memory-forensics

Master memory forensics techniques including memory acquisition, process analysis, and artifact extraction using Volatility and related tools. Use when analyzing memory dumps, investigating incidents, or performing malware analysis from RAM captures.

Category

Other Tools

Install

Download and extract to your skills directory

Copy the command and send it to OpenClaw for auto-install:

Download and install this skill https://openskills.cc/api/download?slug=sickn33-skills-memory-forensics&locale=en&source=copy

Memory Forensics - Memory Forensics Techniques

Skills Overview

Memory Forensics provides comprehensive guidance on memory forensics techniques, covering memory acquisition, process analysis, artifact extraction, and malware detection. It uses the Volatility 3 framework to help security analysts perform incident response and threat hunting.

Use Cases

  • Incident Response and Case Investigation — When a system is compromised or suspected of being infected by malware, analyzing memory dumps can quickly identify malicious activity, extract malicious samples, and reconstruct the attack timeline—providing critical evidence for incident handling.
  • Malware Reverse Engineering — Extract malicious code from runtime memory, decrypt configuration data, analyze process injection techniques, and identify C2 communication characteristics to support a deeper understanding of malware behavior.
  • Threat Hunting and Detection Engineering — Proactively scan memory for persistence mechanisms, look for hidden processes, detect rootkit indicators, and create memory detection rules to enhance security detection capabilities.
Core Features

  • Cross-Platform Memory Acquisition — Covers memory collection methods and tool usage for Windows (WinPmem, DumpIt), Linux (LiME, a loadable kernel module that has to be built against the running kernel), macOS (osxpmem, a kernel extension that current macOS releases refuse to load without relaxing system-integrity protections, so a VM snapshot is often the practical route) and virtual machines (VMware .vmem/.vmsn snapshot files, VirtualBox's debugvm dumpvmcore command, QEMU's dump-guest-memory monitor command). Whatever the method, hash the image immediately after capture and record the hash together with the tool, version and acquisition time, because the image cannot be reproduced later.
  • In-Depth Analysis with Volatility 3 — Provides complete plugin usage workflows (Volatility 3 plugins are namespaced by OS, e.g. windows.pslist, linux.pslist) for process analysis (pslist, pstree, psscan, and the comparison of pslist against psscan that exposes processes unlinked from the kernel's process list), network connections (netscan), DLL/module detection (dlllist, ldrmodules, modules), memory injection detection (malfind), and artifact extraction from registry hives (registry.hivelist, registry.printkey) and cached files (filescan, dumpfiles).
  • Detection Patterns and Workflows — Includes hands-on guidance for a malware analysis workflow, a standard incident response procedure, process injection detection patterns, rootkit identification methods, YARA rule writing and scanning (yarascan, windows.vadyarascan), string analysis (running strings over the image and mapping hits back to processes with windows.strings), and more.
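The hidden-process and rootkit checks listed above come down to comparing two views of the same image: what windows.pslist gets by walking the kernel's linked process list and what windows.psscan gets by carving process objects out of pool memory, plus a sanity check of parent/child relationships for core Windows processes. The script below is an added example for this page, not code from the skill or from Volatility 3. It assumes both plugins were run with Volatility 3's JSON renderer (-r json) and that rows carry the PID, PPID, ImageFileName and ExitTime columns (names as emitted by current Volatility 3; check them against your version). The rows it works on are constructed sample data, not output from a real image.

```python
"""Cross-reference Volatility 3 windows.pslist and windows.psscan output.

Added example; not part of the memory-forensics skill or of Volatility 3.
Assumed input (column names are an assumption, verify against your version):

    vol -f mem.raw -r json windows.pslist > pslist.json
    vol -f mem.raw -r json windows.psscan > psscan.json
"""
import json

# Parent a core Windows process is expected to have (the "know normal, find evil"
# relationships). Assumption: names are compared case-insensitively.
EXPECTED_PARENT = {
    "smss.exe": "system",
    "wininit.exe": "smss.exe",
    "services.exe": "wininit.exe",
    "lsass.exe": "wininit.exe",
    "svchost.exe": "services.exe",
}

# Constructed pslist rows: what walking the EPROCESS ActiveProcessLinks list returned.
PSLIST_JSON = json.dumps([
    {"PID": 4,    "PPID": 0,    "ImageFileName": "System",       "ExitTime": None},
    {"PID": 600,  "PPID": 4,    "ImageFileName": "smss.exe",     "ExitTime": None},
    {"PID": 700,  "PPID": 688,  "ImageFileName": "wininit.exe",  "ExitTime": None},
    {"PID": 800,  "PPID": 700,  "ImageFileName": "services.exe", "ExitTime": None},
    {"PID": 812,  "PPID": 700,  "ImageFileName": "lsass.exe",    "ExitTime": None},
    {"PID": 1000, "PPID": 800,  "ImageFileName": "svchost.exe",  "ExitTime": None},
    {"PID": 3500, "PPID": 2900, "ImageFileName": "explorer.exe", "ExitTime": None},
    {"PID": 2300, "PPID": 3500, "ImageFileName": "svchost.exe",  "ExitTime": None},
])

# Constructed psscan rows: pool carving also finds an svchost.exe that is not in the
# linked list (DKOM-style hiding) and a process that merely exited and still
# lingers in pool memory (a benign difference that must be filtered out).
PSSCAN_JSON = json.dumps(json.loads(PSLIST_JSON) + [
    {"PID": 4132, "PPID": 1000, "ImageFileName": "svchost.exe", "ExitTime": None},
    {"PID": 5000, "PPID": 3500, "ImageFileName": "notepad.exe", "ExitTime": "2024-03-01 10:15:02"},
])


def flatten(records):
    """Flatten Volatility 3 JSON output; tree renderers nest rows under "__children"."""
    out = []
    for rec in records:
        kids = rec.pop("__children", None)
        out.append(rec)
        if kids:
            out.extend(flatten(kids))
    return out


def load_vol_json(text):
    return flatten(json.loads(text))


def hidden_processes(pslist, psscan):
    """Rows psscan carved that pslist's list walk never saw, ignoring exited processes."""
    listed = {r["PID"] for r in pslist}
    return [r for r in psscan if r["PID"] not in listed and not r.get("ExitTime")]


def parent_anomalies(pslist):
    """(pid, name, actual parent, expected parent) for core processes with the wrong parent."""
    by_pid = {r["PID"]: r for r in pslist}
    findings = []
    for r in pslist:
        expected = EXPECTED_PARENT.get(r["ImageFileName"].lower())
        if expected is None:
            continue
        parent = by_pid.get(r["PPID"])
        if parent is None:
            continue  # parent already exited (normal for wininit/csrss); pslist alone cannot judge
        if parent["ImageFileName"].lower() != expected:
            findings.append((r["PID"], r["ImageFileName"], parent["ImageFileName"], expected))
    return findings


def triage(pslist_text, psscan_text):
    pslist = load_vol_json(pslist_text)
    psscan = load_vol_json(psscan_text)
    return {
        "hidden": [(r["PID"], r["ImageFileName"]) for r in hidden_processes(pslist, psscan)],
        "parent_anomalies": parent_anomalies(pslist),
    }


if __name__ == "__main__":
    for key, items in triage(PSLIST_JSON, PSSCAN_JSON).items():
        print(key)
        for item in items:
            print("  ", item)
```

On the constructed data the script reports PID 4132 as hidden (present in psscan, absent from pslist, no exit time) and flags PID 2300 because an svchost.exe whose parent is explorer.exe rather than services.exe is a classic masquerading indicator. A process whose parent has exited is deliberately not flagged; use windows.pstree and the CreateTime column to follow those up.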
Frequently Asked Questions

    What’s the difference between Memory Forensics and Disk Forensics?

    Memory forensics analyzes a system's runtime state (RAM). It captures information that never reaches disk or is encrypted there: running processes and their command lines, open network connections, loaded and injected code, decrypted malware configuration, clipboard contents, unsaved documents, and credentials held in cleartext by processes such as LSASS. Disk forensics analyzes persistently stored data. They complement each other and are typically used together in investigations; because RAM changes constantly and is lost at power-off, the memory image is acquired first, before disk imaging or live triage that would alter it.

    Which operating systems does Volatility 3 support?

    Volatility 3 supports memory analysis for Windows (from XP through Windows 11), Linux, and macOS. Each image needs a symbol table (ISF JSON) matching its exact kernel build: for Windows, Volatility 3 fetches the PDB from Microsoft's symbol server and converts it automatically when it has network access; for Linux and macOS you generate the ISF yourself with dwarf2json from the kernel's debug symbols, and a missing or mismatched table is the most common reason a Linux or macOS plugin fails its requirements check. Windows analysis is the most mature, with the richest plugin set; Linux covers common distributions provided you can obtain matching symbols; macOS support is relatively limited but still usable.

    How do you detect process injection in memory?

    Using Volatility 3's windows.malfind plugin, you can list memory regions that carry the classic injection signature: private (not file-backed) memory whose protection is both writable and executable, typically PAGE_EXECUTE_READWRITE. For each hit malfind dumps and disassembles the first bytes: an MZ header there points to an injected PE or reflectively loaded DLL, and a short prologue that immediately calls into position-independent code points to shellcode. Follow up with windows.vadinfo to review the protection and file backing of every region in the process (malfind keys on write plus execute, so a region whose protection was changed to PAGE_EXECUTE_READ after the payload was written is not reported), and with windows.dlllist and windows.ldrmodules to spot DLLs unlinked from the loader lists or loaded from unusual paths. Expect benign hits from JIT engines (.NET, browsers), so dump suspicious regions with malfind --dump or windows.vaddump and confirm with YARA or manual inspection before calling it injection.
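The checks described in this answer, written out as an added example for this page (not the skill's code and not Volatility's malfind), so the order of the heuristics and their blind spots are explicit. It assumes you have already collected, per VAD region, the protection string and the private/file-backed flag (windows.vadinfo) and the first bytes of the region (malfind --dump or windows.vaddump). Every region below is constructed; the stager prologue bytes are the widely documented Metasploit-style cld/call openings and are matched as plain byte prefixes, which is an assumption of this example rather than something malfind does.

```python
"""Malfind-style triage of per-process memory regions.

Added example; not the skill's code and not Volatility's windows.malfind.
Input format (an assumption of this example): one dict per VAD region with
pid, start, protection string, private flag and the region's leading bytes.
"""
import struct

# Constructed: byte prefixes commonly seen at the start of position-independent
# stager shellcode. Matched verbatim at offset 0 (assumption for this example).
SHELLCODE_PROLOGUES = {
    b"\xfc\xe8":                 "x86 cld; call prologue",
    b"\xfc\x48\x83\xe4\xf0\xe8": "x64 cld; and rsp,-16; call prologue",
}

SEVERITY_RANK = {"high": 3, "medium": 2, "low": 1}


def fake_pe_header():
    """Constructed MZ/PE stub: e_lfanew at 0x3C points at 'PE\\0\\0' placed at 0x40."""
    return b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"\x00" * 0x10


def pe_indicator(data):
    """'pe' if an MZ header with a reachable PE signature starts the region,
    'mz-only' if just the MZ stub is present (truncated dump or stomped header), else None."""
    if len(data) < 2 or data[:2] != b"MZ":
        return None
    if len(data) >= 0x40:
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
            return "pe"
    return "mz-only"


def triage_region(region):
    """Apply malfind's criterion (private + write + execute) plus the follow-up
    checks an analyst runs on the dumped bytes; returns indicators and a severity."""
    prot = region["protection"]
    executable = "EXECUTE" in prot
    writable = "WRITE" in prot
    data = region["data"]
    result = {"pid": region["pid"], "start": region["start"], "indicators": [], "severity": None}

    if not executable or not region["private"]:
        # Image sections (file-backed, PAGE_EXECUTE_WRITECOPY) and plain data are
        # outside malfind's scope; odd DLL paths are dlllist/ldrmodules' job.
        return result

    if writable:
        result["indicators"].append("private RWX region (malfind criterion)")
    else:
        # Payload written as RW and then flipped to RX with VirtualProtect:
        # malfind does not report it, so it deserves a manual look.
        result["indicators"].append("private RX region (not reported by malfind)")

    pe = pe_indicator(data)
    if pe == "pe":
        result["indicators"].append("PE header in non-image memory (injected/reflective DLL)")
    elif pe == "mz-only":
        result["indicators"].append("MZ stub without reachable PE signature")

    shellcode = False
    for prefix, desc in SHELLCODE_PROLOGUES.items():
        if data.startswith(prefix):
            result["indicators"].append("shellcode prologue: " + desc)
            shellcode = True
            break

    if pe or shellcode:
        result["severity"] = "high"
    elif writable:
        result["severity"] = "medium"  # RWX with unremarkable bytes: often JIT (.NET, browsers); dump and confirm
    else:
        result["severity"] = "low"
    return result


def triage_all(regions):
    """Regions with at least one indicator, most severe first, then by pid and address."""
    hits = [h for h in (triage_region(r) for r in regions) if h["indicators"]]
    hits.sort(key=lambda h: (-SEVERITY_RANK[h["severity"]], h["pid"], h["start"]))
    return hits


# Constructed regions: the process image itself, an injected DLL, an RX stager,
# a heap block and a JIT-looking RWX block.
SAMPLE_REGIONS = [
    {"pid": 1000, "start": 0x7FF6A0000000, "protection": "PAGE_EXECUTE_WRITECOPY",
     "private": False, "data": fake_pe_header()},
    {"pid": 1000, "start": 0x01A30000, "protection": "PAGE_EXECUTE_READWRITE",
     "private": True, "data": fake_pe_header()},
    {"pid": 2300, "start": 0x002B0000, "protection": "PAGE_EXECUTE_READ",
     "private": True, "data": b"\xfc\x48\x83\xe4\xf0\xe8\xc0\x00\x00\x00\x41\x51"},
    {"pid": 1000, "start": 0x00500000, "protection": "PAGE_READWRITE",
     "private": True, "data": b"\x00" * 64},
    {"pid": 3500, "start": 0x00900000, "protection": "PAGE_EXECUTE_READWRITE",
     "private": True, "data": b"\x48\x89\x5c\x24\x08\x57\x48\x83\xec\x20"},
]

if __name__ == "__main__":
    for hit in triage_all(SAMPLE_REGIONS):
        print(f"pid {hit['pid']} @ {hit['start']:#x} [{hit['severity']}]: {'; '.join(hit['indicators'])}")
```

Run against the constructed regions, the RWX region carrying a PE header and the RX region starting with the x64 stager prologue both come out as high, the RWX region with ordinary-looking code is reported as medium so it is confirmed rather than assumed benign, and the file-backed image section and the heap block produce nothing. The RX case is the one malfind itself stays silent on, which is why the protection review with vadinfo is part of the workflow.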