Chapter 1 โ€” Why Memory Forensics?

Disk forensics misses everything that is running: decrypted malware payloads, injected shellcode, in-memory credentials, active network connections, and processes that hide from the filesystem. Memory forensics catches attackers in the act โ€” and volatile evidence disappears the moment the machine reboots.

Chapter 2 โ€” Memory Acquisition

# Windows โ€” WinPmem
winpmem_mini.exe memory.raw

# Windows โ€” DumpIt
DumpIt.exe /O memory.dmp

# Linux โ€” LiME (Loadable Kernel Module)
insmod lime.ko "path=/tmp/memory.lime format=lime"

# VM snapshot โ€” VMware: suspend VM, then use .vmem file in VM directory

Chapter 3 โ€” Volatility 3 Framework

# Install
pip3 install volatility3

# Identify OS
vol -f memory.raw windows.info

# Plugin usage pattern
vol -f memory.raw PLUGIN [options]

Chapter 4 โ€” Process Analysis

# List all processes
vol -f mem.raw windows.pslist
vol -f mem.raw windows.pstree  # parent-child view

# Find hidden processes (rootkit detection)
vol -f mem.raw windows.psscan  # scans physical memory for EPROCESS structs

# Dump process executable
vol -f mem.raw windows.dumpfiles --pid 1234

# Check command line args
vol -f mem.raw windows.cmdline

Chapter 5 โ€” Network Connections

# Active and recently closed connections
vol -f mem.raw windows.netstat
vol -f mem.raw windows.netscan

# Look for: unusual outbound connections, beaconing patterns, non-standard ports

Chapter 6 โ€” Detecting Code Injection

# Find injected code (VAD anomalies)
vol -f mem.raw windows.malfind

# Malfind looks for: RWX memory regions, PE headers in unexpected places
# Dump suspicious region
vol -f mem.raw windows.malfind --dump

Chapter 7 โ€” Rootkits & Anti-Forensics

Rootkits hide processes by unlinking EPROCESS from the ActiveProcessLinks list โ€” pslist misses them but psscan finds them by scanning raw memory. DKOM (Direct Kernel Object Manipulation) is the most common technique.

# Compare pslist vs psscan โ€” discrepancy = hidden process
vol -f mem.raw windows.pslist > pslist.txt
vol -f mem.raw windows.psscan > psscan.txt
diff pslist.txt psscan.txt

Chapter 8 โ€” Malware Analysis in Memory

# Extract strings from a suspicious process
vol -f mem.raw windows.strings --pid 4512

# Check loaded DLLs
vol -f mem.raw windows.dlllist --pid 4512

# Extract registry hives loaded in memory
vol -f mem.raw windows.registry.hivelist
vol -f mem.raw windows.registry.printkey --key "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
โœ…
Workbook complete! You've covered all chapters. Mark it complete below and continue your learning path.
โ† All Workbooks
๐Ÿ“–
Sign in to track progress