Memory Forensics
Sophisticated malware often resides only in memory (fileless) or hides its presence from the OS using rootkit techniques. Memory forensics allows you to take a snapshot of RAM and analyze the true state of the system, bypassing OS lies.
1. Acquiring Memory
You cannot analyze RAM if you don't capture it first.
- Virtual Machines: Pause the VM and grab the .vmem file (VMware) or use the snapshot file.
- Live Systems: Use tools like DumpIt or FTK Imager to save the contents of RAM to a file (e.g., memdump.raw).
2. Volatility 3
Volatility is the industry standard framework for memory analysis.
# Basic Usage Syntax
python3 vol.py -f <image_file> <plugin>
Essential Plugins
windows.pslist Lists running processes. Look for suspicious names or standard processes running from wrong paths (e.g., svchost.exe in /Temp).
windows.pstree Shows parent-child relationships. Look for anomalies like word.exe spawning powershell.exe.
windows.netscan Lists active network connections. Identify the C2 server IP address.
windows.malfind Scans for injected code (process hollowing/DLL injection) by looking for executable memory pages that are not backed by a file on disk.
Interactive Tool: IOC Extractor
When you run strings on a memory dump or use netscan, you get a lot of text. Use this tool to quickly pull out IPs and Domains.
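As an added example (not part of the original page or its IOC Extractor tool), the following Python script does the same job offline: it pulls IPv4 addresses and domains out of strings or windows.netscan-style output. The sample input is constructed, not a real capture; the TLD allowlist is an assumption you would extend for your own cases. It deliberately skips the things a naive regex reports as IOCs: OS version strings such as 10.0.19041.1, 0.0.0.0 listeners, and file names such as file.txt.

```python
import re
from ipaddress import IPv4Address, AddressValueError

# Constructed sample mimicking `strings` output and Volatility 3
# windows.netscan rows (not from a real memory image).
SAMPLE = """\
0x9a8c5e0  TCPv4  192.168.1.5  49712  203.0.113.7  443  ESTABLISHED  4512  svchost.exe
0x9a8d1f0  TCPv4  0.0.0.0      135    0.0.0.0      0    LISTENING    880   svchost.exe
Windows 10.0.19041.1 Build
https://update.example-cdn.net/agent.bin
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0)
beacon.evil-example.com
file.txt
"""

# Dotted quad not embedded in a longer dotted number (rejects 10.0.19041.1).
IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
# Hostname labels followed by an alphabetic TLD.
DOMAIN_RE = re.compile(r"\b((?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63})\b", re.I)
# Assumed allowlist; keeps file extensions like .txt/.exe/.bin out of the domain list.
TLDS = {"com", "net", "org", "io", "ru", "cn", "info", "biz", "xyz", "top"}

def extract_ipv4(text):
    found = set()
    for m in IPV4_RE.finditer(text):
        try:
            ip = IPv4Address(m.group(1))
        except AddressValueError:
            continue  # octet > 255, e.g. 300.1.2.3
        if ip.is_unspecified or ip.is_loopback:
            continue  # 0.0.0.0 listeners and 127.x noise are not C2 candidates
        found.add(str(ip))
    return sorted(found)

def extract_domains(text):
    found = set()
    for m in DOMAIN_RE.finditer(text):
        name = m.group(1).lower()
        if name.rsplit(".", 1)[-1] in TLDS:
            found.add(name)
    return sorted(found)

def extract_iocs(text):
    return {"ipv4": extract_ipv4(text), "domains": extract_domains(text)}

if __name__ == "__main__":
    for kind, values in extract_iocs(SAMPLE).items():
        print(kind, values)
```

Feed it the output of `strings memdump.raw` or a saved netscan listing and triage the hits against the process list before treating any of them as a C2 indicator.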