Memory Forensics

Security Notice

AUTHORIZED USE ONLY: These skills are for DEFENSIVE security analysis and authorized research:

• Incident response with proper authorization

• Forensic investigations in authorized contexts

• Malware analysis for defensive purposes

• CTF competitions and security research

• Educational purposes in controlled environments

NEVER use for:

• Unauthorized system access or surveillance

• Privacy violations

• Intellectual property theft

• Any illegal activities

Comprehensive techniques for acquiring, analyzing, and extracting artifacts from memory dumps for incident response and malware analysis.

Memory Acquisition

Live Acquisition Tools

Windows

WinPmem (Recommended)

winpmem_mini_x64.exe memory.raw

DumpIt

DumpIt.exe

Belkasoft RAM Capturer

GUI-based, outputs raw format

Magnet RAM Capture

GUI-based, outputs raw format

Linux

LiME (Linux Memory Extractor)

sudo insmod lime.ko "path=/tmp/memory.lime format=lime"

/dev/mem (limited, requires permissions)

sudo dd if=/dev/mem of=memory.raw bs=1M

/proc/kcore (ELF format)

sudo cp /proc/kcore memory.elf

macOS

osxpmem

sudo ./osxpmem -o memory.raw

MacQuisition (commercial)

Virtual Machine Memory

VMware: .vmem file is raw memory

cp vm.vmem memory.raw

VirtualBox: Use debug console

vboxmanage debugvm "VMName" dumpvmcore --filename memory.elf

QEMU

virsh dump <domain> memory.raw --memory-only

Hyper-V

Checkpoint contains memory state

Volatility 3 Framework

Installation and Setup

Install Volatility 3

pip install volatility3

Install symbol tables (Windows)

Download from https://downloads.volatilityfoundation.org/volatility3/symbols/

Basic usage

vol -f memory.raw <plugin>

With symbol path

vol -f memory.raw -s /path/to/symbols windows.pslist

Essential Plugins

Process Analysis

List processes

vol -f memory.raw windows.pslist

Process tree (parent-child relationships)

vol -f memory.raw windows.pstree

Hidden process detection

vol -f memory.raw windows.psscan

Process memory dumps

vol -f memory.raw windows.memmap --pid <PID> --dump

Process environment variables

vol -f memory.raw windows.envars --pid <PID>

Command line arguments

vol -f memory.raw windows.cmdline

Network Analysis

Network connections

vol -f memory.raw windows.netscan

Network connection state

vol -f memory.raw windows.netstat

DLL and Module Analysis

Loaded DLLs per process

vol -f memory.raw windows.dlllist --pid <PID>

Find hidden/injected DLLs

vol -f memory.raw windows.ldrmodules

Kernel modules

vol -f memory.raw windows.modules

Module dumps

vol -f memory.raw windows.moddump --pid <PID>

Memory Injection Detection

Detect code injection

vol -f memory.raw windows.malfind

VAD (Virtual Address Descriptor) analysis

vol -f memory.raw windows.vadinfo --pid <PID>

Dump suspicious memory regions

vol -f memory.raw windows.vadyarascan --yara-rules rules.yar

Registry Analysis

List registry hives

vol -f memory.raw windows.registry.hivelist

Print registry key

vol -f memory.raw windows.registry.printkey --key "Software\Microsoft\Windows\CurrentVersion\Run"

Dump registry hive

vol -f memory.raw windows.registry.hivescan --dump

File System Artifacts

Scan for file objects

vol -f memory.raw windows.filescan

Dump files from memory

vol -f memory.raw windows.dumpfiles --pid <PID>

MFT analysis

vol -f memory.raw windows.mftscan

Linux Analysis

Process listing

vol -f memory.raw linux.pslist

Process tree

vol -f memory.raw linux.pstree

Bash history

vol -f memory.raw linux.bash

Network connections

vol -f memory.raw linux.sockstat

Loaded kernel modules

vol -f memory.raw linux.lsmod

Mount points

vol -f memory.raw linux.mount

Environment variables

vol -f memory.raw linux.envars

macOS Analysis

Process listing

vol -f memory.raw mac.pslist

Process tree

vol -f memory.raw mac.pstree

Network connections

vol -f memory.raw mac.netstat

Kernel extensions

vol -f memory.raw mac.lsmod

Analysis Workflows

Malware Analysis Workflow

1. Initial process survey

vol -f memory.raw windows.pstree > processes.txt vol -f memory.raw windows.pslist > pslist.txt

2. Network connections

vol -f memory.raw windows.netscan > network.txt

3. Detect injection

vol -f memory.raw windows.malfind > malfind.txt

4. Analyze suspicious processes

vol -f memory.raw windows.dlllist --pid <PID> vol -f memory.raw windows.handles --pid <PID>

5. Dump suspicious executables

vol -f memory.raw windows.pslist --pid <PID> --dump

6. Extract strings from dumps

strings -a pid.<PID>.exe > strings.txt

7. YARA scanning

vol -f memory.raw windows.yarascan --yara-rules malware.yar

Incident Response Workflow

1. Timeline of events

vol -f memory.raw windows.timeliner > timeline.csv

2. User activity

vol -f memory.raw windows.cmdline vol -f memory.raw windows.consoles

3. Persistence mechanisms

vol -f memory.raw windows.registry.printkey
--key "Software\Microsoft\Windows\CurrentVersion\Run"

4. Services

vol -f memory.raw windows.svcscan

5. Scheduled tasks

vol -f memory.raw windows.scheduled_tasks

6. Recent files

vol -f memory.raw windows.filescan | grep -i "recent"

Data Structures

Windows Process Structures

// EPROCESS (Executive Process) typedef struct _EPROCESS { KPROCESS Pcb; // Kernel process block EX_PUSH_LOCK ProcessLock; LARGE_INTEGER CreateTime; LARGE_INTEGER ExitTime; // ... LIST_ENTRY ActiveProcessLinks; // Doubly-linked list ULONG_PTR UniqueProcessId; // PID // ... PEB* Peb; // Process Environment Block // ... } EPROCESS;

// PEB (Process Environment Block) typedef struct _PEB { BOOLEAN InheritedAddressSpace; BOOLEAN ReadImageFileExecOptions; BOOLEAN BeingDebugged; // Anti-debug check // ... PVOID ImageBaseAddress; // Base address of executable PPEB_LDR_DATA Ldr; // Loader data (DLL list) PRTL_USER_PROCESS_PARAMETERS ProcessParameters; // ... } PEB;

VAD (Virtual Address Descriptor)

typedef struct _MMVAD { MMVAD_SHORT Core; union { ULONG LongFlags; MMVAD_FLAGS VadFlags; } u; // ... PVOID FirstPrototypePte; PVOID LastContiguousPte; // ... PFILE_OBJECT FileObject; } MMVAD;

// Memory protection flags #define PAGE_EXECUTE 0x10 #define PAGE_EXECUTE_READ 0x20 #define PAGE_EXECUTE_READWRITE 0x40 #define PAGE_EXECUTE_WRITECOPY 0x80

Detection Patterns

Process Injection Indicators

Malfind indicators

- PAGE_EXECUTE_READWRITE protection (suspicious)

- MZ header in non-image VAD region

- Shellcode patterns at allocation start

Common injection techniques

1. Classic DLL Injection

- VirtualAllocEx + WriteProcessMemory + CreateRemoteThread

2. Process Hollowing

- CreateProcess (SUSPENDED) + NtUnmapViewOfSection + WriteProcessMemory

3. APC Injection

- QueueUserAPC targeting alertable threads

4. Thread Execution Hijacking

- SuspendThread + SetThreadContext + ResumeThread

Rootkit Detection

Compare process lists

vol -f memory.raw windows.pslist > pslist.txt vol -f memory.raw windows.psscan > psscan.txt diff pslist.txt psscan.txt # Hidden processes

Check for DKOM (Direct Kernel Object Manipulation)

vol -f memory.raw windows.callbacks

Detect hooked functions

vol -f memory.raw windows.ssdt # System Service Descriptor Table

Driver analysis

vol -f memory.raw windows.driverscan vol -f memory.raw windows.driverirp

Credential Extraction

Dump hashes (requires hivelist first)

vol -f memory.raw windows.hashdump

LSA secrets

vol -f memory.raw windows.lsadump

Cached domain credentials

vol -f memory.raw windows.cachedump

Mimikatz-style extraction

Requires specific plugins/tools

YARA Integration

Writing Memory YARA Rules

rule Suspicious_Injection { meta: description = "Detects common injection shellcode"

strings:
    // Common shellcode patterns
    $mz = { 4D 5A }
    $shellcode1 = { 55 8B EC 83 EC }  // Function prologue
    $api_hash = { 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 }  // Push hash, call

condition:
    $mz at 0 or any of ($shellcode*)

}

rule Cobalt_Strike_Beacon { meta: description = "Detects Cobalt Strike beacon in memory"

strings:
    $config = { 00 01 00 01 00 02 }
    $sleep = "sleeptime"
    $beacon = "%s (admin)" wide

condition:
    2 of them

}

Scanning Memory

Scan all process memory

vol -f memory.raw windows.yarascan --yara-rules rules.yar

Scan specific process

vol -f memory.raw windows.yarascan --yara-rules rules.yar --pid 1234

Scan kernel memory

vol -f memory.raw windows.yarascan --yara-rules rules.yar --kernel

String Analysis

Extracting Strings

Basic string extraction

strings -a memory.raw > all_strings.txt

Unicode strings

strings -el memory.raw >> all_strings.txt

Targeted extraction from process dump

vol -f memory.raw windows.memmap --pid 1234 --dump strings -a pid.1234.dmp > process_strings.txt

Pattern matching

grep -E "(https?://|[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3})" all_strings.txt

FLOSS for Obfuscated Strings

FLOSS extracts obfuscated strings

floss malware.exe > floss_output.txt

From memory dump

floss pid.1234.dmp

Best Practices

Acquisition Best Practices

• Minimize footprint: Use lightweight acquisition tools

• Document everything: Record time, tool, and hash of capture

• Verify integrity: Hash memory dump immediately after capture

• Chain of custody: Maintain proper forensic handling

Analysis Best Practices

• Start broad: Get overview before deep diving

• Cross-reference: Use multiple plugins for same data

• Timeline correlation: Correlate memory findings with disk/network

• Document findings: Keep detailed notes and screenshots

• Validate results: Verify findings through multiple methods

Common Pitfalls

• Stale data: Memory is volatile, analyze promptly

• Incomplete dumps: Verify dump size matches expected RAM

• Symbol issues: Ensure correct symbol files for OS version

• Smear: Memory may change during acquisition

• Encryption: Some data may be encrypted in memory

Iron Laws

• ALWAYS hash the memory dump immediately after acquisition — memory is volatile and can be challenged in court without a cryptographic integrity record proving the dump was not modified post-capture.

• NEVER analyze from the live system that produced the dump — writing analysis tool artifacts to the suspect system contaminates volatile evidence and invalidates forensic chain of custody.

• ALWAYS verify the OS profile before running plugins — wrong profile produces silently incorrect results; vol -f memory.raw windows.info must confirm OS version before any plugin output is trusted.

• NEVER use a single plugin to confirm a finding — pslist misses DKOM-hidden processes; cross-validate with psscan and pstree before reporting any process as hidden.

• ALWAYS work from a forensic copy, never the original dump — all analysis writes output files to the working directory; working on the original risks accidental modification of the evidence artifact.

Anti-Patterns

Anti-Pattern Why It Fails Correct Approach

Skipping acquisition hash Dump integrity cannot be proven in court or peer review; challenges invalidate all findings Hash immediately: sha256sum memory.raw > memory.raw.sha256 before any analysis

Wrong OS profile Incorrect offsets produce garbage output with no error — findings appear valid but are fabricated Run vol -f memory.raw windows.info first; confirm OS version and build before other plugins

Analyzing on the live suspect system Tool artifacts contaminate volatile evidence; file timestamps change; live-response tools modify RAM state Acquire dump, transfer to isolated analysis workstation, analyze the copy only

Trusting a single plugin DKOM rootkits hide from pslist linked-list traversal but appear in psscan pool scan Cross-validate process lists with at least pslist , psscan , and pstree before reporting

Missing timeline correlation Memory artifacts without disk/network context cannot establish causality or attacker timeline Correlate memory findings with event logs and PCAP before writing the incident report

Memory Protocol (MANDATORY)

Before starting: Read .claude/context/memory/learnings.md

After completing:

• New pattern -> .claude/context/memory/learnings.md

• Issue found -> .claude/context/memory/issues.md

• Decision made -> .claude/context/memory/decisions.md

ASSUME INTERRUPTION: If it's not in memory, it didn't happen.