Native Memory Forensics

Among different approaches to memory forensics (investigation of past system or process structure and behaviour recorded in memory snapshots) native memory forensic analysis is done using native OS debuggers such as WinDbg from Debugging Tools for Windows or GDB (Linux) or GDB/LLDB (Mac OS X). Such approach is an integral part of software diagnostics (investigation of signs of software structure and behaviour in software execution artefacts) and was introduced as a part of pattern-oriented software forensics:

http://www.dumpanalysis.org/pattern-oriented-memory-forensics
http://www.dumpanalysis.org/pattern-language-memory-forensics

Software Diagnostics Services offers comprehensive self-paced training courses in native memory forensics for Windows platforms using WinDbg and memory dumps in hands-on exercises:

http://www.patterndiagnostics.com/accelerated-windows-malware-analysis-b...
http://www.patterndiagnostics.com/practical-foundations-windows-debuggin...
http://www.patterndiagnostics.com/accelerated-disassembly-reconstruction...

Their training courses (which also includes malware and rootkit detection, disassembly and reversing as an integral part of forensic investigation) teach various pattern languages (such as memory analysis pattern language, malware analysis patterns, and ADDR patterns) that can be used with other memory forensic analysis tools.