootkit
6. Dump suspicious processes and drivers

Run the Volatility imageinfo plugin to identify the profile:

PS C:\volatility> .\vol.exe -f .\unknown.vmem imageinfo

Run the Volatility pslist plugin to see the active running processes:

PS C:\volatility> .\vol.exe -f .\unknown.vmem --profile=WinXPSP3x86 pslist

Note that all process creation and termination times are reported in UTC. Convert them to the system's timezone when correlating events with other sources of evidence ...