Memory Forensics

Volatility Framework & RAM Analysis

Section 6 of 12

Why Memory Forensics?

Volatile Evidence

RAM contains live system state - running processes, network connections, encryption keys, passwords, and malware that never touches disk.

What's in Memory?

  • Running processes and DLLs
  • Network connections
  • Registry keys in use
  • Passwords and encryption keys
  • Malware (fileless attacks)
  • Command history

Use Cases

Malware Analysis

Detect fileless malware, rootkits, and code injection

Incident Response

Capture live system state during active breach

Data Recovery

Extract passwords, keys, and sensitive data

⚠️ Critical

Memory is lost on shutdown! Capture immediately during incident response.

Memory Acquisition Tools

WinPMEM (Windows)

Open-source memory acquisition tool for Windows by Google

# Acquire memory to file
winpmem_mini_x64.exe memory.raw

# With compression
winpmem_mini_x64.exe -o memory.aff4

LiME (Linux Memory Extractor)

Loadable kernel module for Linux memory acquisition

# Load LiME module
sudo insmod lime.ko "path=/evidence/memory.lime format=lime"

# Over network
sudo insmod lime.ko "path=tcp:4444 format=lime"

FTK Imager (GUI)

User-friendly tool with live memory capture feature

  • File → Capture Memory
  • Choose destination and filename
  • Creates both memory dump and pagefile
  • Automatic verification

Volatility Framework

Volatility is the industry-standard open-source framework for memory analysis. Supports Windows, Linux, and Mac memory dumps.

Volatility 2

Python 2.7-based (legacy but widely used)

vol.py -f memory.raw imageinfo

Volatility 3

Python 3, faster, better symbol support

vol -f memory.raw windows.info

Essential Volatility Commands

# Identify OS profile
vol.py -f memory.raw imageinfo

# List running processes
vol.py -f memory.raw --profile=Win7SP1x64 pslist

# Scan for hidden processes
vol.py -f memory.raw --profile=Win7SP1x64 psscan

# View network connections
vol.py -f memory.raw --profile=Win7SP1x64 netscan

# Dump process memory
vol.py -f memory.raw --profile=Win7SP1x64 memdump -p 1234 -D output/

Process Analysis & Detection

Key Commands

  • pslist - Active processes
  • psscan - Scan for hidden processes
  • pstree - Process hierarchy
  • dlllist - Loaded DLLs per process
  • handles - Open file/registry handles
  • cmdline - Command line arguments

What to Look For

🚩 Suspicious Indicators

  • Processes with no parent (PPID orphaned)
  • Unusual process names or paths
  • Code injection (DLL injection)
  • Processes running from temp directories
  • Misspelled system processes
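The checklist above can be applied mechanically once pslist/psscan and cmdline output has been collated into one table. The following is an added example, not part of the original material or of the Volatility project: it takes constructed process rows (PID, PPID, image name, image path) and returns which of the indicators fire for each process. The expected-directory table and the 0.8 similarity cutoff are assumptions chosen for illustration.

```python
import difflib
from typing import NamedTuple

# Where each core Windows process legitimately lives (assumed table): the right name
# in the wrong directory, or a near-miss on one of these names, is a masquerading hint.
SYS32 = "c:\\windows\\system32\\"
SYSTEM_PROCESSES = {n: SYS32 for n in ("smss.exe", "csrss.exe", "wininit.exe",
                                       "services.exe", "lsass.exe", "svchost.exe")}
SYSTEM_PROCESSES.update({"system": None, "explorer.exe": "c:\\windows\\"})

# pid/ppid/name come from pslist or psscan, path from cmdline
Proc = NamedTuple("Proc", [("pid", int), ("ppid", int), ("name", str), ("path", str)])

def flag_process(p: Proc, pid_table: set) -> list:
    """Return the indicator names from the checklist that apply to one process."""
    hits = []
    lname, lpath = p.name.lower(), p.path.lower()
    directory = lpath.rsplit("\\", 1)[0] + "\\" if "\\" in lpath else ""
    # 1. Orphaned: parent PID absent from the table. PPID 0 is the kernel, and
    #    explorer.exe is a known benign orphan because userinit.exe exits early.
    if p.ppid != 0 and p.ppid not in pid_table and lname != "explorer.exe":
        hits.append("orphaned-parent")
    # 2. Image loaded from a temp directory
    if any(m in lpath for m in ("\\temp\\", "\\tmp\\")):
        hits.append("temp-directory")
    # 3. Genuine system process name, but not in its expected directory
    expected = SYSTEM_PROCESSES.get(lname)
    if expected and directory != expected:
        hits.append("system-name-unusual-path")
    # 4. Not a system name, yet close enough to one to be a typo-squat ("scvhost.exe")
    if lname not in SYSTEM_PROCESSES and difflib.get_close_matches(lname, SYSTEM_PROCESSES, n=1, cutoff=0.8):
        hits.append("misspelled-system-name")
    return hits

def triage(procs: list) -> dict:
    """Map PID -> indicator list for every process that triggered at least one."""
    pid_table = {p.pid for p in procs}
    return {p.pid: h for p in procs if (h := flag_process(p, pid_table))}

# Constructed sample rows (not from a real image), collated as you would from pslist + cmdline.
SAMPLE = [
    Proc(4, 0, "System", ""),
    Proc(248, 4, "smss.exe", "C:\\Windows\\System32\\smss.exe"),
    Proc(428, 248, "wininit.exe", "C:\\Windows\\System32\\wininit.exe"),
    Proc(436, 428, "services.exe", "C:\\Windows\\System32\\services.exe"),
    Proc(620, 436, "svchost.exe", "C:\\Windows\\System32\\svchost.exe"),
    Proc(1380, 1304, "explorer.exe", "C:\\Windows\\explorer.exe"),
    Proc(2044, 1380, "scvhost.exe", "C:\\Users\\bob\\AppData\\Local\\Temp\\scvhost.exe"),
    Proc(2716, 3999, "svchost.exe", "C:\\Users\\bob\\AppData\\Roaming\\svchost.exe"),
]
```

On the sample, only the two user-land rows are flagged: the typo-squatted binary in the Temp folder and the svchost.exe with a missing parent that runs outside System32; every genuine system row passes clean.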

Detecting Malware in Memory

Technique: Malfind

Detects injected code and DLLs

vol.py -f memory.raw --profile=Win7SP1x64 malfind

What Malfind Finds

  • Hidden/injected code
  • Executable pages in process memory
  • DLL injection evidence
  • Packed/obfuscated code

Network Connections & Credentials

Network Analysis

Commands

# Active connections
netscan

# Network stats
netstat

# Socket details
sockets

Information Revealed

  • Active TCP/UDP connections
  • Local and remote IP addresses
  • Ports in use
  • Process to connection mapping
  • Listening services

Credential Extraction

Extract passwords, hashes, and keys from memory

Mimikatz (External Tool)

Extract plaintext passwords from LSASS

mimikatz.exe "sekurlsa::logonpasswords" "exit"

Volatility Plugins

  • hashdump - Extract password hashes
  • lsadump - LSA secrets
  • mimikatz - Volatility plugin version