Hi,
I'd also consider running a virtual machine from the forensic image and monitoring network activity coming from the potentially infected machine. There might be more calls to foreign IP addresses than were captured in the memory dump at the time it was taken.
You can also do a packet analysis of what the machine is trying to send out as part of that process. This might give you clues about where to look next on the computer.
Steve
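One way to turn the captured VM traffic into a list of places to look next, as an added example that is not part of Steve's reply: it assumes a constructed one-line-per-flow summary (the kind you would reduce a pcap to) and a constructed set of IPs recovered from the memory dump, and it reports the external destinations the running VM contacted that the memory dump never showed.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample: destination IPs found in the memory dump (e.g. from a
# listing of open sockets) at the moment the dump was taken.
MEMORY_DUMP_IPS = {"203.0.113.10", "192.168.1.20"}

# Constructed sample flow summary from the isolated VM capture:
# "timestamp src dst proto dport". Addresses are from documentation ranges.
VM_CAPTURE = """\
10:00:01 192.168.1.50 192.168.1.1 udp 53
10:00:02 192.168.1.50 203.0.113.10 tcp 443
10:00:05 192.168.1.50 198.51.100.7 tcp 8080
10:00:09 192.168.1.50 198.51.100.7 tcp 8080
10:00:12 192.168.1.50 192.0.2.44 tcp 443
10:00:15 192.168.1.50 224.0.0.251 udp 5353
"""

FLOW_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)$")

# Explicit list instead of ipaddress.is_global, because Python treats the
# documentation ranges used in the sample as non-global.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                   # loopback, link-local
    "224.0.0.0/4", "255.255.255.255/32")]              # multicast, broadcast

def is_internal(ip):
    """True for LAN, loopback, link-local, multicast and broadcast addresses."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def parse_flows(text):
    """Parse the flow summary into (dst_ip, proto, dport) tuples, skipping junk lines."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if m:
            _ts, _src, dst, proto, port = m.groups()
            flows.append((dst, proto, int(port)))
    return flows

def external_destinations(flows):
    """Count flows per external destination; noise the VM makes on its own (DNS to
    the gateway, mDNS multicast) is dropped so only outbound calls remain."""
    return Counter(f for f in flows if not is_internal(f[0]))

def new_since_memory_dump(flows, known_ips):
    """External destinations the running image contacted that the memory dump did not show."""
    return {k: n for k, n in external_destinations(flows).items() if k[0] not in known_ips}

if __name__ == "__main__":
    for (dst, proto, port), n in sorted(new_since_memory_dump(parse_flows(VM_CAPTURE), MEMORY_DUMP_IPS).items()):
        print(f"{dst}:{port}/{proto}  {n} flow(s)  -> search disk and memory for this address")
```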