Memory Forensics
Analysis
Memory forensics captures what disk often misses: running processes, network sessions, injected code, decrypted secrets, and malware that never wrote a full payload to storage. Acquire RAM early and analyze it from a verified copy.
Volatile Evidence Window
Every minute matters. Reboots, EDR containment, and user logoff can erase memory artifacts. Coordinate with the incident commander before isolating or powering off systems when memory evidence is likely to matter.
Acquisition and Triage
```bash
# Windows acquisition options
# - Magnet DumpIt / Magnet RAM Capture
# - FTK Imager: File > Capture Memory
# - EDR live response memory package where available

# Linux acquisition with AVML; hash the image immediately so later analysis
# can be shown to have run against the same bytes that were captured
sudo ./avml host01-memory.lime
sha256sum host01-memory.lime > host01-memory.lime.sha256

# Volatility 3 basic triage
# (the windows.* plugins below expect a Windows image; for the Linux capture
#  above, use the linux.* equivalents such as linux.pslist and linux.pstree)
python3 vol.py -f host01-memory.lime windows.info
python3 vol.py -f host01-memory.lime windows.pslist
python3 vol.py -f host01-memory.lime windows.pstree
python3 vol.py -f host01-memory.lime windows.cmdline
python3 vol.py -f host01-memory.lime windows.netscan
python3 vol.py -f host01-memory.lime windows.malfind
python3 vol.py -f host01-memory.lime windows.filescan
python3 vol.py -f host01-memory.lime windows.registry.hivelist
```
What to Look For
Process Clues
- Parent-child chains that do not match normal application behavior.
- Command lines containing encoded scripts, suspicious temp paths, or unusual LOLBins.
- Processes with missing paths, odd names, or unexpected integrity levels.
- Injected memory regions flagged by malfind.
Network Clues
- Established outbound sessions from unusual processes.
- Connections to rare domains, direct IPs, or unexpected regions.
- Listening ports that do not match installed services.
- DNS cache entries tied to incident timeline events.
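The process and network clues above can be turned into a repeatable first pass over plugin output. The script below is an added example written for this page, not code from the Volatility project: it takes rows shaped like windows.pslist/windows.cmdline and windows.netscan output, here constructed in-line as sample data, and flags the patterns listed above (unexpected parents, Office applications spawning script hosts, encoded command lines, binaries in temp or public paths, missing image paths, established sessions from processes that do not normally talk to the network, and listeners on unexpected ports). The baseline tables (expected parents, network-capable processes, expected listening ports) are assumptions for a default Windows build and should be replaced with the environment's own baseline.

```python
"""Triage helper (added example): flag process and network clues from
Volatility-style rows. All sample rows below are constructed, not case data."""
import base64
import re
from dataclasses import dataclass


@dataclass
class Proc:
    pid: int
    ppid: int
    name: str
    path: str      # empty string when pslist shows no image path
    cmdline: str


@dataclass
class Conn:
    proto: str
    local: str
    foreign: str
    state: str
    pid: int
    owner: str


# Assumed baseline for a default Windows install; replace with your own.
EXPECTED_PARENT = {
    "services.exe": {"wininit.exe"},
    "lsass.exe": {"wininit.exe"},
    "svchost.exe": {"services.exe"},
    "csrss.exe": {"smss.exe"},
}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}
NETWORK_PROCS = {"chrome.exe", "msedge.exe", "svchost.exe", "outlook.exe", "system"}
EXPECTED_LISTENERS = {135, 139, 445, 3389}

# "-enc <base64>" style PowerShell switches, and binaries living in scratch paths.
ENCODED_RE = re.compile(r"(?i)\s-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})")
TEMP_RE = re.compile(r"(?i)\\(?:temp|appdata\\local\\temp|users\\public|programdata)\\")


def process_findings(procs):
    """Return (pid, rule, detail) tuples for process-tree and command-line clues."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        parent = by_pid.get(p.ppid)
        pname = parent.name.lower() if parent else "<missing>"
        lname = p.name.lower()
        if lname in EXPECTED_PARENT and pname not in EXPECTED_PARENT[lname]:
            findings.append((p.pid, "unexpected-parent", f"{p.name} spawned by {pname}"))
        if lname in SCRIPT_HOSTS and pname in OFFICE_APPS:
            findings.append((p.pid, "office-spawned-interpreter", f"{pname} -> {p.name}"))
        m = ENCODED_RE.search(p.cmdline)
        if m:
            # PowerShell -enc payloads are base64 over UTF-16LE text.
            try:
                decoded = base64.b64decode(m.group(1)).decode("utf-16-le", "replace")
            except Exception:
                decoded = "<not base64>"
            findings.append((p.pid, "encoded-command", decoded[:80]))
        if TEMP_RE.search(p.path) or TEMP_RE.search(p.cmdline):
            findings.append((p.pid, "temp-path", p.path or p.cmdline))
        if not p.path:
            findings.append((p.pid, "missing-image-path", p.name))
    return findings


def network_findings(conns, procs):
    """Return (pid, rule, detail) tuples for netscan rows worth a second look."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for c in conns:
        owner = (by_pid[c.pid].name if c.pid in by_pid else c.owner).lower()
        if c.state == "ESTABLISHED" and owner not in NETWORK_PROCS:
            findings.append((c.pid, "unusual-outbound", f"{owner} -> {c.foreign}"))
        if c.state == "LISTENING":
            port = int(c.local.rsplit(":", 1)[1])
            if port not in EXPECTED_LISTENERS:
                findings.append((c.pid, "unexpected-listener", f"{owner} on {c.local}"))
    return findings


# Constructed sample rows. The encoded command is a harmless "Get-Process".
ENC_SAMPLE = base64.b64encode("Get-Process".encode("utf-16-le")).decode()
SAMPLE_PROCS = [
    Proc(480, 400, "wininit.exe", r"C:\Windows\System32\wininit.exe", "wininit.exe"),
    Proc(560, 480, "services.exe", r"C:\Windows\System32\services.exe", "services.exe"),
    Proc(600, 480, "lsass.exe", r"C:\Windows\System32\lsass.exe", "lsass.exe"),
    Proc(900, 560, "svchost.exe", r"C:\Windows\System32\svchost.exe", "svchost.exe -k netsvcs"),
    Proc(2100, 1800, "explorer.exe", r"C:\Windows\explorer.exe", "explorer.exe"),
    Proc(4321, 2100, "winword.exe", r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "WINWORD.EXE /n"),
    Proc(4460, 4321, "powershell.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
         f"powershell.exe -nop -w hidden -enc {ENC_SAMPLE}"),
    Proc(4400, 4460, "svchost.exe", r"C:\Users\Public\svchost.exe", r"C:\Users\Public\svchost.exe"),
    Proc(4500, 2100, "notepad.exe", "", "notepad.exe"),
]
SAMPLE_CONNS = [
    Conn("TCPv4", "10.0.0.5:49811", "203.0.113.10:443", "ESTABLISHED", 4460, "powershell.exe"),
    Conn("TCPv4", "10.0.0.5:49820", "198.51.100.7:443", "ESTABLISHED", 3100, "chrome.exe"),
    Conn("TCPv4", "0.0.0.0:8888", "0.0.0.0:0", "LISTENING", 4400, "svchost.exe"),
    Conn("TCPv4", "0.0.0.0:445", "0.0.0.0:0", "LISTENING", 4, "System"),
]

if __name__ == "__main__":
    for pid, rule, detail in process_findings(SAMPLE_PROCS) + network_findings(SAMPLE_CONNS, SAMPLE_PROCS):
        print(f"pid {pid:<6} {rule:<28} {detail}")
```

Every finding is a lead to confirm against EDR telemetry and logs, not a verdict: the rules only encode what the page lists as worth looking at, and a real baseline will have legitimate exceptions (a management agent that listens on a non-standard port, for example) that belong in the tables rather than in the analyst's head.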
Analysis Notes Template
```yaml
artifact: memory-image
host: host01.example.local
image_hash_sha256: <SHA256>
plugins_run:
  - windows.info
  - windows.pslist
  - windows.pstree
  - windows.cmdline
  - windows.netscan
  - windows.malfind
high_value_observations:
  - pid 4321 spawned unusual script interpreter at 2026-05-26T14:31Z
  - outbound session to rare destination observed in memory and firewall logs
follow_up:
  - acquire disk image for host01
  - export EDR process tree around first seen timestamp
  - compare network indicators against proxy and DNS logs
```
Correlate, Don't Overclaim
Memory artifacts are strongest when correlated with endpoint telemetry, DNS/proxy logs, authentication events, and file-system timestamps. Record plugin versions and image hashes so another analyst can reproduce your findings.