Advanced Memory Foren

Advanced Memory Forensics — The Science of Digital Resurrection

Memory forensics is the art of extracting evidence directly from RAM — the battlefield where malware executes, hides, and dies. Unlike disk forensics, memory analysis reveals what actually ran, not just what was stored.

This guide walks through acquisition, parsing, timeline reconstruction, injection detection, and live threat hunting using Volatility 3, Rekall, and related tools.

I. 🧩 Core Concepts

II. ⚙️ Memory Acquisition

🧠 1. Capture Memory Safely

Windows

winpmem.exe --output memdump.raw

Linux

sudo lime -o /mnt/memdump.lime -f raw

MacOS

osxpmem --output mem.raw

⚙️ 2. Validate Integrity

sha256sum memdump.raw

Always hash before and after transfer.

III. ⚙️ Environment Setup

IV. ⚙️ Basic Memory Triage

🧩 1. Identify OS / Profile

volatility3 -f memdump.raw windows.info

⚙️ 2. Process Listing

volatility3 -f memdump.raw windows.pslist

Example output:

System
explorer.exe
svchost.exe
malware.exe (PID 3141)

🧠 3. Cross-check Hidden Processes

volatility3 -f memdump.raw windows.psscan

If process exists in psscan but not in pslist → hidden/injected process.

V. ⚙️ Deep Process Inspection

🧩 1. View Command Lines

volatility3 -f memdump.raw windows.cmdline

⚙️ 2. Loaded DLLs

volatility3 -f memdump.raw windows.dlllist --pid 3141

Look for DLLs not from System32 or with suspicious paths like:

C:\Users\Public\evil.dll

🧠 3. Network Connections

volatility3 -f memdump.raw windows.netstat

Output example:

PID 3141  TCP 192.168.1.10:4444 -> 45.66.99.12:80

→ Indicates C2 beaconing.

VI. ⚙️ Injection & Hollowing Detection

🧩 1. Malfind (Core Plugin)

volatility3 -f memdump.raw windows.malfind

Highlights:

• Suspicious memory pages (PAGE_EXECUTE_READWRITE)

• Non-module code

• Hidden shellcode segments

⚙️ 2. Dump Injected Memory

volatility3 -f memdump.raw windows.malfind --dump

Saves .dmp files for deeper analysis in IDA/Ghidra.

💣 3. Hollowed Processes

Check parent-child mismatches:

volatility3 -f memdump.raw windows.pstree

Example:

explorer.exe → svchost.exe → calc.exe

If calc.exe shouldn’t exist → likely hollowed.

VII. ⚙️ Credential & Secrets Extraction

🧠 1. Dump LSASS

volatility3 -f memdump.raw windows.lsassextract

⚙️ 2. Extract Plaintext Passwords

volatility3 -f memdump.raw windows.hashdump

⚙️ 3. Manual LSASS Dump

volatility3 -f memdump.raw windows.memmap --pid <lsass_pid>

Dump for Mimikatz offline parsing.

VIII. ⚙️ Registry & Persistence in Memory

🧩 1. Extract Registry Hives

volatility3 -f memdump.raw windows.registry.hivelist

⚙️ 2. Query Autorun Keys

volatility3 -f memdump.raw windows.registry.printkey --key "Software\Microsoft\Windows\CurrentVersion\Run"

🧠 3. UserAssist Artifacts

volatility3 -f memdump.raw windows.registry.userassist

Lists programs recently executed by user.

IX. ⚙️ Memory Strings and Artifact Mining

🧩 1. Search for Indicators

strings -a memdump.raw | grep -i "http"
strings memdump.raw | grep -i "flag"

⚙️ 2. Extract Keys or Commands

strings memdump.raw | grep -i "cmd.exe /c"
strings memdump.raw | grep -i "password="

🧠 3. YARA Scanning

yara -r malware_rules.yar memdump.raw

X. ⚙️ Timeline Reconstruction

🧩 1. Process Creation Timeline

volatility3 -f memdump.raw windows.psscan --output text | sort -k4

⚙️ 2. File Handles Timeline

volatility3 -f memdump.raw windows.handles

🧠 3. Combine for Attack Chain

Correlate:

• Process creation

• File writes

• Network connections

Result → full adversary timeline.

XI. ⚙️ Browser & User Data Recovery

🧩 1. Dump Browser History

volatility3 -f memdump.raw windows.chromehistory

⚙️ 2. Extract Clipboard

volatility3 -f memdump.raw windows.clipboard

💣 3. Search for Exfiltrated Data

strings memdump.raw | grep -i "ftp://"
strings memdump.raw | grep -i "base64,"

XII. ⚙️ Memory-Based Persistence & Rootkits

🧠 1. Check Kernel Hooks

volatility3 -f memdump.raw windows.driverirp
volatility3 -f memdump.raw windows.ssdt

If unexpected functions are hooked → rootkit present.

⚙️ 2. Loaded Drivers

volatility3 -f memdump.raw windows.driverscan

Suspicious indicators:

driver.sys  Unknown vendor

XIII. ⚙️ Live Memory Hunting (Threat Intel Ops)

🧩 1. Memory Mounting

memprocfs memdump.raw /mnt/memfs

Explore live:

ls /mnt/memfs/Processes/
cat /mnt/memfs/Processes/3141/memory

⚙️ 2. Compare Memory vs Disk

sha256sum /mnt/memfs/Processes/3141/exe > hash.txt
sha256sum /c/Windows/System32/svchost.exe

→ Hash mismatch → in-memory tampering.

XIV. ⚙️ Automation and Scripting

🧠 1. Python Script Example

import subprocess
plugins = ['windows.pslist', 'windows.malfind', 'windows.netstat']
for p in plugins:
    subprocess.run(['volatility3', '-f', 'memdump.raw', p])

⚙️ 2. Batch Command Example

for plugin in windows.pslist windows.netstat windows.malfind; do
  volatility3 -f memdump.raw $plugin >> report.txt
done

XV. ⚙️ Forensic Correlation Matrix

XVI. ⚙️ Memory Forensics with Volatility Plugins

XVII. ⚔️ Pro Tips & Operator Tricks

✅ Always Use pslist + psscan Together Comparing both reveals stealth processes.

✅ Malfind = Goldmine Every injection leaves a traceable memory region.

✅ Memory Hash Comparison Check hash mismatches between memory-executed and on-disk binaries.

✅ Dump First, Analyze Later Even if tools update, your dump remains valid forever.

✅ YARA + Memory = Instant Intel Scan volatile dumps with up-to-date threat signatures.

✅ Correlate Across Artifacts Registry + Process Tree + Network → attacker story reconstruction.

✅ Volatility3 FTW No profiles, automatic plugin mapping, and improved parsing for modern Windows versions.

XVIII. ⚙️ Quick Reference Table