Memory Forensics

Analysis

Memory forensics involves analyzing RAM dumps to find malware, extract credentials, discover network connections, and uncover evidence that never touches disk. Volatility is the industry-standard framework.

Memory Acquisition

memory-forensics.sh (bash)
# Windows - DumpIt (Magnet Forensics)
DumpIt.exe /O C:\Cases\memory.dmp

# Windows - FTK Imager
# File → Capture Memory → Select destination

# Linux - LiME (Linux Memory Extractor)
sudo insmod lime.ko "path=/cases/memory.lime format=lime"

# Linux - avml (Microsoft)
sudo ./avml output.lime

# Volatility 3 - Identify OS profile
python3 vol.py -f memory.dmp windows.info

# Common Volatility 3 plugins
python3 vol.py -f memory.dmp windows.pslist        # Running processes
python3 vol.py -f memory.dmp windows.pstree        # Process tree
python3 vol.py -f memory.dmp windows.netscan       # Network connections
python3 vol.py -f memory.dmp windows.cmdline       # Command lines
python3 vol.py -f memory.dmp windows.dlllist       # Loaded DLLs
python3 vol.py -f memory.dmp windows.handles       # Open handles
python3 vol.py -f memory.dmp windows.malfind       # Detect injected code
python3 vol.py -f memory.dmp windows.filescan      # Files in memory

Hunt for Malware

Use windows.malfind to detect process injection, hollowing, and reflective DLL loading. Look for PAGE_EXECUTE_READWRITE memory regions, which are common in malware. Private RWX regions are also created legitimately by JIT compilers (browsers, .NET), so confirm with the region's hexdump and disassembly: an MZ header in a private region that does not appear in windows.dlllist is a strong sign of an injected PE.
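As an added example (not part of the original page), the triage logic above applied to windows.malfind output in Python: the script parses a constructed sample of `vol.py -r json` output, scores each region on RWX protection, private memory and an MZ header at the region start, and lists the strongest hits first. The JSON column names are assumed from Volatility 3's malfind plugin and should be checked against your version.

```python
import json
import re

# Constructed sample of `python3 vol.py -r json -f memory.dmp windows.malfind`
# output. Column names follow Volatility 3's malfind plugin but may differ
# between versions, so treat them as an assumption to check against your build.
SAMPLE_MALFIND_JSON = """[
  {"PID": 4328, "Process": "explorer.exe", "Start VPN": 23330816, "End VPN": 23334911,
   "Tag": "VadS", "Protection": "PAGE_EXECUTE_READWRITE", "CommitCharge": 1,
   "PrivateMemory": 1, "File output": "Disabled",
   "Hexdump": "4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 MZ.............."},
  {"PID": 6120, "Process": "chrome.exe", "Start VPN": 2181038080, "End VPN": 2181042175,
   "Tag": "VadS", "Protection": "PAGE_EXECUTE_READWRITE", "CommitCharge": 1,
   "PrivateMemory": 1, "File output": "Disabled",
   "Hexdump": "55 8b ec 83 ec 20 53 56 57 8b 7d 08 33 db 8b f3 U..........3.."},
  {"PID": 812, "Process": "svchost.exe", "Start VPN": 5832704, "End VPN": 5836799,
   "Tag": "VadS", "Protection": "PAGE_EXECUTE_WRITECOPY", "CommitCharge": 1,
   "PrivateMemory": 0, "File output": "Disabled",
   "Hexdump": "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................"}
]"""
HEX_BYTE = re.compile(r"\b([0-9a-f]{2})\b")

def leading_bytes(hexdump, n=2):
    """First n bytes of a malfind Hexdump column, parsed from its hex pairs."""
    return bytes(int(h, 16) for h in HEX_BYTE.findall(hexdump.lower())[:n])

def score_region(row):
    """Return the indicators that make one malfind row worth a closer look."""
    reasons = []
    if "PAGE_EXECUTE_READWRITE" in row["Protection"]:
        reasons.append("RWX protection")                   # writable and executable
    if row.get("PrivateMemory") == 1:
        reasons.append("private memory, not file-backed")  # no image on disk behind it
    if leading_bytes(row.get("Hexdump", "")) == b"MZ":
        reasons.append("MZ header: PE image outside the loaded-module list")
    return reasons

def triage_malfind(json_text, min_hits=1):
    """Parse malfind JSON; return regions with >= min_hits indicators, strongest first."""
    findings = []
    for row in json.loads(json_text):
        reasons = score_region(row)
        if len(reasons) >= min_hits:
            findings.append({"pid": row["PID"], "process": row["Process"],
                             "start": hex(row["Start VPN"]), "reasons": reasons})
    return sorted(findings, key=lambda f: len(f["reasons"]), reverse=True)

if __name__ == "__main__":
    for f in triage_malfind(SAMPLE_MALFIND_JSON):
        print(f"{f['pid']:>6} {f['process']:<14} {f['start']:<12} {'; '.join(f['reasons'])}")
```

Raise `min_hits` to 3 to keep only regions that are RWX, private and carry an MZ header; the chrome.exe region in the sample drops out, which is the JIT false positive the text warns about.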