
There is more...
If you are planning to use Volatility for memory forensic analysis (and we highly recommend it: it is the most powerful tool, has lots of plugins, and is free and open source), it is very important to choose the right profile. To do this, you will need to know the system type, operating system version, and build number. As you have already learned from the previous recipes, the imageinfo plugin can help you with this task if this information wasn't properly documented during the acquisition stage.
Table 2.1 contains information about profiles added to the most recent version of the Volatility Framework at the time of writing.

Also, it's important to note that on all x64 Windows 8/2012 (and later) systems, the KDBG (which holds the pointers to the lists of running processes and loaded kernel modules) is encrypted by default, so instead of the KDBG offset you should give Volatility the virtual address of KdCopyDataBlock. Both addresses can be collected with the kdbgscan Volatility plugin.
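As an added example (not the book's own code), the following POSIX shell script pulls the KdCopyDataBlock address and the profile that produced a usable hit out of kdbgscan output and builds the follow-up vol.py command line. The kdbgscan text embedded in it is constructed and abridged, the image name and addresses are made up, and it assumes Volatility 2.x, whose global --kdbg option takes that virtual address.

```shell
#!/bin/sh
# Added example (not from the book): pick the KdCopyDataBlock address and a
# working profile out of Volatility 2 kdbgscan output for an x64 Windows 8+ image.
# The kdbgscan text below is constructed and abridged; addresses are made up.

KDBGSCAN_OUTPUT='**************************************************
Instantiating KDBG using: Kernel AS Win8SP0x64 (6.2.9200 64bit)
Offset (V)                    : 0xf80002a3e820
KdCopyDataBlock (V)           : 0xf80002709a00
Block encoded                 : Yes
KDBG owner tag check          : False
Profile suggestion (KDBGHeader): Win8SP1x64
PsActiveProcessHead           : 0xf80002a6a350 (0 processes)
**************************************************
Instantiating KDBG using: Kernel AS Win8SP1x64 (6.3.9600 64bit)
Offset (V)                    : 0xf80002a3e820
KdCopyDataBlock (V)           : 0xf80002709a00
Block encoded                 : Yes
KDBG owner tag check          : True
Profile suggestion (KDBGHeader): Win8SP1x64
PsActiveProcessHead           : 0xf80002a6a350 (41 processes)
PsLoadedModuleList            : 0xf80002a7c5b0 (153 modules)'

# Print "<profile> <KdCopyDataBlock (V)>" for each kdbgscan hit whose block is
# encoded and whose owner tag check passed; that address is what --kdbg needs.
encoded_kdbg() {
    printf '%s\n' "$KDBGSCAN_OUTPUT" | awk -F': *' '
        function flush() {
            if (enc == "Yes" && tag == "True" && addr != "") print prof, addr
            prof = ""; addr = ""; enc = ""; tag = ""
        }
        /^\*+$/                   { flush() }
        /^Instantiating KDBG/     { split($2, p, " "); prof = p[3] }
        /^KdCopyDataBlock \(V\)/  { addr = $2 }
        /^Block encoded/          { enc = $2 }
        /^KDBG owner tag check/   { tag = $2 }
        END                       { flush() }'
}

# Build the vol.py command line for a plugin from the first usable hit.
vol_cmd() {
    image=$1 plugin=$2
    set -- $(encoded_kdbg | head -n 1)
    [ -n "$2" ] || { echo "no usable encoded KDBG in kdbgscan output" >&2; return 1; }
    printf 'vol.py -f %s --profile=%s --kdbg=%s %s\n' "$image" "$1" "$2" "$plugin"
}

vol_cmd memory.raw pslist
```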