FIGURE 3.1 The High-level Investigation Process.

Some systems can be shut down with minimal business disruption. In our example case the subject system is a developer workstation, which is normally not terribly painful to take offline. The only person affected by this is the developer, whose productivity has already been affected by the malware we have discovered. In a case like this you might decide to dump the RAM and proceed to dead analysis. If this is what you have chosen to do, you can safely skip ahead to the section of this chapter on dumping RAM.
