# SKILL: Memory Forensics — Expert Analysis Playbook

**AI LOAD INSTRUCTION**

Expert memory forensics techniques using Volatility 2 and 3. Covers memory acquisition, OS identification, process analysis (hidden process detection), network connections, DLL/module analysis, code injection detection (malfind), credential extraction, file carving, registry analysis, and timeline generation. Base models miss the Vol2/Vol3 command differences, malware indicator patterns, and Linux-specific memory analysis.

## 0. RELATED ROUTING

Before going deep, consider loading:

- **traffic-analysis-pcap** for correlating network artifacts with memory findings
- **steganography-techniques** if hidden data is suspected in extracted files
- **windows-privilege-escalation** for understanding post-exploitation artifacts in memory

### Quick Reference

Also load `VOLATILITY_CHEATSHEET.md` when you need:

- Vol2 vs Vol3 command comparison table
- Common plugin sequences for specific investigation types

## 1. MEMORY ACQUISITION

### Linux

```bash
# LiME (Linux Memory Extractor) — kernel module
insmod lime.ko "path=/tmp/mem.lime format=lime"

# /proc/kcore (if available; note it is an ELF-format view of kernel memory, not a raw physical image)
dd if=/proc/kcore of=/tmp/mem.raw bs=1M

# AVML (Microsoft's open-source)
./avml /tmp/mem.lime
```

### Windows

```bash
# WinPmem
winpmem_mini_x64.exe memdump.raw

# FTK Imager (GUI) — capture memory to file

# DumpIt (single-click memory dump)
DumpIt.exe

# Comae (MagnetRAM)
MagnetRAMCapture.exe /output memdump.raw
```

### Virtual Machines

- **VMware:** `.vmem` file in the VM directory (suspend the VM first)
- **VirtualBox:** `VBoxManage debugvm "VM_NAME" dumpvmcore --filename mem.raw`
- **KVM/QEMU:** `virsh dump DOMAIN memdump --memory-only`
- **Hyper-V:** checkpoint the VM, then inspect the `.bin` files

## 2. VOLATILITY 2 vs 3

| Concept | Volatility 2 | Volatility 3 |
|---|---|---|
| Profile system | `--profile=Win10x64_19041` | Auto-detected (symbol tables) |
| Image info | `imageinfo` | `windows.info` / `linux.info` |
| Process list | `pslist` | `windows.pslist` |
| Network | `netscan` / `connections` | `windows.netscan` / `windows.netstat` |
| DLLs | `dlllist` | `windows.dlllist` |
| Injection | `malfind` | `windows.malfind` |
| Hashes | `hashdump` | `windows.hashdump` |
| Files | `filescan` | `windows.filescan` |
| Registry | `hivelist` / `printkey` | `windows.registry.hivelist` / `windows.registry.printkey` |

### Install

```bash
pip2 install volatility
pip3 install volatility3
```
## 3. ANALYSIS METHODOLOGY

### Step 1: Identify OS

```bash
# Vol2
vol.py -f mem.raw imageinfo
vol.py -f mem.raw kdbgscan

# Vol3
vol -f mem.raw windows.info
vol -f mem.raw banners.Banners
```

### Step 2: Process Listing — Hidden Process Detection

```bash
# Vol2
vol.py -f mem.raw --profile=PROFILE pslist    # EPROCESS linked list
vol.py -f mem.raw --profile=PROFILE psscan    # pool tag scan (finds unlinked)
vol.py -f mem.raw --profile=PROFILE pstree    # parent-child hierarchy

# Vol3
vol -f mem.raw windows.pslist
vol -f mem.raw windows.psscan
vol -f mem.raw windows.pstree
```

**Red flags:** Process in psscan but not pslist = DKOM (Direct Kernel Object Manipulation) hiding.

### Step 3: Network Connections

```bash
# Vol2
vol.py -f mem.raw --profile=PROFILE netscan       # TCP/UDP endpoints
vol.py -f mem.raw --profile=PROFILE connections   # XP/2003 only
vol.py -f mem.raw --profile=PROFILE connscan      # closed connections

# Vol3
vol -f mem.raw windows.netscan
vol -f mem.raw windows.netstat
```

### Step 4: DLL / Module Analysis

```bash
# Vol2
vol.py -f mem.raw --profile=PROFILE dlllist -p PID
vol.py -f mem.raw --profile=PROFILE ldrmodules -p PID   # find unlinked DLLs

# Vol3
vol -f mem.raw windows.dlllist --pid PID
```

**Red flags:** DLL in dlllist but False in all three ldrmodules columns = reflective DLL injection.
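The Step 4 red flag can be checked mechanically over the plugin's text output. The helper below is an added example (not part of this playbook or of Volatility): it parses Vol2 `ldrmodules` output and lists every module missing from all three PEB lists, plus partially unlinked rows worth a second look. The sample output, paths and base addresses are constructed.

```python
# Added example: flag unlinked modules in Volatility 2 `ldrmodules` output.
# SAMPLE is constructed to mimic the plugin's columns; paths and bases are made up.
SAMPLE = """\
Pid      Process              Base               InLoad InInit InMem MappedPath
-------- -------------------- ------------------ ------ ------ ----- ----------
    1860 explorer.exe         0x0000000000400000 True   False  True  \\Windows\\explorer.exe
    1860 explorer.exe         0x0000000077a20000 True   True   True  \\Windows\\System32\\ntdll.dll
    1860 explorer.exe         0x0000000002c80000 False  False  False \\Users\\bob\\AppData\\Local\\Temp\\x.dll
    1860 explorer.exe         0x0000000003a10000 False  False  False
"""

def parse_ldrmodules(text: str) -> list:
    """Parse ldrmodules rows; header, separator and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split(None, 6)          # MappedPath may contain spaces
        if len(parts) < 6 or not parts[0].isdigit():
            continue
        rows.append({
            "pid": int(parts[0]), "process": parts[1], "base": int(parts[2], 16),
            "inload": parts[3] == "True", "ininit": parts[4] == "True",
            "inmem": parts[5] == "True",
            "path": parts[6].strip() if len(parts) > 6 else "",
        })
    return rows

def unlinked_modules(text: str) -> list:
    """Rows with False in all three PEB list columns: the stealth-DLL pattern."""
    return [(r["pid"], hex(r["base"]), r["path"] or "<no mapped path>")
            for r in parse_ldrmodules(text)
            if not (r["inload"] or r["ininit"] or r["inmem"])]

def partially_unlinked(text: str) -> list:
    """Rows missing from some (not all) lists. The process's own .exe normally
    shows InInit=False, so it is excluded; anything else here deserves a look."""
    return [(r["pid"], hex(r["base"]), r["path"])
            for r in parse_ldrmodules(text)
            if 0 < sum((r["inload"], r["ininit"], r["inmem"])) < 3
            and not r["path"].lower().endswith(".exe")]

if __name__ == "__main__":
    for hit in unlinked_modules(SAMPLE):
        print("UNLINKED", *hit)
    for hit in partially_unlinked(SAMPLE):
        print("PARTIAL ", *hit)
```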
### Step 5: Code Injection Detection (Malfind)

```bash
# Vol2
vol.py -f mem.raw --profile=PROFILE malfind -p PID
vol.py -f mem.raw --profile=PROFILE malfind -D /tmp/dump/   # dump injected sections

# Vol3
vol -f mem.raw windows.malfind --pid PID
```

**What malfind detects:** Memory regions with PAGE_EXECUTE_READWRITE that don't map to a file on disk — classic shellcode/injection indicator.
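On a long malfind listing, the first bytes of each flagged region already separate the §5 indicators (MZ header vs. raw code vs. zero-filled pages). The script below is an added example, not playbook or Volatility code; it parses Vol2 `malfind` text output against a constructed sample (processes, addresses and bytes are made up).

```python
# Added example: triage Volatility 2 `malfind` output by each region's first
# bytes. SAMPLE is constructed; the svchost bytes are a generic prologue.
import re

SAMPLE = """\
Process: explorer.exe Pid: 1860 Address: 0x2c80000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
0x02c80000  4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00   MZ..............

Process: svchost.exe Pid: 2100 Address: 0x1e0000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
0x001e0000  55 8b ec 83 ec 40 53 56 57 8b 7d 08 33 c0 eb 05   U....@SVW.}.3...

Process: chrome.exe Pid: 3040 Address: 0x4f0000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
0x004f0000  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
"""

HEADER = re.compile(r"^Process: (\S+) Pid: (\d+) Address: (0x[0-9a-fA-F]+)")
HEXDUMP = re.compile(r"^0x[0-9a-fA-F]+\s+((?:[0-9a-f]{2} ){3,15}[0-9a-f]{2})")

def parse_malfind(text: str) -> list:
    """Split malfind text into regions; keep only the first hexdump line."""
    regions, cur = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            cur = {"process": m.group(1), "pid": int(m.group(2)),
                   "address": int(m.group(3), 16), "head": b""}
            regions.append(cur)
        elif cur is not None:
            h = HEXDUMP.match(line)        # disassembly lines do not match
            if h and not cur["head"]:
                cur["head"] = bytes.fromhex(h.group(1).replace(" ", ""))
    return regions

def classify(head: bytes) -> str:
    """Map leading bytes to the §5 indicator they most resemble."""
    if not head:
        return "no_hexdump"
    if head[:2] == b"MZ":
        return "pe_injection"        # PE header in non-image memory
    if not any(head):
        return "zero_filled"         # committed but unused: usually benign
    return "shellcode_candidate"     # executable bytes with no file backing

def triage(text: str) -> list:
    # one (process, pid, address, verdict) tuple per malfind region
    return [(r["process"], r["pid"], hex(r["address"]), classify(r["head"]))
            for r in parse_malfind(text)]
```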
### Step 6: Credential Extraction

```bash
# Vol2
vol.py -f mem.raw --profile=PROFILE hashdump    # SAM hashes
vol.py -f mem.raw --profile=PROFILE lsadump     # LSA secrets
vol.py -f mem.raw --profile=PROFILE cachedump   # domain cached creds
vol.py -f mem.raw --profile=PROFILE mimikatz    # (plugin) plaintext creds

# Vol3
vol -f mem.raw windows.hashdump
vol -f mem.raw windows.lsadump
vol -f mem.raw windows.cachedump
```

### Step 7: File Extraction

```bash
# Vol2
vol.py -f mem.raw --profile=PROFILE filescan | grep -iE "password|secret|flag"
vol.py -f mem.raw --profile=PROFILE dumpfiles -Q OFFSET -D /tmp/dump/

# Vol3
vol -f mem.raw windows.filescan
vol -f mem.raw windows.dumpfiles --virtaddr OFFSET
```

### Step 8: Registry Analysis

```bash
# Vol2
vol.py -f mem.raw --profile=PROFILE hivelist
vol.py -f mem.raw --profile=PROFILE printkey -K "Software\Microsoft\Windows\CurrentVersion\Run"
vol.py -f mem.raw --profile=PROFILE userassist   # program execution evidence

# Vol3
vol -f mem.raw windows.registry.hivelist
vol -f mem.raw windows.registry.printkey --key "Software\Microsoft\Windows\CurrentVersion\Run"
```

### Step 9: Command History

```bash
# Vol2
vol.py -f mem.raw --profile=PROFILE cmdscan    # cmd.exe history
vol.py -f mem.raw --profile=PROFILE consoles   # full console output

# Vol3
vol -f mem.raw windows.cmdline   # per-process command lines, not console history
```

### Step 10: Timeline Generation

```bash
# Vol2
vol.py -f mem.raw --profile=PROFILE timeliner --output=body --output-file=timeline.body
mactime -b timeline.body -d > timeline.csv

# Vol3
vol -f mem.raw timeliner.Timeliner
```

## 4. LINUX MEMORY ANALYSIS

```bash
# Vol2 (requires Linux profile)
vol.py -f mem.lime --profile=LinuxProfile linux_pslist
vol.py -f mem.lime --profile=LinuxProfile linux_pstree
vol.py -f mem.lime --profile=LinuxProfile linux_netstat
vol.py -f mem.lime --profile=LinuxProfile linux_bash             # bash history
vol.py -f mem.lime --profile=LinuxProfile linux_enumerate_files
vol.py -f mem.lime --profile=LinuxProfile linux_proc_maps -p PID
vol.py -f mem.lime --profile=LinuxProfile linux_malfind

# Vol3
vol -f mem.lime linux.pslist
vol -f mem.lime linux.pstree
vol -f mem.lime linux.bash
vol -f mem.lime linux.check_afinfo    # rootkit detection
vol -f mem.lime linux.check_syscall   # syscall hooking
vol -f mem.lime linux.tty_check       # TTY hooking
```

### Building Linux Profiles (Vol2)

```bash
cd volatility/tools/linux
make
# Creates module.dwarf; zip it together with System.map as the profile
zip LinuxProfile.zip module.dwarf /boot/System.map-$(uname -r)
# Place the zip in volatility/plugins/overlays/linux/
```
## 5. MALWARE INDICATORS IN MEMORY

| Indicator | Detection Method | What It Means |
|---|---|---|
| Process in psscan but not pslist | Compare pslist vs psscan | DKOM — process hiding |
| Unexpected parent-child | pstree analysis | e.g., svchost spawned by cmd.exe |
| MZ header in non-image memory | malfind | Reflective DLL / PE injection |
| RWX memory without backing file | malfind | Shellcode injection |
| DLL unlinked from all PEB lists | ldrmodules (all False) | Stealth DLL loading |
| svchost.exe not child of services.exe | pstree | Fake svchost (malware) |
| Unusual network connections | netscan + PID correlation | C2 communication |
| Hooking in SSDT/IDT | ssdt / idt plugins | Rootkit |
| Modified kernel objects | linux_check_syscall | Linux rootkit |

### Normal Parent-Child Relationships (Windows)

```text
System (4)
└── smss.exe
    ├── csrss.exe
    ├── wininit.exe
    │   ├── services.exe
    │   │   ├── svchost.exe (multiple)
    │   │   └── spoolsv.exe
    │   └── lsass.exe
    └── winlogon.exe
        └── explorer.exe
            └── user applications
```
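The two process checks (Step 2's psscan-vs-pslist diff and the parent-child expectations from this section) can be run over Vol3 text output. This is an added example, not part of the playbook or of Volatility; both listings are constructed samples in the tab-separated layout of `windows.pslist` / `windows.psscan`, and `hidden.exe` is a made-up name.

```python
# Added example (not from the playbook or Volatility): the Step 2 and §5 process
# checks applied to Volatility 3 `windows.pslist` / `windows.psscan` text output.
# Samples are constructed; only the first three tab-separated columns are read
# (PID, PPID, ImageFileName), so real plugin output can be fed in unchanged.
PSLIST = """\
PID\tPPID\tImageFileName\tOffset(V)\tThreads
4\t0\tSystem\t0xfa8000cc4040\t80
284\t4\tsmss.exe\t0xfa800181e060\t2
420\t284\twininit.exe\t0xfa8001f5c060\t3
520\t420\tservices.exe\t0xfa8002000b30\t8
612\t520\tsvchost.exe\t0xfa8002087060\t10
1412\t1380\texplorer.exe\t0xfa80024b3060\t25
2044\t1412\tcmd.exe\t0xfa8002633060\t1
2100\t2044\tsvchost.exe\t0xfa8002690060\t4
"""
# psscan walks pool tags, so it also returns the object pslist cannot see
PSSCAN = PSLIST + "2360\t612\thidden.exe\t0xfa80026f0060\t2\n"

# Expected parent of each core Windows process, taken from the normal tree above
EXPECTED_PARENT = {
    "smss.exe": "system", "csrss.exe": "smss.exe", "wininit.exe": "smss.exe",
    "winlogon.exe": "smss.exe", "services.exe": "wininit.exe",
    "lsass.exe": "wininit.exe", "svchost.exe": "services.exe", "spoolsv.exe": "services.exe",
}

def parse_procs(text: str) -> dict:
    """Map PID -> (PPID, name); banner, header and progress lines are skipped."""
    procs = {}
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) >= 3 and parts[0].isdigit():
            procs[int(parts[0])] = (int(parts[1]), parts[2])
    return procs

def hidden_processes(pslist: str, psscan: str) -> list:
    """Step 2 red flag: in psscan but not in pslist, the DKOM-unlinking pattern."""
    linked, scanned = parse_procs(pslist), parse_procs(psscan)
    return sorted((pid, scanned[pid][1]) for pid in scanned.keys() - linked.keys())

def parent_anomalies(listing: str) -> list:
    """§5 indicator: core process with an unexpected parent (names not in the
    table are ignored; a parent that has already exited is reported as such)."""
    procs = parse_procs(listing)
    hits = []
    for pid, (ppid, name) in procs.items():
        expected = EXPECTED_PARENT.get(name.lower())
        parent = procs[ppid][1] if ppid in procs else "<exited>"
        if expected is not None and parent.lower() != expected:
            hits.append((pid, name, parent))
    return hits
```

On real dumps csrss.exe and winlogon.exe often report an `<exited>` parent because the per-session smss.exe instance that spawned them has terminated; that is expected, whereas `svchost.exe` under anything but `services.exe` is not.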
## 6. DECISION TREE

```text
Memory dump acquired — need to analyze
│
├── What OS?
│   ├── Windows → vol imageinfo / windows.info (§3 Step 1)
│   └── Linux → build profile or use Vol3 auto-detect (§4)
│
├── Malware investigation?
│   ├── Check processes: pslist vs psscan (hidden?) (§3 Step 2)
│   ├── Check parent-child: pstree (suspicious spawning?) (§5)
│   ├── Check injections: malfind (RWX memory?) (§3 Step 5)
│   ├── Check DLLs: ldrmodules (unlinked?) (§3 Step 4)
│   ├── Check network: netscan (C2 connections?) (§3 Step 3)
│   └── Extract suspicious files: dumpfiles (§3 Step 7)
│
├── Credential recovery?
│   ├── SAM hashes → hashdump (§3 Step 6)
│   ├── LSA secrets → lsadump (§3 Step 6)
│   ├── Cached domain creds → cachedump (§3 Step 6)
│   └── Plaintext passwords → mimikatz plugin (§3 Step 6)
│
├── Incident timeline?
│   ├── timeliner for comprehensive timeline (§3 Step 10)
│   ├── cmdscan / consoles for command history (§3 Step 9)
│   ├── userassist for program execution (§3 Step 8)
│   └── Cross-reference with PCAP timeline (→ traffic-analysis-pcap)
│
├── CTF / flag hunting?
│   ├── filescan + grep for flag patterns (§3 Step 7)
│   ├── cmdscan for typed flags/passwords (§3 Step 9)
│   ├── Clipboard: clipboard plugin
│   ├── Screenshots: screenshot plugin
│   └── Environment vars: envars plugin
│
└── Linux-specific?
    ├── linux_bash for shell history (§4)
    ├── linux_check_syscall for rootkit (§4)
    └── linux_netstat for connections (§4)
```