Systems Already Rebooted -- Volatile Data Lost
The affected systems have already been rebooted (by users, IT, or automated patch processes) before memory could be captured. Running processes, network connections, injected code, and encryption keys that existed only in RAM are no longer recoverable.
Signals
- System uptime shows a recent reboot that postdates the suspected compromise
- IR team arrived after IT or the end user had already restarted the machine
- EDR telemetry shows a gap corresponding to the reboot, and pre-reboot process data is incomplete
Pivot Actions
1. Analyze pagefile.sys and hiberfil.sys for remnants of memory-resident artifacts (strings, injected DLLs, process fragments)
2. Review EDR memory-protection telemetry (LSASS access, process injection alerts) captured before the reboot
3. Extract crash dumps (MEMORY.DMP, minidumps in %SystemRoot%\Minidump) that may contain process snapshots
4. Reconstruct running processes from Prefetch, AmCache, ShimCache, and SRUM artifacts, which persist across reboots
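Pivot action 1 is in practice a string-carving pass: paged-out memory in pagefile.sys and hiberfil.sys is not a coherent address space, but fragments of command lines, DLL paths and URLs survive as plain ASCII or, very commonly on Windows, as UTF-16LE. The script below is an added example (not part of the original playbook) that carves both encodings from a raw blob, tags each string against a small set of triage indicators, and returns the hits sorted by file offset. The indicator patterns and the sample blob `SAMPLE_PAGEFILE` are constructed for this illustration, not taken from any real case; run it against a real pagefile with `python carve.py pagefile.sys`.

```python
"""Carve ASCII and UTF-16LE strings from pagefile/hiberfil residue and tag
the ones that merit analyst attention (added example, assumptions noted)."""
import mmap
import re
import sys
from collections import namedtuple

Hit = namedtuple("Hit", ["offset", "encoding", "text", "tag"])

# Triage indicators: a DLL path (possible injected module), a URL, and an
# encoded PowerShell command line. Constructed for the example; extend with
# case-specific IOCs as the investigation develops.
INDICATORS = {
    "dll_path": re.compile(r"\\[\w\\ .-]+\.dll\b", re.I),
    "url": re.compile(r"https?://[\w./:-]+", re.I),
    "encoded_ps": re.compile(r"-e(?:nc(?:odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}", re.I),
}


def tag(text):
    """Return the name of the first matching indicator, or None."""
    for name, pattern in INDICATORS.items():
        if pattern.search(text):
            return name
    return None


def carve_strings(blob, min_len=8):
    """Yield printable runs of at least min_len chars, ASCII and UTF-16LE.

    blob may be bytes or an mmap; both support the buffer protocol that re
    needs, so a multi-gigabyte pagefile is never read into memory at once.
    """
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    # UTF-16LE of ASCII text is <char><NUL> pairs; require min_len pairs.
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    for m in ascii_re.finditer(blob):
        yield Hit(m.start(), "ascii", m.group().decode("ascii"), None)
    for m in utf16_re.finditer(blob):
        yield Hit(m.start(), "utf-16le", m.group().decode("utf-16-le"), None)


def triage(blob, min_len=8):
    """Carve strings, keep only those matching an indicator, sort by offset."""
    hits = [h._replace(tag=tag(h.text)) for h in carve_strings(blob, min_len)]
    return sorted((h for h in hits if h.tag), key=lambda h: h.offset)


# Constructed stand-in for a slice of pagefile.sys: binary noise, a DLL path
# in ASCII, a UTF-16LE command line, and a URL, separated by NUL/0xFF padding.
SAMPLE_PAGEFILE = (
    b"\x00" * 16
    + b"\xde\xad\xbe\xef" * 4
    + b"C:\\Windows\\Temp\\stage.dll"          # constructed DLL path, offset 32
    + b"\x00" * 8
    + "powershell.exe -enc SGVsbG8sIHRoaXMgaXMgYSB0ZXN0".encode("utf-16-le")
    + b"\xff" * 8
    + b"http://update.example.invalid/check"   # constructed URL
    + b"\x00" * 8
    + b"short"                                  # below min_len, ignored
    + b"\x00" * 16
)


def main(argv):
    if len(argv) > 1:
        with open(argv[1], "rb") as f:
            blob = mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ)
            hits = triage(blob)
    else:
        hits = triage(SAMPLE_PAGEFILE)
    for h in hits:
        print(f"0x{h.offset:08x} {h.encoding:8} {h.tag:10} {h.text}")


if __name__ == "__main__":
    main(sys.argv)
```

The two-encoding pass matters: a carve that only looks for ASCII misses most command lines and registry paths, which Windows stores as UTF-16LE. Offsets are kept so a hit can be cross-referenced with a hex view of the same file when fragments of the surrounding structure need to be examined by hand.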
Alternate Evidence Sources
- Pagefile.sys and hiberfil.sys for partial memory content recovery
- Crash dump files (MEMORY.DMP, minidump) if a BSOD occurred
- Prefetch, AmCache, ShimCache, and SRUM database for historical execution evidence
- EDR cloud-stored telemetry captured before the reboot event