Memory Forensics

Advanced · 50 min · Writeup

Analyzing memory dumps with Volatility

Learning Objectives

  • Use Volatility framework
  • Extract processes and files
  • Find credentials in memory
  • Analyze malware artifacts

Memory forensics analyzes RAM dumps to recover running processes, open network connections, typed commands, passwords, and malware. RAM is volatile and disappears on shutdown, so a dump taken from a live or suspended machine preserves evidence that no disk image can: it's a goldmine!

Memory forensics is advanced but incredibly powerful. You can find encryption keys, running (including fileless) malware, and data that never touched disk! Volatility is the de facto standard open-source tool.

Volatility Framework

bash
# Volatility - the memory forensics framework
# Two versions: Volatility 2 (Python 2, no longer maintained) and Volatility 3 (Python 3, current)

# Install Volatility 3 from PyPI (this gives you the `vol` command)
pip3 install volatility3
vol -f memory.dmp <plugin>

# Or clone from GitHub and run it from the checkout
git clone https://github.com/volatilityfoundation/volatility3
cd volatility3
pip3 install -r requirements.txt
python3 vol.py -f memory.dmp <plugin>

# Volatility 2 (legacy, more community plugins, always needs a profile)
python2 vol.py -f memory.dmp --profile=<profile> <plugin>

Vol2 vs Vol3

Volatility 3 identifies Windows images automatically and fetches the matching symbol table (ISF) from Microsoft's symbol server, so no profile is needed; Linux and macOS images still need a symbol table generated for the exact kernel build. Volatility 2 has more community plugins and some legacy-OS coverage. Know both!

Identifying the Profile

bash
# Volatility 3 - detects the OS and resolves symbols itself (no profile needed!)
python3 vol.py -f memory.dmp windows.info

# Volatility 2 - must specify a profile
# First, identify the OS (imageinfo guesses from the KDBG and other kernel structures)
python2 vol.py -f memory.dmp imageinfo
# Output suggests profiles like Win7SP1x64, WinXPSP3x86, etc.

# Use the suggested profile
python2 vol.py -f memory.dmp --profile=Win7SP1x64 pslist
# If pslist returns nothing or garbage, the profile is wrong: try the next suggestion

# Common profiles:
# - Win7SP1x64 (Windows 7 SP1, 64-bit)
# - Win10x64_19041 (Windows 10, build 19041)
# - LinuxUbuntu_4.15.0-generic (Linux; Vol2 ships no Linux profiles, you build one from the
#   target kernel's vtypes and System.map and name it yourself)

# If imageinfo suggests several profiles or none, scan for KDBG structures directly
python2 vol.py -f memory.dmp kdbgscan

Process Analysis

bash
# Volatility 3 syntax

# List processes
python3 vol.py -f memory.dmp windows.pslist   # Walks the kernel's linked process list
python3 vol.py -f memory.dmp windows.psscan   # Scans for _EPROCESS allocations: also finds unlinked (hidden) and terminated processes

# Process tree (parent-child relationships)
python3 vol.py -f memory.dmp windows.pstree

# Command line arguments
python3 vol.py -f memory.dmp windows.cmdline

# DLLs loaded by a process
python3 vol.py -f memory.dmp windows.dlllist --pid 1234

# Handles (files, registry keys, mutexes, etc.)
python3 vol.py -f memory.dmp windows.handles --pid 1234

# What to look for:
# - Suspicious process names (mimikatz, pwdump, nc.exe) or lookalikes of system names (scvhost.exe)
# - Processes with an unusual parent (cmd.exe spawned by a browser or Office app?)
# - svchost.exe instances whose parent is not services.exe
# - Processes in pslist but not psscan (or the reverse), processes without names or paths
# - Mismatch between pslist and cmdline paths (the binary was not launched from where it claims)

Network Connections

bash
# Active network connections
python3 vol.py -f memory.dmp windows.netstat   # Walks live structures
python3 vol.py -f memory.dmp windows.netscan   # Scans pool memory: also finds closed/unlinked sockets
# Or (Volatility 2, Vista and later)
python2 vol.py -f memory.dmp --profile=Win7SP1x64 netscan
# Volatility 2 on XP/2003 uses connections, connscan, sockets and sockscan instead

# Shows:
# - Local and remote IPs
# - Ports
# - Owning process (PID and name)
# - Connection state and creation time

# Look for:
# - Connections to IPs you cannot explain (check them against the process that owns them)
# - Unusual ports (4444, 1337, high ports), but remember C2 also hides on 443: judge the port together with the owner
# - Processes that shouldn't talk to the network at all (notepad.exe with an ESTABLISHED connection?)
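Triage logic for the red flags listed in the Process Analysis and Network Connections sections, as an added example (not Volatility's own code). It reads the JSON that Volatility 3's `-r json` renderer emits for `windows.pslist` and `windows.netstat`; both samples below are constructed to mimic those column names, and the allow/deny lists (EXPECTED_PARENT, SHELLS, USER_APPS, KNOWN_TOOLS, NO_NETWORK_EXPECTED, COMMON_PORTS) are this example's own assumptions, not a Volatility feature:

```python
"""Triage Volatility 3 JSON output for process and network red flags.
Added example, not Volatility code. Both samples are constructed to mimic
the column names of `vol -r json -f memory.dmp windows.pslist` and
`windows.netstat`; real rows carry more columns, which this code ignores."""
import json

# Constructed pslist rows: a normal boot chain plus a browser-spawned shell.
PSLIST_JSON = json.dumps([
    {"PID": 4,    "PPID": 0,    "ImageFileName": "System"},
    {"PID": 404,  "PPID": 4,    "ImageFileName": "smss.exe"},
    {"PID": 512,  "PPID": 404,  "ImageFileName": "wininit.exe"},
    {"PID": 600,  "PPID": 512,  "ImageFileName": "services.exe"},
    {"PID": 616,  "PPID": 512,  "ImageFileName": "lsass.exe"},
    {"PID": 780,  "PPID": 600,  "ImageFileName": "svchost.exe"},
    {"PID": 1500, "PPID": 1300, "ImageFileName": "explorer.exe"},  # parent (userinit) has exited: normal
    {"PID": 2100, "PPID": 1500, "ImageFileName": "firefox.exe"},
    {"PID": 2400, "PPID": 2100, "ImageFileName": "cmd.exe"},       # shell spawned by a browser
    {"PID": 2460, "PPID": 2400, "ImageFileName": "svchost.exe"},   # svchost not under services.exe
    {"PID": 2500, "PPID": 2400, "ImageFileName": "nc.exe"},        # known tool name
])

# Constructed netstat rows (203.0.113.0/24 is a documentation range).
NETSTAT_JSON = json.dumps([
    {"Proto": "TCPv4", "LocalAddr": "10.0.0.5", "LocalPort": 49812, "ForeignAddr": "203.0.113.7",
     "ForeignPort": 4444, "State": "ESTABLISHED", "PID": 2500, "Owner": "nc.exe"},
    {"Proto": "TCPv4", "LocalAddr": "10.0.0.5", "LocalPort": 49700, "ForeignAddr": "93.184.216.34",
     "ForeignPort": 443, "State": "ESTABLISHED", "PID": 2100, "Owner": "firefox.exe"},
    {"Proto": "TCPv4", "LocalAddr": "10.0.0.5", "LocalPort": 49801, "ForeignAddr": "203.0.113.7",
     "ForeignPort": 443, "State": "ESTABLISHED", "PID": 2460, "Owner": "svchost.exe"},
])

# Assumed baselines for this example (names compared lower-cased).
EXPECTED_PARENT = {"smss.exe": "system", "wininit.exe": "smss.exe", "services.exe": "wininit.exe",
                   "lsass.exe": "wininit.exe", "svchost.exe": "services.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
USER_APPS = {"firefox.exe", "chrome.exe", "msedge.exe", "iexplore.exe", "winword.exe", "excel.exe", "outlook.exe"}
KNOWN_TOOLS = {"mimikatz.exe", "pwdump.exe", "nc.exe", "procdump.exe", "psexec.exe"}
NO_NETWORK_EXPECTED = {"notepad.exe", "calc.exe", "mspaint.exe"}
COMMON_PORTS = {53, 80, 443}


def load_rows(text):
    """The json renderer emits a list of row dicts (pstree nests children under "__children")."""
    return json.loads(text)


def triage_processes(rows):
    """Return {pid: [reasons]} for processes matching the red flags above."""
    by_pid = {r["PID"]: r for r in rows}
    findings = {}

    def flag(pid, why):
        findings.setdefault(pid, []).append(why)

    for r in rows:
        name = r["ImageFileName"].lower()
        parent = by_pid.get(r["PPID"])
        pname = parent["ImageFileName"].lower() if parent else "<exited/unknown>"
        if name in KNOWN_TOOLS:
            flag(r["PID"], f"known attack tool name: {name}")
        want = EXPECTED_PARENT.get(name)
        if want and pname != want:
            flag(r["PID"], f"{name} parent is {pname}, expected {want}")
        if name in SHELLS and pname in USER_APPS:
            flag(r["PID"], f"{name} spawned by {pname}")
    return findings


def triage_network(rows, proc_findings):
    """Return (pid, owner, remote, reasons) for established connections worth a look."""
    hits = []
    for c in rows:
        if c["State"] != "ESTABLISHED":   # listeners have no meaningful foreign endpoint
            continue
        why = []
        if c["PID"] in proc_findings:
            why.append("owner already flagged by process triage")
        if c["Owner"].lower() in NO_NETWORK_EXPECTED:
            why.append(f"{c['Owner']} normally has no network activity")
        if c["ForeignPort"] not in COMMON_PORTS:
            why.append(f"unusual remote port {c['ForeignPort']}")
        if why:
            hits.append((c["PID"], c["Owner"], f"{c['ForeignAddr']}:{c['ForeignPort']}", why))
    return hits


if __name__ == "__main__":
    procs = triage_processes(load_rows(PSLIST_JSON))
    for pid, reasons in procs.items():
        print(pid, "; ".join(reasons))
    for hit in triage_network(load_rows(NETSTAT_JSON), procs):
        print(*hit)
```

Every hit is a lead, not a verdict: the svchost.exe on port 443 looks normal on its own and is only caught because the process triage already flagged its parent, which is why the two plugins are read together. Feed real output with `vol -r json -f memory.dmp windows.pslist > pslist.json` and load the file instead of the constructed strings.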

File Analysis

bash
# List file objects still present in memory (cached, open or recently closed)
python3 vol.py -f memory.dmp windows.filescan

# Filter by name or path
python3 vol.py -f memory.dmp windows.filescan | grep -i "flag"
python3 vol.py -f memory.dmp windows.filescan | grep -i "password"

# Dump a specific file using the Offset column from filescan
python3 vol.py -f memory.dmp windows.dumpfiles --physaddr 0x12345678

# Dump everything dumpfiles can find (slow and large; -o is a framework option and goes before the plugin)
python3 vol.py -f memory.dmp -o dumped_files windows.dumpfiles

# Dump only the files a given process has open
python3 vol.py -f memory.dmp -o dumped_files windows.dumpfiles --pid 1234

# Look for:
# - Documents (docx, pdf, txt)
# - Configs (ini, conf, xml)
# - Databases (db, sqlite)
# - Images (jpg, png)
# Dumped files are reconstructed from cached pages, so expect gaps; check them with `file` and a hex viewer before trusting them.

Registry Analysis

bash
# Print registry keys (with no --key, prints the root of every hive found)
python3 vol.py -f memory.dmp windows.registry.printkey

# Specific key, searched across all hives
# (this path exists in each user's NTUSER.DAT; in the SOFTWARE hive the same key is Microsoft\Windows\CurrentVersion\Run)
python3 vol.py -f memory.dmp windows.registry.printkey --key "Software\Microsoft\Windows\CurrentVersion\Run"
# Restrict to one hive using the offset from hivelist, and recurse into subkeys
python3 vol.py -f memory.dmp windows.registry.printkey --offset 0xfffff8a000024010 --key "Microsoft\Windows\CurrentVersion" --recurse

# List registry hives (hivelist walks the kernel's hive list, hivescan scans for hives the list has lost)
python3 vol.py -f memory.dmp windows.registry.hivelist
python3 vol.py -f memory.dmp windows.registry.hivescan

# Interesting registry locations:
# - Run/RunOnce (persistence)
# - Recently opened files (RecentDocs, UserAssist)
# - User SIDs (or ask per process: windows.getsids)
# - Network configurations (Tcpip\Parameters\Interfaces)

Credential Extraction

bash
# Hash extraction (Volatility 2; needs the SYSTEM and SAM hives to be in memory)
python2 vol.py -f memory.dmp --profile=Win7SP1x64 hashdump

# Cached domain credentials (DCC/mscash)
python2 vol.py -f memory.dmp --profile=Win7SP1x64 cachedump

# LSA secrets (service account passwords, DPAPI keys, autologon password)
python2 vol.py -f memory.dmp --profile=Win7SP1x64 lsadump

# Volatility 3 equivalents
python3 vol.py -f memory.dmp windows.hashdump
python3 vol.py -f memory.dmp windows.cachedump
python3 vol.py -f memory.dmp windows.lsadump

# Mimikatz-style plaintext recovery from LSASS is a community plugin for Volatility 2 (mimikatz), not part of lsadump.
# Alternatively dump the lsass.exe process (windows.memmap --dump --pid <lsass pid>) and run the
# plaintext/regex searches from the next section over the dump.

# Memory contains plaintext passwords if:
# - WDigest caching is on (UseLogonCredential=1: the default on Windows 7/2008 R2, off since 8.1/2012 R2 and KB2871997)
# - A process keeps credentials in memory (RDP clients, browsers, scripts with embedded passwords)
# - The user recently typed a password (edit controls, clipboard, console history)

Finding credentials in memory dumps is extremely common in CTFs. Always run hashdump and check for plaintext passwords!
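Hashdump output needs one more step before cracking: separate accounts whose NT hash is the well-known empty-password value (nothing to crack, just log in) from real hashes, and notice when an LM hash is still stored, because LM falls in minutes. The following is an added example, not Volatility code; its input is constructed in the pwdump format (user:rid:lmhash:nthash:::) that Volatility 2's hashdump prints, and the hash values in it are sample data:

```python
"""Turn `hashdump` output into something you can crack, and separate the
accounts that have no password to crack. Added example, not Volatility code.
The input below is constructed in pwdump format (user:rid:lmhash:nthash:::),
which is what Volatility 2's hashdump prints; Volatility 3's windows.hashdump
prints the same four fields as a table, so adjust the regex for that."""
import re

# NT and LM hashes of the empty string: the well-known markers for "no password" / "LM disabled".
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Constructed sample output.
HASHDUMP_OUTPUT = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
alice:1001:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
bob:1002:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
"""

PWDUMP_RE = re.compile(
    r"^(?P<user>[^:]+):(?P<rid>\d+):(?P<lm>[0-9a-fA-F]{32}):(?P<nt>[0-9a-fA-F]{32}):::$"
)


def parse_hashdump(text):
    """Parse pwdump lines into dicts; lines that do not match (headers, warnings) are skipped."""
    entries = []
    for line in text.splitlines():
        m = PWDUMP_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["rid"] = int(e["rid"])
        e["lm"], e["nt"] = e["lm"].lower(), e["nt"].lower()
        entries.append(e)
    return entries


def triage_hashes(entries):
    """Sort accounts into: blank password, LM hash present, and hashcat input lines.
    hashcat -m 1000 cracks NT hashes; -m 3000 cracks LM (case-insensitive, 14 chars max, very weak)."""
    out = {"blank": [], "lm_present": [], "hashcat_1000": [], "hashcat_3000": []}
    for e in entries:
        if e["nt"] == EMPTY_NT:
            out["blank"].append(e["user"])       # nothing to crack: the password is empty
            continue
        if e["lm"] != EMPTY_LM:
            out["lm_present"].append(e["user"])  # LM still stored: crack this first, it is far weaker
            out["hashcat_3000"].append(e["lm"])
        out["hashcat_1000"].append(f"{e['user']}:{e['nt']}")  # feed to hashcat with --username
    return out


if __name__ == "__main__":
    result = triage_hashes(parse_hashdump(HASHDUMP_OUTPUT))
    for key, value in result.items():
        print(f"{key}: {value}")
```

Two accounts sharing one NT hash (alice and bob above) means they share a password, so cracking either one gives you both; and an NT hash is usable for pass-the-hash even when it never cracks.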

Strings and Grep

bash
# Quick string search (sometimes faster than Volatility!)
strings memory.dmp | grep -i "flag"
strings memory.dmp | grep -i "password"
strings memory.dmp | grep -E "[A-Za-z]+\{[^}]+\}"

# UTF-16LE strings (how Windows stores most text; plain strings misses these)
strings -e l memory.dmp | grep -i "password"

# Combine with context
strings memory.dmp | grep -A2 -B2 "password"

# Print the offset of each hit (-t x) so you can pivot to filescan/dumpfiles or a hex viewer
strings -t x memory.dmp | grep -i "password"

# Search for specific patterns
strings memory.dmp | grep -E "[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+" # Emails
strings memory.dmp | grep -E "https?://" # URLs

Memory Forensics Checklist

□ Identify OS profile (Vol3 auto-detects; Vol2 needs imageinfo/kdbgscan)
□ strings + grep for a quick flag search (ASCII and -e l)
□ pslist/psscan - List processes, compare the two
□ pstree - Parent-child relationships
□ cmdline - Command line arguments
□ netscan/netstat - Network connections
□ filescan - Files in memory
□ hashdump - Extract password hashes
□ dumpfiles - Extract interesting files
□ envars - Environment variables (credentials?)
□ clipboard - Copied data
□ consoles - Console input/output history

(Plugin names after the first two lines are Volatility 2 names; in Volatility 3 prefix them with windows. where the plugin exists.)


Key Takeaways

  • Volatility 3 is preferred (Python 3, no profiles: Windows symbols are resolved automatically)
  • Quick win: strings + grep before running plugins
  • Always check: pslist, cmdline, netscan, hashdump
  • Dump files and check for credentials
  • Memory contains data that never touched disk
  • Process trees reveal malicious parent-child relationships