So over the course or Luka's thread on his research the subject of testing your acquisition tools came up.

I know this topic has been mentioned before (in one of my own past posts), but what is the requirement for memory acquisition tools to be working "properly"?  Especially since each time you run the test against a memory image that image has changed.

What steps, at a minimum, should you be making sure that the tool you are using/evaluating is doing what it should be doing?  Listing processes correctly?  Showing the correct artifacts if I have Zeus on the image?

The topic always seems to come up (even with physical devices) that you have to test your tools, with no one ever saying what checkmarks you have to make sure the tools does.

Thanks,

Tom