Memory Forensics


RAM analysis, Volatility framework, malware detection, and memory artifacts.

Overview

Memory forensics analyzes a captured image of RAM for evidence that may never reach disk: the running processes and their parents, open network connections, loaded modules and injected code, cached registry hives, open handles, and keys held in memory at the moment of capture.

Volatility Framework

# Volatility 2 syntax: --profile selects the OS/kernel layout of the image.
# (Volatility 3 drops --profile and names the plugins windows.pslist,
# windows.pstree, windows.netscan, windows.filescan, windows.dumpfiles.)

# List processes (walks the active-process linked list)
volatility -f memory.dmp --profile=Win7SP1x64 pslist

# Process tree (parent/child view of the same list)
volatility -f memory.dmp --profile=Win7SP1x64 pstree

# Network connections and listening sockets
volatility -f memory.dmp --profile=Win7SP1x64 netscan

# Extract files: filescan prints file objects with their physical offset;
# pass that offset to dumpfiles with -Q and an output directory with -D
volatility -f memory.dmp --profile=Win7SP1x64 filescan
volatility -f memory.dmp --profile=Win7SP1x64 dumpfiles -Q 0xXXXXXXXX -D dumped/
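A worked example of the first thing an analyst does with pslist output: compare it against the pool-scan view (psscan) and check parent/child relationships. This is added example code, not part of the lesson or of the Volatility project; the pslist/psscan text below is constructed in the layout of Volatility 2 output, and every PID, offset and timestamp in it is invented. The expected-parent table holds the well-known Windows process pairings.

```python
import re

# Constructed sample output in the layout of Volatility 2 `pslist` (virtual
# offsets) and `psscan` (physical offsets). All values are invented.
PSLIST_OUTPUT = """\
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------
0xfffffa8000c8e040 System                    4      0     80      500 ------      0 2024-01-01 09:00:00 UTC+0000
0xfffffa8001a1b060 smss.exe                260      4      2       30 ------      0 2024-01-01 09:00:03 UTC+0000
0xfffffa8001b2c070 wininit.exe             380    260      3       75      0      0 2024-01-01 09:00:05 UTC+0000
0xfffffa8001c3d080 services.exe            480    380      7      200      0      0 2024-01-01 09:00:06 UTC+0000
0xfffffa8001d4e090 svchost.exe             620    480     10      300      0      0 2024-01-01 09:00:07 UTC+0000
0xfffffa8001e5f0a0 explorer.exe           1200   1150     30      800      1      0 2024-01-01 09:01:00 UTC+0000
0xfffffa8001f600b0 svchost.exe            2300   1200      2       40      1      0 2024-01-01 09:05:00 UTC+0000
"""

PSSCAN_OUTPUT = """\
Offset(P)          Name                PID   PPID PDB                Time created                   Time exited
------------------ ---------------- ------ ------ ------------------ ------------------------------ ------------------------------
0x000000003fc8e040 System                4      0 0x0000000000187000 2024-01-01 09:00:00 UTC+0000
0x000000003e2c1b60 smss.exe            260      4 0x000000001a2b3000 2024-01-01 09:00:03 UTC+0000
0x000000003d1b2070 wininit.exe         380    260 0x000000001b3c4000 2024-01-01 09:00:05 UTC+0000
0x000000003c0c3080 services.exe        480    380 0x000000001c4d5000 2024-01-01 09:00:06 UTC+0000
0x000000003bfd4090 svchost.exe         620    480 0x000000001d5e6000 2024-01-01 09:00:07 UTC+0000
0x000000003aee50a0 explorer.exe       1200   1150 0x000000001e6f7000 2024-01-01 09:01:00 UTC+0000
0x000000003ddf60b0 svchost.exe        2300   1200 0x000000001f708000 2024-01-01 09:05:00 UTC+0000
0x000000003ccf70c0 notepad.exe        2500   1200 0x0000000020819000 2024-01-01 09:06:00 UTC+0000 2024-01-01 09:07:00 UTC+0000
0x000000003bbf80d0 update.exe         3100    620 0x000000002192a000 2024-01-01 09:10:00 UTC+0000
"""

ROW_RE = re.compile(r"^0x[0-9a-fA-F]+\s+(\S+)\s+(\d+)\s+(\d+)")
TIME_RE = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}")

# Well-known Windows parent/child pairings; anything else deserves a look.
EXPECTED_PARENT = {
    "smss.exe": {"System", "smss.exe"},
    "wininit.exe": {"smss.exe"},
    "services.exe": {"wininit.exe"},
    "lsass.exe": {"wininit.exe"},
    "svchost.exe": {"services.exe"},
}


def parse_processes(text):
    """Return {pid: (name, ppid, exited)} from pslist/psscan-style text."""
    procs = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # header, separator or blank line
        name, pid, ppid = m.group(1), int(m.group(2)), int(m.group(3))
        exited = len(TIME_RE.findall(line)) >= 2  # created + exited timestamps
        procs[pid] = (name, ppid, exited)
    return procs


def analyze(pslist_text, psscan_text):
    linked = parse_processes(pslist_text)
    scanned = parse_processes(psscan_text)
    # Present in the pool scan but absent from the active-process list: the
    # classic sign of an unlinked (hidden) EPROCESS. Exited processes are
    # excluded, since their stale objects legitimately show up in psscan.
    hidden = sorted(pid for pid, (_, _, exited) in scanned.items()
                    if pid not in linked and not exited)
    # Core system binaries started by an unexpected parent.
    bad_parent = []
    for pid, (name, ppid, _) in linked.items():
        want = EXPECTED_PARENT.get(name)
        if want is None:
            continue
        parent_name = linked.get(ppid, ("<missing>",))[0]
        if parent_name not in want:
            bad_parent.append((pid, name, ppid, parent_name))
    return {"hidden": hidden, "bad_parent": sorted(bad_parent)}


if __name__ == "__main__":
    print(analyze(PSLIST_OUTPUT, PSSCAN_OUTPUT))
```

On the constructed data the run reports PID 3100 as hidden (in psscan, not in pslist, no exit time) and the svchost.exe with PID 2300 as having explorer.exe rather than services.exe as its parent. Both are leads: a hidden process can also be one that was exiting during acquisition, and a mismatched parent can have a benign explanation, so confirm each with pstree, dlllist and the handle table before drawing conclusions.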

Memory Artifacts

| Artifact | Location in memory |
| --- | --- |
| Processes | EPROCESS structures |
| Network | Socket objects |
| Registry | Hive files (cached in memory) |
| DLLs | Loaded modules |
| Handles | Object tables |

Malware Detection

# Suspicious process detection (heuristic: each hit is a lead to verify, not a verdict)
from dataclasses import dataclass, field

@dataclass
class Process:
    pid: int
    name: str
    exec_regions: set = field(default_factory=set)  # executable memory ranges (from a VAD walk)
    module_list: set = field(default_factory=set)   # ranges backed by loaded modules (PEB lists)
    hooked_apis: set = field(default_factory=set)   # IAT/inline hooks found by an apihooks-style scan

def has_api_hooks(proc):
    return bool(proc.hooked_apis)

def detect_suspicious(processes):
    suspicious = []
    for proc in processes:
        # Check for injection: executable memory not backed by any loaded module
        if proc.exec_regions - proc.module_list:
            suspicious.append(proc)
            continue  # do not list the same process twice
        # Check for hooks
        if has_api_hooks(proc):
            suspicious.append(proc)
    return suspicious
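The injection check above works at the level of whole processes. The example below, added here and not part of the lesson or of Volatility, goes one level down and applies the heuristic Volatility's malfind plugin is built on to individual memory regions: private (non-file-backed) memory that is both writable and executable, with extra weight when the region begins with a PE header. The Region class and the sample regions are constructed for this example; the protection constants are the real values from winnt.h.

```python
from dataclasses import dataclass
from typing import Optional

# Memory protection constants from the Windows API (winnt.h).
PAGE_READWRITE = 0x04
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40


@dataclass
class Region:
    """One virtual address range of a process, as a VAD walk would yield it.

    mapped_file is None for private (anonymous) memory; head holds the first
    bytes of the region as read from the memory image.
    """
    start: int
    size: int
    protection: int
    mapped_file: Optional[str]
    head: bytes


def scan_regions(regions):
    """malfind-style heuristic over a process's regions.

    Returns a list of (start, reason) tuples for regions worth dumping.
    """
    findings = []
    for r in regions:
        if r.mapped_file is not None:
            continue  # backed by a file on disk: an ordinary EXE/DLL mapping
        if r.protection != PAGE_EXECUTE_READWRITE:
            continue  # private memory that is not RWX (heaps, stacks) is normal
        reason = "private RWX region"
        if r.head.startswith(b"MZ"):
            reason += " starting with a PE header"  # whole image written into memory
        findings.append((r.start, reason))
    return findings


# Constructed regions for one hypothetical process; addresses and bytes are invented.
SAMPLE_REGIONS = [
    Region(0x7FF800000000, 0x1F0000, PAGE_EXECUTE_READ, r"\Windows\System32\ntdll.dll", b"MZ\x90\x00"),
    Region(0x00000000C000, 0x10000, PAGE_READWRITE, None, b"\x00" * 4),            # a heap
    Region(0x000001A2B0000, 0x20000, PAGE_EXECUTE_READWRITE, None, b"MZ\x90\x00"),  # injected image
    Region(0x000002C3D0000, 0x1000, PAGE_EXECUTE_READWRITE, None, b"\x48\x83\xec\x28"),  # loose code
]

if __name__ == "__main__":
    for start, reason in scan_regions(SAMPLE_REGIONS):
        print(f"{start:#x}: {reason}")
```

Two of the four sample regions are flagged. Treat the result as a triage list: browsers, .NET and Java runtimes legitimately keep private RWX memory for JIT-compiled code, so the next step is to dump the flagged ranges (malfind -D in Volatility 2) and inspect the bytes, not to declare the process malicious on this signal alone.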

Memory Acquisition

# Windows (winpmem; run from removable media and write the image off-host)
winpmem_mini_x64.exe memory.raw

# Linux: /dev/mem is restricted by the kernel on modern distributions
# (CONFIG_STRICT_DEVMEM), so dd of /dev/mem does not yield a full image.
# Use a kernel-module acquisition tool such as LiME built for the target kernel.
sudo insmod lime-$(uname -r).ko "path=/mnt/usb/memory.lime format=lime"

# macOS (osxpmem from the pmem project; writes an AFF4 image)
sudo osxpmem.app/osxpmem -o memory.aff4

# Hash the image immediately so the analysis can be tied to what was acquired
sha256sum memory.raw

Analysis Checklist

- [ ] Identify suspicious processes
- [ ] Check network connections
- [ ] Extract injected code
- [ ] Analyze handles
- [ ] Check registry keys
- [ ] Look for encryption keys

Practice

Analyze a memory dump using Volatility to find malicious activity.
