Chapter 1 โ Why Memory Forensics?
Disk forensics misses everything that is running: decrypted malware payloads, injected shellcode, in-memory credentials, active network connections, and processes that hide from the filesystem. Memory forensics catches attackers in the act โ and volatile evidence disappears the moment the machine reboots.
Chapter 2 โ Memory Acquisition
# Windows โ WinPmem
winpmem_mini.exe memory.raw
# Windows โ DumpIt
DumpIt.exe /O memory.dmp
# Linux โ LiME (Loadable Kernel Module)
insmod lime.ko "path=/tmp/memory.lime format=lime"
# VM snapshot โ VMware: suspend VM, then use .vmem file in VM directory
Chapter 3 โ Volatility 3 Framework
# Install
pip3 install volatility3
# Identify OS
vol -f memory.raw windows.info
# Plugin usage pattern
vol -f memory.raw PLUGIN [options]
Chapter 4 โ Process Analysis
# List all processes
vol -f mem.raw windows.pslist
vol -f mem.raw windows.pstree # parent-child view
# Find hidden processes (rootkit detection)
vol -f mem.raw windows.psscan # scans physical memory for EPROCESS structs
# Dump process executable
vol -f mem.raw windows.dumpfiles --pid 1234
# Check command line args
vol -f mem.raw windows.cmdline
Chapter 5 โ Network Connections
# Active and recently closed connections
vol -f mem.raw windows.netstat
vol -f mem.raw windows.netscan
# Look for: unusual outbound connections, beaconing patterns, non-standard ports
Chapter 6 โ Detecting Code Injection
# Find injected code (VAD anomalies)
vol -f mem.raw windows.malfind
# Malfind looks for: RWX memory regions, PE headers in unexpected places
# Dump suspicious region
vol -f mem.raw windows.malfind --dump
Chapter 7 โ Rootkits & Anti-Forensics
Rootkits hide processes by unlinking EPROCESS from the ActiveProcessLinks list โ pslist misses them but psscan finds them by scanning raw memory. DKOM (Direct Kernel Object Manipulation) is the most common technique.
# Compare pslist vs psscan โ discrepancy = hidden process
vol -f mem.raw windows.pslist > pslist.txt
vol -f mem.raw windows.psscan > psscan.txt
diff pslist.txt psscan.txt
Chapter 8 โ Malware Analysis in Memory
# Extract strings from a suspicious process
vol -f mem.raw windows.strings --pid 4512
# Check loaded DLLs
vol -f mem.raw windows.dlllist --pid 4512
# Extract registry hives loaded in memory
vol -f mem.raw windows.registry.hivelist
vol -f mem.raw windows.registry.printkey --key "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
Workbook complete! You've covered all chapters. Mark it complete below and continue your learning path.