Memory Forensics

Overview

Memory forensics involves capturing and analyzing the contents of volatile memory (RAM). Unlike disk forensics, memory analysis reveals runtime state — running processes, network connections, loaded modules, encryption keys, and injected code that may never touch disk. Memory forensics is critical for detecting fileless malware, rootkits, and in-memory-only indicators of compromise.

Topics in This Section

  • Memory Acquisition — capturing RAM from live systems and virtual machines while preserving volatile evidence
  • Volatility Framework — using Volatility 3 for comprehensive memory analysis on Windows and Linux images
  • Process Analysis — examining process trees, loaded modules, handles, and command-line arguments
  • Memory-Based Malware Hunting — detecting injected code, hollowed processes, rootkits, and suspicious memory regions

General Approach

Incident detected / live system available
    │
    ├── Acquire memory dump
    │   ├── Linux: /proc/kcore, LiME, AVML
    │   ├── Windows: WinPmem, DumpIt, FTK Imager
    │   └── VMs: snapshot + vmem extraction
    │
    ├── Identify OS profile / symbol tables
    │   └── vol -f dump.raw windows.info (Windows) / banners.Banners (Linux kernel banner for symbol-table lookup)
    │
    ├── Process analysis
    │   ├── Process listing (PsList, PsTree, PsScan)
    │   ├── DLL and module enumeration
    │   ├── Command-line arguments
    │   └── Network connections
    │
    ├── Malware hunting
    │   ├── Malfind → injected code detection
    │   ├── LdrModules → hidden DLLs
    │   ├── SSDT / IDT hooks
    │   └── YARA scanning in memory
    │
    └── Extract artifacts (files, registry, credentials)