Look for suspicious or out-of-place processes (e.g., cmd.exe , powershell.exe , or renamed malware).
vol.py -f battleofhooverdam.raw --profile=[PROFILE] pslist 3. Inspect Network Connections battleofhooverdam.7z
Search for active connections to unknown IP addresses or ports. Look for suspicious or out-of-place processes (e
Attackers often leave clues in the command history or environment variables. battleofhooverdam.7z
If the file contains a disk image rather than memory.