Now that you have performed investigations of the infrastructure (refer to Chapter 4, Using Python for Network Forensics), of common IT equipment (refer to Chapter 3, Using Python for Windows and Linux Forensics), and even of the virtualized (refer to Chapter 5, Using Python for Virtualization Forensics) and mobile worlds (refer to Chapter 6, Using Python for Mobile Forensics), in this chapter we will show you how to investigate volatile memory with the help of Volatility, a Python-based memory forensics framework, on the following platforms:
Android
Linux
After showing you some basic Volatility plugins for Android and Linux, and how to acquire the RAM dump required for analysis, we will go hunting for malware in RAM. To do this, we will use YARA rules, which are based on pattern matching, and combine them with the power of Volatility.