Please forgive my noobness.
I am new to Volatility and just viewed a discussion on memory
acquisition problems and the malware removing itself from the memory
before it was written to file for later analysis.
Does malware such as Rustock.C leave any traces behind such as portions
of the program used to "remove" itself from memory but cannot completely
remove itself?
Or if not, how do the researchers know it was present? Did they do a
controlled infection and watch it remove itself by other means?