dfir
blue team
volatility
memory forensics
Volatility is a free memory forensics tool developed and maintained by Volatility Labs.
It is the gold standard for memory forensics in incident response.
You can capture the memory of live machines using the following tools:
These tools typically output a .raw file containing an image of system memory.
You can pull the memory of offline machines relatively easily by copying the %SystemDrive%/hiberfil.sys file.
This is the Windows hibernation file and contains a compressed memory image from the previous boot.
Microsoft uses this to provide faster boot times, but we can use it for memory forensics.
For virtual machines you can target the following files:
VMware - .vmem file
Hyper-V - .bin file
Parallels - .mem file
VirtualBox - .sav file. Note that you will need to dump memory as you would on a bare-metal system for this hypervisor, since the .sav file is only a partial memory image.
These files can be found in the datastore of the corresponding hypervisor and can often be copied without shutting the VM off. This makes for minimal disruption :)
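As an added example (not from the original notes), here is a small Python inventory script that walks a copied datastore or evidence folder, picks out the hibernation file and the hypervisor memory files listed above, flags the VirtualBox .sav case as partial, and hashes every hit so the copy can be verified before it goes into Volatility. It assumes the hiberfil.sys header signatures hibr/HIBR (intact image) and wake/RSTR (Windows has resumed from it), treats Hyper-V .bin hits as leads only because that suffix is shared with many unrelated files, and builds its own constructed sample tree in a temp directory for demonstration.

```python
import hashlib
import tempfile
from pathlib import Path

# Memory sources from the notes above, keyed by suffix; the flag marks images
# the notes call partial (VirtualBox .sav), where a live dump is still needed.
SOURCE_BY_SUFFIX = {".vmem": ("VMware", False), ".bin": ("Hyper-V", False),
                    ".mem": ("Parallels", False), ".sav": ("VirtualBox", True)}
# Assumed hiberfil.sys signatures: hibr/HIBR = complete image; wake/RSTR = resumed, may be stale.
INTACT_SIGS = {b"hibr", b"HIBR"}
RESUMED_SIGS = {b"wake", b"WAKE", b"RSTR"}

def sha256_of(path: Path, chunk: int = 1 << 20) -> str:
    """Hash in chunks so a multi-GB image is never read into RAM at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def hiberfil_state(path: Path) -> str:
    with path.open("rb") as f:
        magic = f.read(4)
    if magic in INTACT_SIGS:
        return "intact"
    return "resumed" if magic in RESUMED_SIGS else "unknown"

def find_memory_sources(root) -> list:
    """Inventory candidate memory images under a datastore or evidence tree."""
    found = []
    for p in (f for f in sorted(Path(root).rglob("*")) if f.is_file()):
        if p.name.lower() == "hiberfil.sys":
            found.append({"source": "hiberfil", "path": str(p), "partial": False,
                          "state": hiberfil_state(p), "sha256": sha256_of(p)})
        elif p.suffix.lower() in SOURCE_BY_SUFFIX:
            source, partial = SOURCE_BY_SUFFIX[p.suffix.lower()]
            found.append({"source": source, "path": str(p), "partial": partial,
                          "state": "n/a", "sha256": sha256_of(p)})
    return found

def build_demo_tree() -> str:
    """Constructed sample tree standing in for a copied hypervisor datastore."""
    root = Path(tempfile.mkdtemp())
    (root / "vm1").mkdir()
    (root / "vm1" / "vm1.vmem").write_bytes(b"\x00" * 64)
    (root / "guest.sav").write_bytes(b"\x00" * 64)
    (root / "hiberfil.sys").write_bytes(b"HIBR" + b"\x00" * 60)
    (root / "notes.txt").write_bytes(b"not memory")
    return str(root)
```

Record the returned hashes alongside the copy so a later re-hash of the image handed to Volatility proves nothing changed in transit.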
Here is a good Volatility 3 cheat sheet by Ashley Pearson you might be interested in. It covers the differences between the commands used in Volatility 2.x and 3.x and is pretty neat imo :)