vol -f memory.dump windows.dumpfiles --pid 1234
| Resource | Format | Portability | Depth | | :--- | :--- | :--- | :--- | | (SP 800-86) | PDF | High | Theoretical | | 13Cubed’s Windows Forensic Course (labs) | Web + VMDK | Medium | Very high | | SANS FOR500 / FOR508 Lab Guides | Proprietary + VM | Low | Expert | | Digital Corpora (sample images) | Torrent / HTTP | N/A | Artifacts only | | DFIR Science - Practical Windows Forensics | PDF + GitHub | Medium-High | High | vol -f memory