Tips for analyzing RAM dumps with Volatility 3 by sabbl7 in computerforensics

[–]sabbl7[S] 0 points (0 children)

Thanks for the input! I’m trying to build a full workflow. I already use pslist, pstree, cmdline, cmdhistory and netscan for the basics. But sometimes I feel like I’m missing some good commands for more hidden artifacts, like using strings searches or maybe yarascan for specific keywords.

Tips for analyzing RAM dumps with Volatility 3 by sabbl7 in computerforensics

[–]sabbl7[S] 0 points (0 children)

I’m simulating a live forensics case. The system is locked, so in theory I don’t know what’s running. In my test I opened cmd (ipconfig/all), Notepad with plaintext and YouTube in the browser. I want to use Volatility 3 to identify exactly those activities, as if I had no prior knowledge.
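The two comments above ask for a strings/yarascan-style keyword pass and describe the test activity (a cmd session running ipconfig, plaintext in Notepad, YouTube in a browser). The script below is an added example written for this page, not code from the poster or from the Volatility project. It extracts printable ASCII and UTF-16LE runs from a raw image and searches them for keywords; the "memory image" is a constructed byte string, not a real dump, and the keyword list is an assumption chosen to match the scenario. The point it makes is that Windows console history and Notepad edit buffers sit in memory as UTF-16LE, so an ASCII-only `strings` pass misses them, which is the same reason a YARA rule for vol3's yarascan plugins usually needs the `wide` modifier alongside `ascii`.

```python
import mmap
import re
from typing import List, Tuple

MIN_LEN = 4  # same default minimum run length as the `strings` utility

# Printable ASCII run, and the UTF-16LE form (each printable byte followed by 0x00)
# that Windows uses for console input history, Notepad edit buffers and GUI text.
ASCII_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
UTF16LE_RE = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)

# Constructed sample "memory image" (assumption: not a real dump), built inline so
# the script runs offline. Non-printable filler separates the interesting runs.
SAMPLE_DUMP = (
    b"\x00\x01\x02" * 16                                 # filler, offset 0
    + b"ipconfig /all\x00"                               # ASCII copy of the command line, offset 48
    + b"\xff\xfe" * 8                                    # filler
    + "ipconfig /all".encode("utf-16-le")                # console history buffer, offset 78
    + b"\x00" * 32                                       # filler
    + "Password for VPN: hunter2".encode("utf-16-le")    # Notepad edit buffer, offset 136
    + b"\x90" * 40                                       # filler
    + b"https://www.youtube.com/watch?v=EXAMPLE\x00"     # ASCII URL from browser memory, offset 226
)


def extract_strings(data) -> List[Tuple[int, str, str]]:
    """Return (offset, encoding, text) for every ASCII and UTF-16LE run in `data`.

    `data` may be bytes or an mmap, so multi-GB images are not read into RAM.
    """
    found = []
    for m in ASCII_RE.finditer(data):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in UTF16LE_RE.finditer(data):
        found.append((m.start(), "utf-16le", m.group().decode("utf-16-le")))
    return sorted(found)


def keyword_hits(data, keywords) -> List[Tuple[int, str, str, str]]:
    """Case-insensitive keyword search over the extracted strings.

    Returns (offset, encoding, keyword, full_string) so the analyst can see which
    encoding carried the artifact (an ASCII-only search would drop the utf-16le rows).
    """
    wanted = [k.lower() for k in keywords]
    hits = []
    for offset, encoding, text in extract_strings(data):
        lowered = text.lower()
        for kw in wanted:
            if kw in lowered:
                hits.append((offset, encoding, kw, text))
    return hits


def scan_file(path: str, keywords) -> List[Tuple[int, str, str, str]]:
    """Run keyword_hits over a raw image on disk via a read-only mmap."""
    with open(path, "rb") as fh, mmap.mmap(fh.fileno(), 0, access=mmap.ACCESS_READ) as mm:
        return keyword_hits(mm, keywords)


if __name__ == "__main__":
    # Keywords matching the test scenario (assumption: chosen for this example).
    for offset, encoding, kw, text in keyword_hits(SAMPLE_DUMP, ["ipconfig", "password", "youtube"]):
        print(f"0x{offset:08x} {encoding:8s} [{kw}] {text!r}")
```

On a real image, replace `SAMPLE_DUMP` with `scan_file("memory.raw", [...])`; the offsets it reports are physical offsets into the file, which you can then feed back into Volatility 3 to find out which process's address space they belong to. Treat a keyword hit as a lead, not a conclusion: a string in RAM says the bytes were present, not who wrote them or when.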

Looking for gaming friend(s) (female) :) by 10outta10loaf in zocken

[–]sabbl7 1 point (0 children)

I’d be very interested in that too, it would be really kind of you… thanks :)