Obtaining a memory dump
Get a memory dump from your suspect machine. WinPmem loads a kernel driver to read physical memory, so it has to be run from an elevated (Administrator) prompt, and the image should go to external storage rather than the suspect's own disk.
For the following actions, I've used WinPmem with good results. The page gives you tools for OS X and Linux as well.
winpmem_1.6.2.exe vaio_mem.dmp
Loaded Driver C:\Users\Admin\AppData\Local\Temp\pmeECC6.tmp.
Deleting C:\Users\Admin\AppData\Local\Temp\pmeECC6.tmp
Will generate a RAW image
CR3: 0x0000187000
7 memory ranges:
Start 0x00001000 - Length 0x0009D000
Start 0x00100000 - Length 0xCF326000
Start 0xCF58E000 - Length 0x00003000
Start 0xCF5E8000 - Length 0x00159000
Start 0xCF791000 - Length 0x00004000
Start 0xCF7E8000 - Length 0x00015000
Start 0x100000000 - Length 0xAF800000
Acquitision mode PTE Remapping
Padding from 0x00000000 to 0x00001000
.
00% 0x00001000 .
Padding from 0x0009E000 to 0x00100000
.
00% 0x00100000 ..................................................
00% 0x03300000 ..................................................
01% 0x06500000 ..................................................
02% 0x09700000 ..................................................
02% 0x0C900000 ..................................................
03% 0x0FB00000 ..................................................
04% 0x12D00000 ..................................................
05% 0x15F00000 ..................................................
05% 0x19100000 ..................................................
06% 0x1C300000 ..................................................
07% 0x1F500000 ..................................................
07% 0x22700000 ..................................................
08% 0x25900000 ..................................................
09% 0x28B00000 ..................................................
98% 0x1A8C00000 ..................................................
99% 0x1ABE00000 ..................................................
99% 0x1AF000000 ........
Driver Unloaded.
And finally you've got your image file. Before doing anything else with it, hash it and record the hash alongside the console output above (the memory ranges tell you how large a flat RAW image should be), so you can later show the evidence was not altered.
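The acquisition above leaves you with two artifacts, the image and the console log, and nothing that checks they agree. The script below is an added example written for this page; it is not WinPmem's own code and the file name check_dump.py is my choice. It parses the "N memory ranges:" / "Start ... - Length ..." lines from the log, works out the holes WinPmem had to pad, derives the size a flat RAW image should have, hashes the image, and prints a chain-of-custody record as JSON. It assumes (as the "Padding from ... to ..." lines suggest, but WinPmem's documentation is the authority) that RAW mode writes a flat, physical-address-indexed file whose size is the highest physical address the last range reaches. The embedded SAMPLE_LOG is constructed from the output shown above.

```python
"""check_dump.py: sanity-check a WinPmem RAW image against the console log it printed.

Added example, not WinPmem's own code. ASSUMPTION: in RAW mode WinPmem writes a flat,
physical-address-indexed file and pads the gaps between ranges (the 'Padding from ... to ...'
lines it prints suggest this), so the file should be exactly as large as the highest
physical address covered by the last range.
"""
import hashlib
import json
import os
import re
import sys
from datetime import datetime, timezone

# Constructed sample: the range table WinPmem printed during the acquisition above.
SAMPLE_LOG = """\
CR3: 0x0000187000
7 memory ranges:
Start 0x00001000 - Length 0x0009D000
Start 0x00100000 - Length 0xCF326000
Start 0xCF58E000 - Length 0x00003000
Start 0xCF5E8000 - Length 0x00159000
Start 0xCF791000 - Length 0x00004000
Start 0xCF7E8000 - Length 0x00015000
Start 0x100000000 - Length 0xAF800000
Acquitision mode PTE Remapping
Driver Unloaded.
"""

RANGE_RE = re.compile(r"Start\s+0x([0-9A-Fa-f]+)\s+-\s+Length\s+0x([0-9A-Fa-f]+)")
COUNT_RE = re.compile(r"(\d+) memory ranges:")


def parse_ranges(log_text):
    """Return [(start, length), ...] for every 'Start ... - Length ...' line in the log."""
    ranges = [(int(s, 16), int(n, 16)) for s, n in RANGE_RE.findall(log_text)]
    m = COUNT_RE.search(log_text)
    if m and int(m.group(1)) != len(ranges):
        raise ValueError(f"log announces {m.group(1)} ranges but lists {len(ranges)}")
    return ranges


def expected_image_size(ranges):
    """Size of a flat RAW image: the highest physical address any range reaches."""
    return max(start + length for start, length in ranges)


def resident_bytes(ranges):
    """Bytes of real RAM the ranges describe; everything else in the image is padding."""
    return sum(length for _, length in ranges)


def gaps(ranges):
    """[(from, to), ...] holes between consecutive ranges that WinPmem had to pad."""
    out = []
    prev_end = 0
    for start, length in sorted(ranges):
        if start > prev_end:
            out.append((prev_end, start))
        prev_end = start + length
    return out


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def sha256_file(path, chunk=1 << 20):
    """Stream the image through SHA-256; dumps are gigabytes, so never read() them whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def custody_record(path, log_text, actual_size, digest):
    """Everything a later analyst needs to trust (or distrust) this image."""
    ranges = parse_ranges(log_text)
    expected = expected_image_size(ranges)
    return {
        "image": os.path.abspath(path),
        "sha256": digest,
        "size_bytes": actual_size,
        "expected_size_bytes": expected,
        "size_matches": actual_size == expected,
        "ram_bytes_described": resident_bytes(ranges),
        "padded_gaps": [{"from": hex(a), "to": hex(b)} for a, b in gaps(ranges)],
        "checked_at_utc": datetime.now(timezone.utc).isoformat(),
    }


def verify_image(path, log_text):
    return custody_record(path, log_text, os.path.getsize(path), sha256_file(path))


if __name__ == "__main__":
    # usage: python check_dump.py vaio_mem.dmp winpmem_output.txt
    with open(sys.argv[2], encoding="utf-8", errors="replace") as f:
        log = f.read()
    rec = verify_image(sys.argv[1], log)
    print(json.dumps(rec, indent=2))
    sys.exit(0 if rec["size_matches"] else 1)
```

Run it with the image and a saved copy of the console output; a non-zero exit means the file on disk is not the size the range table predicts, which is worth knowing before you spend hours analysing it. The "padded_gaps" it reports for the sample log line up with the "Padding from 0x00000000 to 0x00001000" and "Padding from 0x0009E000 to 0x00100000" messages WinPmem printed, which is a cheap way to confirm the assumption about the image layout on your own acquisition.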