# Introduction to Memory Forensics

Memory forensics involves analyzing a computer's volatile memory (RAM) to investigate security incidents, malware infections, and system compromises. Unlike disk forensics, memory analysis captures the live state of a system, including running processes, network connections, and decrypted data.

## Why Memory Forensics?

- Live System State: Capture running processes, loaded drivers, and active network connections
- Uncover Hidden Malware: Detect rootkits and process injection that hide from traditional tools
- Decrypt Data: Access encryption keys and passwords stored in memory
- Timeline Reconstruction: Build a timeline of system activity
- Incident Response: Quickly triage compromised systems
# Memory Acquisition

## Windows Memory Acquisition

### DumpIt (Recommended for Windows)

```powershell
# Run as Administrator
DumpIt.exe
# Creates a .raw file in the same directory
# File will be named: HOSTNAME-YYYYMMDD-HHMMSS.raw
```

### FTK Imager

```text
# GUI tool
# File -> Capture Memory
# Select destination and filename
# Creates a .mem file
```

### WinPmem

```powershell
# Command-line memory acquisition (raw image)
winpmem_mini_x64.exe memory.raw
# winpmem_mini writes raw images only; compressed AFF4 output
# requires the older full winpmem release instead
```
## Linux Memory Acquisition

### LiME (Linux Memory Extractor)

```bash
# Build LiME against the running kernel (kernel headers required)
git clone https://github.com/504ensicsLabs/LiME
cd LiME/src
make

# Load the kernel module and write the image to a local path
# (writing to the target's own disk overwrites unallocated space;
# prefer removable media or the network path below)
sudo insmod lime-$(uname -r).ko "path=/tmp/memory.lime format=lime"

# For remote acquisition: LiME listens on TCP port 4444 on the target
sudo insmod lime-$(uname -r).ko "path=tcp:4444 format=lime"

# On the analysis machine, connect to the target and save the stream
# (<target-ip> is a placeholder for the target's address)
nc <target-ip> 4444 > memory.lime
```

### AVML (Acquire Volatile Memory for Linux)

```bash
# Statically linked binary from Microsoft; no kernel module to build
sudo ./avml memory.lime
```
# Volatility Framework

Volatility is the most popular open-source memory forensics framework, supporting analysis of Windows, Linux, and macOS memory dumps.

## Installation

```bash
# Volatility 2 (Python 2, legacy; still needed for a few plugins without a Vol3 port)
git clone https://github.com/volatilityfoundation/volatility.git
cd volatility
python setup.py install

# Volatility 3 (Python 3 - Recommended)
pip3 install volatility3
# pip installs the entry point as `vol`; the commands below use `vol3`
# (the name some distributions ship), so alias it if yours does not:
alias vol3=vol
```
## Essential Volatility 3 Commands

### Image Information

```bash
# Get image information (no profile needed in Vol3; symbol tables are resolved automatically)
vol3 -f memory.dmp windows.info

# For Volatility 2, identify the profile first and pass it to later commands with --profile
vol.py -f memory.dmp imageinfo
vol.py -f memory.dmp kdbgscan
```

### Process Analysis

```bash
# List running processes (walks the EPROCESS linked list)
vol3 -f memory.dmp windows.pslist
# Process tree view
vol3 -f memory.dmp windows.pstree
# Show hidden/terminated processes (pool-tag scan; also finds unlinked EPROCESS blocks)
vol3 -f memory.dmp windows.psscan
# Command line arguments for each process
vol3 -f memory.dmp windows.cmdline
# Environment variables
vol3 -f memory.dmp windows.envars
# Process handles (files, registry keys, etc.)
vol3 -f memory.dmp windows.handles --pid 1234
```

### Network Analysis

```bash
# Network connections
vol3 -f memory.dmp windows.netscan
# Network statistics
vol3 -f memory.dmp windows.netstat
```

### DLL Analysis

```bash
# List loaded DLLs for all processes
vol3 -f memory.dmp windows.dlllist
# DLLs for a specific process
vol3 -f memory.dmp windows.dlllist --pid 1234
# Detect unlinked DLLs by comparing the three PEB module lists against the VAD (rootkit technique)
vol3 -f memory.dmp windows.ldrmodules
```
# Malware Analysis

## Detecting Malicious Activity

### Process Injection Detection

```bash
# Malfind - find private memory regions that are executable and not backed by a file
vol3 -f memory.dmp windows.malfind
# Review the hits for PAGE_EXECUTE_READWRITE protection, VadS tags,
# and MZ headers in regions where no image should be mapped;
# zero-filled regions are usually noise
```
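A small triage routine for malfind hits that applies the cues just listed (RWX protection, VadS tag, MZ header in private memory) and discards zero-filled regions, which make up much of malfind's noise. This is an added example, not Volatility code; the Protection and Tag strings are assumed to match malfind's output columns, and the region bytes are constructed.

```python
"""Triage a region flagged by `windows.malfind`. Added example, not Volatility
code: Protection/Tag values are assumed to match malfind's columns and the region
bytes are constructed (in practice, the contents of a --dump output file)."""
import struct


def looks_like_pe(data: bytes) -> bool:
    """True if data begins with an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def triage_region(protection: str, tag: str, data: bytes) -> list:
    """Return the reasons a malfind hit deserves a closer look ([] = likely noise)."""
    if not any(data):
        # malfind reports many reserved-but-unused RWX pages; all zeros is benign noise
        return ["zero-filled region (common malfind false positive)"]
    reasons = []
    private = tag == "VadS"  # short VAD: private memory, never file-backed
    rwx = protection == "PAGE_EXECUTE_READWRITE"
    if rwx and private:
        reasons.append("RWX private memory (VadS)")
    if private and looks_like_pe(data):
        # loaded images are file-backed; a PE in private memory suggests reflective loading
        reasons.append("PE header in private region")
    elif rwx and private:
        reasons.append("headerless code in RWX region (possible shellcode)")
    return reasons


def _constructed_pe_stub() -> bytes:
    """Smallest MZ/PE header that satisfies looks_like_pe (constructed sample)."""
    hdr = bytearray(0x44)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)  # e_lfanew -> 0x40
    hdr[0x40:0x44] = b"PE\x00\x00"
    return bytes(hdr)


if __name__ == "__main__":
    samples = {  # constructed hits in the shape of malfind's Protection/Tag columns
        "zero page": ("PAGE_EXECUTE_READWRITE", "VadS", bytes(4096)),
        "mapped PE": ("PAGE_EXECUTE_READWRITE", "VadS", _constructed_pe_stub()),
        "raw code": ("PAGE_EXECUTE_READWRITE", "VadS", b"\x55\x48\x89\xe5" + bytes(28)),
    }
    for name, hit in samples.items():
        print(f"{name:10} -> {triage_region(*hit) or ['no finding']}")
```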
### Rootkit Detection

```bash
# SSDT (System Service Descriptor Table) hooks
vol3 -f memory.dmp windows.ssdt

# Driver analysis: loaded module list vs. pool scan for driver objects
vol3 -f memory.dmp windows.modules
vol3 -f memory.dmp windows.driverscan

# Detect hidden processes (DKOM) by cross-referencing several process sources
# (psxview requires a recent Volatility 3 release)
vol3 -f memory.dmp windows.psxview
```
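The following added example (not Volatility code) automates the hidden-process check that psscan and psxview are used for: it diffs the JSON output of windows.pslist against windows.psscan and separates unlinked (DKOM) candidates from merely terminated processes. It assumes the JSON column names PID, PPID, ImageFileName, Offset(V) and ExitTime, and every record below is constructed.

```python
"""Cross-check Vol3 pslist vs psscan JSON to surface hidden (DKOM) processes.
Added example; column names (PID, PPID, ImageFileName, Offset(V), ExitTime) are
assumed from `vol3 -r json ... windows.pslist|psscan`. Records are constructed."""
import json

# Constructed sample: processes reachable through the EPROCESS linked list
PSLIST_JSON = json.dumps([
    {"PID": 4, "PPID": 0, "ImageFileName": "System", "Offset(V)": "0xffff8a0001000040", "ExitTime": None},
    {"PID": 628, "PPID": 4, "ImageFileName": "smss.exe", "Offset(V)": "0xffff8a0001234080", "ExitTime": None},
    {"PID": 900, "PPID": 628, "ImageFileName": "csrss.exe", "Offset(V)": "0xffff8a0001300080", "ExitTime": None},
    {"PID": 2104, "PPID": 900, "ImageFileName": "explorer.exe", "Offset(V)": "0xffff8a0002100080", "ExitTime": None},
])
# Constructed sample: the pool-tag scan also finds EPROCESS blocks that were unlinked
# from the list (DKOM) or that belong to processes that already exited
PSSCAN_JSON = json.dumps(json.loads(PSLIST_JSON) + [
    {"PID": 3388, "PPID": 2104, "ImageFileName": "svch0st.exe", "Offset(V)": "0xffff8a0002a00080", "ExitTime": None},
    {"PID": 4120, "PPID": 2104, "ImageFileName": "notepad.exe", "Offset(V)": "0xffff8a0002b00080",
     "ExitTime": "2024-01-01 10:00:00.000000"},
])


def _still_running(proc):
    # Vol3 emits a missing ExitTime as null in JSON (shown as N/A in text output)
    return proc.get("ExitTime") in (None, "", "N/A")


def find_hidden_processes(pslist_json, psscan_json):
    """Return (hidden, exited): psscan entries that pslist does not report.

    Matching on (PID, Offset(V)) avoids a false hit when a PID was reused. A scanned
    EPROCESS with no ExitTime that is missing from the linked list is a DKOM
    candidate; one with an ExitTime is usually a terminated process whose pool
    block has not been reused yet, which is why psscan also shows old processes.
    """
    listed = {(p["PID"], p["Offset(V)"]) for p in json.loads(pslist_json)}
    hidden, exited = [], []
    for proc in json.loads(psscan_json):
        if (proc["PID"], proc["Offset(V)"]) in listed:
            continue
        (hidden if _still_running(proc) else exited).append(proc)
    return hidden, exited


if __name__ == "__main__":
    hidden, exited = find_hidden_processes(PSLIST_JSON, PSSCAN_JSON)
    for p in hidden:
        print(f"HIDDEN pid={p['PID']} ppid={p['PPID']} {p['ImageFileName']} @ {p['Offset(V)']}")
    for p in exited:
        print(f"exited pid={p['PID']} {p['ImageFileName']} ExitTime={p['ExitTime']}")
```

On a real dump, feed it the files written by `vol3 -r json -f memory.dmp windows.pslist > pslist.json` and the matching psscan run.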
### API Hooks Detection

```bash
# Inline hooks and IAT hooks: the apihooks plugin exists only in Volatility 2
# (<Profile> is a placeholder for the profile reported by imageinfo)
vol.py -f memory.dmp --profile=<Profile> apihooks
```
## Extracting Suspicious Processes

```bash
# Dump process executable
vol3 -f memory.dmp windows.pslist --pid 1234 --dump
# Dump process memory
vol3 -f memory.dmp windows.memmap --pid 1234 --dump
# Dump the files (including DLLs) mapped into a process
vol3 -f memory.dmp windows.dumpfiles --pid 1234
```
# Credential Extraction

## Extracting Windows Credentials

### Registry Hives

```bash
# List registry hives
vol3 -f memory.dmp windows.registry.hivelist
# Dump every hive found in memory (the SAM and SYSTEM hives among them)
vol3 -f memory.dmp windows.registry.hivelist --dump
# Print registry keys
vol3 -f memory.dmp windows.registry.printkey --key "Software\Microsoft\Windows\CurrentVersion\Run"
```

### Password Hash Extraction (hashdump)

```bash
# Using the hashdump plugin (needs the SAM and SYSTEM hives present in the dump)
vol3 -f memory.dmp windows.hashdump
# Look for lsass.exe, the process that holds in-memory credential material
vol3 -f memory.dmp windows.pslist | grep lsass
```

### Cached Credentials

```bash
# LSA secrets
vol3 -f memory.dmp windows.lsadump
# Cached domain credentials
vol3 -f memory.dmp windows.cachedump
```
# File and Artifact Recovery

## File Extraction

```bash
# List file objects in memory
vol3 -f memory.dmp windows.filescan
# Dump a specific file by its virtual address (taken from filescan output)
vol3 -f memory.dmp windows.dumpfiles --virtaddr 0x12345678
# Dump every file mapped by a process
vol3 -f memory.dmp windows.dumpfiles --pid 1234
```

## User Activity Artifacts

```bash
# Extract clipboard contents (Volatility 2 only; <Profile> is a placeholder)
vol.py -f memory.dmp --profile=<Profile> clipboard
# Command lines of running processes
vol3 -f memory.dmp windows.cmdline
# Console history (commands typed into cmd.exe windows; recent Vol3 releases)
vol3 -f memory.dmp windows.consoles
```

## Timeline Analysis

```bash
# Create a timeline of events from every plugin that exposes timestamps
vol3 -f memory.dmp timeliner
# Analyze user sessions and services
vol3 -f memory.dmp windows.sessions
vol3 -f memory.dmp windows.getservicesids
```
# Additional Tools

## Rekall

Alternative to Volatility with additional features (the project is archived and no longer maintained)

```bash
# Installation
pip install rekall
# Basic usage
rekall -f memory.dmp pslist
```

## MemProcFS

Mount memory dumps as a virtual file system

```bash
# Mount memory dump
./memprocfs -device memory.dmp -mount /mnt/memory
# Browse as file system
cd /mnt/memory
ls -la
```

## Bulk Extractor

Extract useful information from memory dumps

```bash
# Scan memory for artifacts
bulk_extractor -o output/ memory.dmp
# Find email addresses, URLs, credit cards, etc.
cat output/email.txt
cat output/url.txt
```
# Practice Challenges

## Beginner Level

- Process Hunter: Identify suspicious processes
- Network Detective: Find active network connections
- Command Line Secrets: Analyze process command lines

## Advanced Level

- Rootkit Reveal: Detect hidden rootkit activity
- Injection Point: Find process injection artifacts
- Credential Harvest: Extract passwords from memory