memory-forensics

• Working on memory forensics tasks or workflows
• Needing guidance, best practices, or checklists for memory forensics

• The task is unrelated to memory forensics
• You need a different domain or tool outside this scope

• Clarify goals, constraints, and required inputs.
• Apply relevant best practices and validate outcomes.
• Provide actionable steps and verification.
• If detailed examples are required, open resources/implementation-playbook.md.

Live Acquisition Tools

#### Windows

```powershell

# WinPmem (Recommended)

winpmem_mini_x64.exe memory.raw

# DumpIt

DumpIt.exe

# Belkasoft RAM Capturer

# GUI-based, outputs raw format

# Magnet RAM Capture

# GUI-based, outputs raw format

```

#### Linux

```bash

# LiME (Linux Memory Extractor)

sudo insmod lime.ko "path=/tmp/memory.lime format=lime"

# /dev/mem (limited, requires permissions)

sudo dd if=/dev/mem of=memory.raw bs=1M

# /proc/kcore (ELF format)

sudo cp /proc/kcore memory.elf

```

#### macOS

```bash

# osxpmem

sudo ./osxpmem -o memory.raw

# MacQuisition (commercial)

```

Virtual Machine Memory

```bash

# VMware: .vmem file is raw memory

cp vm.vmem memory.raw

# VirtualBox: Use debug console

vboxmanage debugvm "VMName" dumpvmcore --filename memory.elf

# QEMU

virsh dump memory.raw --memory-only

# Hyper-V

# Checkpoint contains memory state

```

Installation and Setup

```bash

# Install Volatility 3

pip install volatility3

# Install symbol tables (Windows)

# Download from https://downloads.volatilityfoundation.org/volatility3/symbols/

# Basic usage

vol -f memory.raw

# With symbol path

vol -f memory.raw -s /path/to/symbols windows.pslist

```

Essential Plugins

#### Process Analysis

```bash

# List processes

vol -f memory.raw windows.pslist

# Process tree (parent-child relationships)

vol -f memory.raw windows.pstree

# Hidden process detection

vol -f memory.raw windows.psscan

# Process memory dumps

vol -f memory.raw windows.memmap --pid --dump

# Process environment variables

vol -f memory.raw windows.envars --pid

# Command line arguments

vol -f memory.raw windows.cmdline

```

#### Network Analysis

```bash

# Network connections

vol -f memory.raw windows.netscan

# Network connection state

vol -f memory.raw windows.netstat

```

#### DLL and Module Analysis

```bash

# Loaded DLLs per process

vol -f memory.raw windows.dlllist --pid

# Find hidden/injected DLLs

vol -f memory.raw windows.ldrmodules

# Kernel modules

vol -f memory.raw windows.modules

# Module dumps

vol -f memory.raw windows.moddump --pid

```

#### Memory Injection Detection

```bash

# Detect code injection

vol -f memory.raw windows.malfind

# VAD (Virtual Address Descriptor) analysis

vol -f memory.raw windows.vadinfo --pid

# Dump suspicious memory regions

vol -f memory.raw windows.vadyarascan --yara-rules rules.yar

```

#### Registry Analysis

```bash

# List registry hives

vol -f memory.raw windows.registry.hivelist

# Print registry key

vol -f memory.raw windows.registry.printkey --key "Software\Microsoft\Windows\CurrentVersion\Run"

# Dump registry hive

vol -f memory.raw windows.registry.hivescan --dump

```

#### File System Artifacts

```bash

# Scan for file objects

vol -f memory.raw windows.filescan

# Dump files from memory

vol -f memory.raw windows.dumpfiles --pid

# MFT analysis

vol -f memory.raw windows.mftscan

```

Linux Analysis

```bash

# Process listing

vol -f memory.raw linux.pslist

# Process tree

vol -f memory.raw linux.pstree

# Bash history

vol -f memory.raw linux.bash

# Network connections

vol -f memory.raw linux.sockstat

# Loaded kernel modules

vol -f memory.raw linux.lsmod

# Mount points

vol -f memory.raw linux.mount

# Environment variables

vol -f memory.raw linux.envars

```

macOS Analysis

```bash

# Process listing

vol -f memory.raw mac.pslist

# Process tree

vol -f memory.raw mac.pstree

# Network connections

vol -f memory.raw mac.netstat

# Kernel extensions

vol -f memory.raw mac.lsmod

```

Malware Analysis Workflow

```bash

# 1. Initial process survey

vol -f memory.raw windows.pstree > processes.txt

vol -f memory.raw windows.pslist > pslist.txt

# 2. Network connections

vol -f memory.raw windows.netscan > network.txt

# 3. Detect injection

vol -f memory.raw windows.malfind > malfind.txt

# 4. Analyze suspicious processes

vol -f memory.raw windows.dlllist --pid

vol -f memory.raw windows.handles --pid

# 5. Dump suspicious executables

vol -f memory.raw windows.pslist --pid --dump

# 6. Extract strings from dumps

strings -a pid..exe > strings.txt

# 7. YARA scanning

vol -f memory.raw windows.yarascan --yara-rules malware.yar

```

Incident Response Workflow

```bash

# 1. Timeline of events

vol -f memory.raw windows.timeliner > timeline.csv

# 2. User activity

vol -f memory.raw windows.cmdline

vol -f memory.raw windows.consoles

# 3. Persistence mechanisms

vol -f memory.raw windows.registry.printkey \

--key "Software\Microsoft\Windows\CurrentVersion\Run"

# 4. Services

vol -f memory.raw windows.svcscan

# 5. Scheduled tasks

vol -f memory.raw windows.scheduled_tasks

# 6. Recent files

vol -f memory.raw windows.filescan | grep -i "recent"

```

Windows Process Structures

```c

// EPROCESS (Executive Process)

typedef struct _EPROCESS {

KPROCESS Pcb; // Kernel process block

EX_PUSH_LOCK ProcessLock;

LARGE_INTEGER CreateTime;

LARGE_INTEGER ExitTime;

// ...

LIST_ENTRY ActiveProcessLinks; // Doubly-linked list

ULONG_PTR UniqueProcessId; // PID

// ...

PEB* Peb; // Process Environment Block

// ...

} EPROCESS;

// PEB (Process Environment Block)

typedef struct _PEB {

BOOLEAN InheritedAddressSpace;

BOOLEAN ReadImageFileExecOptions;

BOOLEAN BeingDebugged; // Anti-debug check

// ...

PVOID ImageBaseAddress; // Base address of executable

PPEB_LDR_DATA Ldr; // Loader data (DLL list)

PRTL_USER_PROCESS_PARAMETERS ProcessParameters;

// ...

} PEB;

```

VAD (Virtual Address Descriptor)

```c

typedef struct _MMVAD {

MMVAD_SHORT Core;

union {

ULONG LongFlags;

MMVAD_FLAGS VadFlags;

} u;

// ...

PVOID FirstPrototypePte;

PVOID LastContiguousPte;

// ...

PFILE_OBJECT FileObject;

} MMVAD;

// Memory protection flags

#define PAGE_EXECUTE 0x10

#define PAGE_EXECUTE_READ 0x20

#define PAGE_EXECUTE_READWRITE 0x40

#define PAGE_EXECUTE_WRITECOPY 0x80

```

Process Injection Indicators

```python

# Malfind indicators

# - PAGE_EXECUTE_READWRITE protection (suspicious)

# - MZ header in non-image VAD region

# - Shellcode patterns at allocation start

# Common injection techniques

# 1. Classic DLL Injection

# - VirtualAllocEx + WriteProcessMemory + CreateRemoteThread

# 2. Process Hollowing

# - CreateProcess (SUSPENDED) + NtUnmapViewOfSection + WriteProcessMemory

# 3. APC Injection

# - QueueUserAPC targeting alertable threads

# 4. Thread Execution Hijacking

# - SuspendThread + SetThreadContext + ResumeThread

```

Rootkit Detection

```bash

# Compare process lists

vol -f memory.raw windows.pslist > pslist.txt

vol -f memory.raw windows.psscan > psscan.txt

diff pslist.txt psscan.txt # Hidden processes

# Check for DKOM (Direct Kernel Object Manipulation)

vol -f memory.raw windows.callbacks

# Detect hooked functions

vol -f memory.raw windows.ssdt # System Service Descriptor Table

# Driver analysis

vol -f memory.raw windows.driverscan

vol -f memory.raw windows.driverirp

```

Credential Extraction

```bash

# Dump hashes (requires hivelist first)

vol -f memory.raw windows.hashdump

# LSA secrets

vol -f memory.raw windows.lsadump

# Cached domain credentials

vol -f memory.raw windows.cachedump

# Mimikatz-style extraction

# Requires specific plugins/tools

```

Writing Memory YARA Rules

```yara

rule Suspicious_Injection

{

meta:

description = "Detects common injection shellcode"

strings:

// Common shellcode patterns

$mz = { 4D 5A }

$shellcode1 = { 55 8B EC 83 EC } // Function prologue

$api_hash = { 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 } // Push hash, call

condition:

$mz at 0 or any of ($shellcode*)

}

rule Cobalt_Strike_Beacon

{

meta:

description = "Detects Cobalt Strike beacon in memory"

strings:

$config = { 00 01 00 01 00 02 }

$sleep = "sleeptime"

$beacon = "%s (admin)" wide

condition:

2 of them

}

```

Scanning Memory

```bash

# Scan all process memory

vol -f memory.raw windows.yarascan --yara-rules rules.yar

# Scan specific process

vol -f memory.raw windows.yarascan --yara-rules rules.yar --pid 1234

# Scan kernel memory

vol -f memory.raw windows.yarascan --yara-rules rules.yar --kernel

```

Extracting Strings

```bash

# Basic string extraction

strings -a memory.raw > all_strings.txt

# Unicode strings

strings -el memory.raw >> all_strings.txt

# Targeted extraction from process dump

vol -f memory.raw windows.memmap --pid 1234 --dump

strings -a pid.1234.dmp > process_strings.txt

# Pattern matching

grep -E "(https?://|[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})" all_strings.txt

```

FLOSS for Obfuscated Strings

```bash

# FLOSS extracts obfuscated strings

floss malware.exe > floss_output.txt

# From memory dump

floss pid.1234.dmp

```

Acquisition Best Practices

1. Minimize footprint: Use lightweight acquisition tools
2. Document everything: Record time, tool, and hash of capture
3. Verify integrity: Hash memory dump immediately after capture
4. Chain of custody: Maintain proper forensic handling

Analysis Best Practices

1. Start broad: Get overview before deep diving
2. Cross-reference: Use multiple plugins for same data
3. Timeline correlation: Correlate memory findings with disk/network
4. Document findings: Keep detailed notes and screenshots
5. Validate results: Verify findings through multiple methods

Common Pitfalls

• Stale data: Memory is volatile, analyze promptly
• Incomplete dumps: Verify dump size matches expected RAM
• Symbol issues: Ensure correct symbol files for OS version
• Smear: Memory may change during acquisition
• Encryption: Some data may be encrypted in memory