Open Skills Logo
Open Skills

memory-forensics

Master memory forensics techniques including memory acquisition, process analysis, and artifact extraction using Volatility and related tools. Use when analyzing memory dumps, investigating incidents, or performing malware analysis from RAM captures.

View Source
name:memory-forensicsdescription:Master memory forensics techniques including memory acquisition, process analysis, and artifact extraction using Volatility and related tools. Use when analyzing memory dumps, investigating incidents, or performing malware analysis from RAM captures.

Memory Forensics

Comprehensive techniques for acquiring, analyzing, and extracting artifacts from memory dumps for incident response and malware analysis.

Use this skill when

  • Working on memory forensics tasks or workflows

  • Needing guidance, best practices, or checklists for memory forensics

    • Do not use this skill when

  • The task is unrelated to memory forensics

  • You need a different domain or tool outside this scope

    • Instructions

  • Clarify goals, constraints, and required inputs.

  • Apply relevant best practices and validate outcomes.

  • Provide actionable steps and verification.

  • If detailed examples are required, open resources/implementation-playbook.md.

    • Memory Acquisition

    Live Acquisition Tools

    Windows

    # WinPmem (Recommended)
    winpmem_mini_x64.exe memory.raw
    DumpIt

    DumpIt.exe
    Belkasoft RAM Capturer

    GUI-based, outputs raw format
    Magnet RAM Capture

    GUI-based, outputs raw format

    Linux

    # LiME (Linux Memory Extractor)
    sudo insmod lime.ko "path=/tmp/memory.lime format=lime"
    /dev/mem (limited, requires permissions)

    sudo dd if=/dev/mem of=memory.raw bs=1M
    /proc/kcore (ELF format)

    sudo cp /proc/kcore memory.elf

    macOS

    # osxpmem
    sudo ./osxpmem -o memory.raw
    MacQuisition (commercial)

    Virtual Machine Memory

    # VMware: .vmem file is raw memory
    cp vm.vmem memory.raw
    VirtualBox: Use debug console

    vboxmanage debugvm "VMName" dumpvmcore --filename memory.elf
    QEMU

    virsh dump <domain> memory.raw --memory-only
    Hyper-V

    Checkpoint contains memory state

    Volatility 3 Framework

    Installation and Setup

    # Install Volatility 3
    pip install volatility3
    Install symbol tables (Windows)

    Download from https://downloads.volatilityfoundation.org/volatility3/symbols/
    Basic usage

    vol -f memory.raw <plugin>
    With symbol path

    vol -f memory.raw -s /path/to/symbols windows.pslist

    Essential Plugins

    Process Analysis

    # List processes
    vol -f memory.raw windows.pslist
    Process tree (parent-child relationships)

    vol -f memory.raw windows.pstree
    Hidden process detection

    vol -f memory.raw windows.psscan
    Process memory dumps

    vol -f memory.raw windows.memmap --pid <PID> --dump
    Process environment variables

    vol -f memory.raw windows.envars --pid <PID>
    Command line arguments

    vol -f memory.raw windows.cmdline

    Network Analysis

    # Network connections
    vol -f memory.raw windows.netscan
    Network connection state

    vol -f memory.raw windows.netstat

    DLL and Module Analysis

    # Loaded DLLs per process
    vol -f memory.raw windows.dlllist --pid <PID>
    Find hidden/injected DLLs

    vol -f memory.raw windows.ldrmodules
    Kernel modules

    vol -f memory.raw windows.modules
    Module dumps

    vol -f memory.raw windows.moddump --pid <PID>

    Memory Injection Detection

    # Detect code injection
    vol -f memory.raw windows.malfind
    VAD (Virtual Address Descriptor) analysis

    vol -f memory.raw windows.vadinfo --pid <PID>
    Dump suspicious memory regions

    vol -f memory.raw windows.vadyarascan --yara-rules rules.yar

    Registry Analysis

    # List registry hives
    vol -f memory.raw windows.registry.hivelist
    Print registry key

    vol -f memory.raw windows.registry.printkey --key "Software\Microsoft\Windows\CurrentVersion\Run"
    Dump registry hive

    vol -f memory.raw windows.registry.hivescan --dump

    File System Artifacts

    # Scan for file objects
    vol -f memory.raw windows.filescan
    Dump files from memory

    vol -f memory.raw windows.dumpfiles --pid <PID>
    MFT analysis

    vol -f memory.raw windows.mftscan

    Linux Analysis

    # Process listing
    vol -f memory.raw linux.pslist
    Process tree

    vol -f memory.raw linux.pstree
    Bash history

    vol -f memory.raw linux.bash
    Network connections

    vol -f memory.raw linux.sockstat
    Loaded kernel modules

    vol -f memory.raw linux.lsmod
    Mount points

    vol -f memory.raw linux.mount
    Environment variables

    vol -f memory.raw linux.envars

    macOS Analysis

    # Process listing
    vol -f memory.raw mac.pslist
    Process tree

    vol -f memory.raw mac.pstree
    Network connections

    vol -f memory.raw mac.netstat
    Kernel extensions

    vol -f memory.raw mac.lsmod

    Analysis Workflows

    Malware Analysis Workflow

    # 1. Initial process survey
    vol -f memory.raw windows.pstree > processes.txt
    vol -f memory.raw windows.pslist > pslist.txt
    2. Network connections

    vol -f memory.raw windows.netscan > network.txt
    3. Detect injection

    vol -f memory.raw windows.malfind > malfind.txt
    4. Analyze suspicious processes

    vol -f memory.raw windows.dlllist --pid <PID>
    vol -f memory.raw windows.handles --pid <PID>
    5. Dump suspicious executables

    vol -f memory.raw windows.pslist --pid <PID> --dump
    6. Extract strings from dumps

    strings -a pid.<PID>.exe > strings.txt
    7. YARA scanning

    vol -f memory.raw windows.yarascan --yara-rules malware.yar

    Incident Response Workflow

    # 1. Timeline of events
    vol -f memory.raw windows.timeliner > timeline.csv
    2. User activity

    vol -f memory.raw windows.cmdline
    vol -f memory.raw windows.consoles
    3. Persistence mechanisms

    vol -f memory.raw windows.registry.printkey \
        --key "Software\Microsoft\Windows\CurrentVersion\Run"
    4. Services

    vol -f memory.raw windows.svcscan
    5. Scheduled tasks

    vol -f memory.raw windows.scheduled_tasks
    6. Recent files

    vol -f memory.raw windows.filescan | grep -i "recent"

    Data Structures

    Windows Process Structures

    // EPROCESS (Executive Process)
    typedef struct _EPROCESS {
        KPROCESS Pcb;                    // Kernel process block
        EX_PUSH_LOCK ProcessLock;
        LARGE_INTEGER CreateTime;
        LARGE_INTEGER ExitTime;
        // ...
        LIST_ENTRY ActiveProcessLinks;   // Doubly-linked list
        ULONG_PTR UniqueProcessId;       // PID
        // ...
        PEB Peb;                        // Process Environment Block
        // ...
    } EPROCESS;
    // PEB (Process Environment Block)
    typedef struct _PEB {
        BOOLEAN InheritedAddressSpace;
        BOOLEAN ReadImageFileExecOptions;
        BOOLEAN BeingDebugged;           // Anti-debug check
        // ...
        PVOID ImageBaseAddress;          // Base address of executable
        PPEB_LDR_DATA Ldr;              // Loader data (DLL list)
        PRTL_USER_PROCESS_PARAMETERS ProcessParameters;
        // ...
    } PEB;

    VAD (Virtual Address Descriptor)

    typedef struct _MMVAD {
        MMVAD_SHORT Core;
        union {
            ULONG LongFlags;
            MMVAD_FLAGS VadFlags;
        } u;
        // ...
        PVOID FirstPrototypePte;
        PVOID LastContiguousPte;
        // ...
        PFILE_OBJECT FileObject;
    } MMVAD;
    // Memory protection flags
    #define PAGE_EXECUTE           0x10
    #define PAGE_EXECUTE_READ      0x20
    #define PAGE_EXECUTE_READWRITE 0x40
    #define PAGE_EXECUTE_WRITECOPY 0x80

    Detection Patterns

    Process Injection Indicators

    # Malfind indicators
    - PAGE_EXECUTE_READWRITE protection (suspicious)

    - MZ header in non-image VAD region

    - Shellcode patterns at allocation start
    Common injection techniques

    1. Classic DLL Injection

       - VirtualAllocEx + WriteProcessMemory + CreateRemoteThread
    2. Process Hollowing

       - CreateProcess (SUSPENDED) + NtUnmapViewOfSection + WriteProcessMemory
    3. APC Injection

       - QueueUserAPC targeting alertable threads
    4. Thread Execution Hijacking

       - SuspendThread + SetThreadContext + ResumeThread

    Rootkit Detection

    # Compare process lists
    vol -f memory.raw windows.pslist > pslist.txt
    vol -f memory.raw windows.psscan > psscan.txt
    diff pslist.txt psscan.txt  # Hidden processes
    Check for DKOM (Direct Kernel Object Manipulation)

    vol -f memory.raw windows.callbacks
    Detect hooked functions

    vol -f memory.raw windows.ssdt  # System Service Descriptor Table
    Driver analysis

    vol -f memory.raw windows.driverscan
    vol -f memory.raw windows.driverirp

    Credential Extraction

    # Dump hashes (requires hivelist first)
    vol -f memory.raw windows.hashdump
    LSA secrets

    vol -f memory.raw windows.lsadump
    Cached domain credentials

    vol -f memory.raw windows.cachedump
    Mimikatz-style extraction

    Requires specific plugins/tools

    YARA Integration

    Writing Memory YARA Rules

    rule Suspicious_Injection
    {
        meta:
            description = "Detects common injection shellcode"
        strings:
            // Common shellcode patterns
            $mz = { 4D 5A }
            $shellcode1 = { 55 8B EC 83 EC }  // Function prologue
            $api_hash = { 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 }  // Push hash, call
        condition:
            $mz at 0 or any of ($shellcode    )
    }
    rule Cobalt_Strike_Beacon
    {
        meta:
            description = "Detects Cobalt Strike beacon in memory"
        strings:
            $config = { 00 01 00 01 00 02 }
            $sleep = "sleeptime"
            $beacon = "%s (admin)" wide
        condition:
            2 of them
    }

    Scanning Memory

    # Scan all process memory
    vol -f memory.raw windows.yarascan --yara-rules rules.yar
    Scan specific process

    vol -f memory.raw windows.yarascan --yara-rules rules.yar --pid 1234
    Scan kernel memory

    vol -f memory.raw windows.yarascan --yara-rules rules.yar --kernel

    String Analysis

    Extracting Strings

    # Basic string extraction
    strings -a memory.raw > all_strings.txt
    Unicode strings

    strings -el memory.raw >> all_strings.txt
    Targeted extraction from process dump

    vol -f memory.raw windows.memmap --pid 1234 --dump
    strings -a pid.1234.dmp > process_strings.txt
    Pattern matching

    grep -E "(https?://|[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})" all_strings.txt

    FLOSS for Obfuscated Strings

    # FLOSS extracts obfuscated strings
    floss malware.exe > floss_output.txt
    From memory dump

    floss pid.1234.dmp

    Best Practices

    Acquisition Best Practices

  • Minimize footprint: Use lightweight acquisition tools

  • Document everything: Record time, tool, and hash of capture

  • Verify integrity: Hash memory dump immediately after capture

  • Chain of custody: Maintain proper forensic handling

    • Analysis Best Practices

  • Start broad: Get overview before deep diving

  • Cross-reference: Use multiple plugins for same data

  • Timeline correlation: Correlate memory findings with disk/network

  • Document findings: Keep detailed notes and screenshots

  • Validate results: Verify findings through multiple methods

    • Common Pitfalls

  • Stale data: Memory is volatile, analyze promptly

  • Incomplete dumps: Verify dump size matches expected RAM

  • Symbol issues: Ensure correct symbol files for OS version

  • Smear: Memory may change during acquisition

  • Encryption: Some data may be encrypted in memory

      • memory-forensics - Agent Skills