Affiliate disclosure

Book titles on this page link to Amazon. As an Amazon Associate, DataField.Dev earns from qualifying purchases โ€” at no additional cost to you.

Chapter 22 โ€” Further Reading

Memory forensics has one canonical book, one canonical tool, and a deep bench of free, high-quality practice material. Start with the book to build the model, then live in the tool against real images โ€” this is a discipline you cannot learn by reading alone.

Foundations (๐Ÿ”ฌ deeper / structure-level)

  • "The Art of Memory Forensics" โ€” Ligh, Case, Levy & Walters (Wiley). The definitive text and the backbone of this chapter: Windows, Linux, and Mac internals, every Volatility plugin, and the structural reasoning (_EPROCESS, pool tags, the PEB lists) behind why the techniques work. If you own one DFIR book beyond the basics, own this.
  • The Volatility 3 documentation and source (volatilityfoundation.org, GitHub volatilityfoundation/volatility3). The authoritative plugin reference and the symbol-table (ISF) workflow. Read how Windows symbols are fetched automatically and how you build a Linux ISF with dwarf2json โ€” the difference decides whether an image is analyzable.
  • RFC 3227, "Guidelines for Evidence Collection and Archiving" (Brezinski & Killalea, IETF). Short and free; the citation for the order of volatility that makes "capture before power-off" a standard, not an opinion.

Approachable explanations (everyone)

  • 13Cubed (Richard Davis), YouTube โ€” the memory-forensics episodes. Free, rigorous, visual walk-throughs of acquisition and Volatility 3 on real images. The fastest way to see pslist/psscan/malfind/ldrmodules actually run.
  • "Investigating Windows Memory" / SANS FOR508 posters and blog. One-page maps of the plugin workflow and the injection signatures; tape one beside your keyboard.
  • The DFIR Report (thedfirreport.com). Detailed, free write-ups of real intrusions โ€” beaconing, fileless implants, process hollowing โ€” that show why command line, parentage, and live network state are the artifacts that matter.
  • ๐Ÿ›ก๏ธ๐Ÿ” Volatility, MemProcFS, and bulk_extractor (all free/open-source). Volatility for structured analysis; MemProcFS to mount a memory image as a browsable file system for fast triage; bulk_extractor/aeskeyfind to sweep for emails, URLs, and AES key schedules. Run all three against one image to feel their complementary strengths.
  • ๐Ÿ” WinPmem, AVML (Microsoft), LiME (504ensicsLabs), DumpIt (Magnet) โ€” GitHub. The free imagers named in the chapter. Read each README and note how it describes its own footprint โ€” you will be asked about it.
  • ๐Ÿ’พ The "encryption key from RAM" workflow (aeskeyfind / bulk_extractor โ†’ FVEK). For the recovery technician, the single most dramatic save in this chapter: a mounted, encrypted volume becomes readable from a live capture. Practice it on a test BitLocker/VeraCrypt VM.
  • ๐Ÿ“œ The Fifth-Amendment "seized key vs. compelled passphrase" literature. For the legal reader, the doctrine that makes live capture of an unlocked device so consequential โ€” pair it with Chapter 25.

Reference (this book)

Do, don't just read

  • Capture your own RAM, twice, and diff the hashes. Five minutes with WinPmem or AVML makes page smear real in your hands โ€” you will never be rattled by the "is it atomic?" question under cross-examination.
  • Work a public memory image end to end. Pull a practice image (Appendix J), run the full triage pass, diff pslist against psscan, find the injected region with malfind, and dump and hash the payload. You do not understand hollowing until you have watched the in-memory image fail to match the on-disk binary with your own eyes.
  • Recover a key from a live capture. Stand up a BitLocker or VeraCrypt test VM, capture its RAM while the volume is mounted, and pull the AES key with aeskeyfind. Feeling the "unrecoverable" volume open is the lesson of Case Study 2 learned the right way around.

Next: Chapter 23 โ€” Network Forensics: follow the beacon you found in memory out onto the wire โ€” packet captures, flow records, protocol analysis, and proving not just what ran on a host, but what it said to the world.