AAron Walters publishes FATKit: Detecting Malicious Library Injection and Upping the “Anti”, which discusses how the Forensic Analysis ToolKit (FATKit) can facilitate the process of enumerating suspicious artifacts manifested as a result of remote library injection. Previously published techniques focused on detecting attacks in real time, but this paper specifically focuses on the ability to extract memory-resident evidence from information systems under investigation. One significant differentiator from the majority of previous work is that the integrity of the potentially compromised operating system is not relied upon; instead, analysis is performed offline on a trusted capture of volatile memory (RAM).
