Comae Memory and network analysis: Beginning an incident investigation

A common scenario for SOC’s and IR teams is being handed a piece of evidence and being asked to “Find Evil.” Those on the receiving end know this to be a broad ask. If there is a known good image to compare things to, the process may be easier, but not all organizations have a gold build available for comparison.