incident response

Conducting Memory Forensics with Volatility

Performs memory forensics analysis using Volatility 3 to extract evidence of malware execution, process injection, network connections, and credential theft from RAM dumps captured during incident response. Covers memory acquisition, process analysis, DLL inspection, and malware detection. Activates for requests involving memory forensics, RAM analysis, Volatility framework, memory dump investigation, volatile evidence analysis, or live memory acquisition.

dfirmemory-forensicsprocess-injectionram-analysisvolatility
Install this skill
npx skills add mukul975/Anthropic-Cybersecurity-Skills
Framework mappings

When to Use

  • An endpoint has been contained during an active incident and volatile evidence must be preserved
  • EDR alerts suggest process injection or fileless malware that only exists in memory
  • Encryption keys need to be recovered from a ransomware-infected system before shutdown
  • Credential theft (Mimikatz, LSASS dumping) is suspected and evidence must be confirmed
  • A rootkit or kernel-level compromise is suspected and disk-based analysis is insufficient

Do not use for analyzing disk images or file system artifacts; use disk forensics tools (Autopsy, FTK) for those tasks.

Prerequisites

  • Memory acquisition tool deployed or available: WinPmem, Magnet RAM Capture, DumpIt, or AVML (Linux)
  • Volatility 3 installed with Python 3.8+ and required symbol tables
  • Sufficient storage for memory dumps (equal to system RAM size, typically 8-64 GB)
  • YARA rules for malware detection in memory (Florian Roth's signature-base, custom rules)
  • Reference baseline of normal processes and DLLs for the OS version being analyzed
  • Chain of custody documentation for evidence handling

Workflow

Step 1: Acquire Memory Image

Capture RAM from the target system using a forensically sound method:

Windows (WinPmem):

winpmem_mini_x64.exe output.raw

Windows (Magnet RAM Capture):

MagnetRAMCapture.exe
# GUI-based, select output path, generates .raw file

Windows (DumpIt):

DumpIt.exe
# Creates memory dump in current directory automatically

Linux (AVML - Acquire Volatile Memory for Linux):

./avml output.lime

Document acquisition metadata:

Acquisition Record:
━━━━━━━━━━━━━━━━━
Target Host:      WKSTN-042
RAM Size:         16 GB
Dump File:        WKSTN-042_20251115_1445.raw
Dump Size:        16,843,612,160 bytes
SHA-256:          a4b3c2d1e5f6...
Acquisition Tool: WinPmem 4.0
Acquired By:      [Analyst Name]
Timestamp:        2025-11-15T14:45:00Z

Step 2: Identify the Operating System and Profile

Volatility 3 automatically identifies the OS, but verify:

# Get system information
vol -f WKSTN-042_20251115_1445.raw windows.info
 
# Output includes:
# OS: Windows 10 22H2 (Build 19045.3693)
# Kernel Base: 0xf8066c200000
# DTB: 0x1aa000
# Symbols: ntkrnlmp.pdb

Step 3: Analyze Running Processes

Examine the process tree for suspicious activity:

# List all running processes
vol -f memory.raw windows.pslist
 
# Show process tree (parent-child relationships)
vol -f memory.raw windows.pstree
 
# Scan for hidden/unlinked processes (rootkit detection)
vol -f memory.raw windows.psscan
 
# Compare pslist vs psscan to find hidden processes
# Processes in psscan but NOT in pslist may be hidden by rootkits

Key indicators of compromise in process analysis:

  • svchost.exe running without -k parameter or with wrong parent (should be services.exe)
  • csrss.exe or lsass.exe with abnormal parent process
  • Processes with misspelled names (scvhost.exe, lssas.exe)
  • Unusual processes spawned by outlook.exe, winword.exe, or excel.exe
  • Multiple instances of processes that should be singletons (lsass.exe, smss.exe)

Step 4: Investigate Network Connections

Extract active and recently closed network connections:

# List all network connections
vol -f memory.raw windows.netscan
 
# Focus output fields:
# Offset    Proto  LocalAddr     LocalPort  ForeignAddr    ForeignPort  State     PID  Owner
# 0xe10...  TCPv4  10.1.5.42     49721     185.220.101.42  443         ESTAB     3847  update.exe

Cross-reference suspicious connections with the process tree to identify C2 communications. Look for:

  • Connections to external IPs from unexpected processes
  • High port numbers connecting to port 443/80 from non-browser processes
  • Connections from svchost.exe or system processes to external IPs

Step 5: Detect Process Injection and Malware

Use malfind to identify injected code and memory-resident malware:

# Detect injected code in processes
vol -f memory.raw windows.malfind
 
# Output shows:
# PID  Process       Start      End        Tag  Protection  Hexdump/Disassembly
# 3847 explorer.exe  0x2a10000  0x2a14000  VadS PAGE_EXECUTE_READWRITE
# MZ header detected - injected PE
 
# Dump suspicious process memory
vol -f memory.raw windows.memmap --pid 3847 --dump
 
# List DLLs loaded by a suspicious process
vol -f memory.raw windows.dlllist --pid 3847
 
# Scan memory with YARA rules
vol -f memory.raw windows.yarascan --yara-file malware_rules.yar

Step 6: Extract Credentials and Artifacts

Recover sensitive data from memory:

# Dump registry hives from memory (for password hash extraction)
vol -f memory.raw windows.registry.hivelist
vol -f memory.raw windows.hashdump
 
# Extract command line history
vol -f memory.raw windows.cmdline
 
# List handles (files, registry keys, mutexes)
vol -f memory.raw windows.handles --pid 3847
 
# Extract clipboard contents
vol -f memory.raw windows.clipboard
 
# Dump cached files from memory
vol -f memory.raw windows.dumpfiles --pid 3847

Step 7: Generate Forensic Report

Compile findings into a structured analysis report documenting all evidence extracted from memory:

  • Process anomalies with PIDs, parent processes, and timestamps
  • Network connections with associated process context
  • Injected code regions with memory protection flags
  • Extracted IOCs (hashes, IPs, domains, mutexes, registry keys)
  • YARA rule matches with rule names and match offsets
  • Credential exposure (hashes found, accounts at risk)

Key Concepts

Term Definition
Volatile Evidence Data that exists only in RAM and is lost when a system is powered off; includes running processes, network connections, encryption keys
Process Injection Technique where malware inserts code into a legitimate process's memory space to evade detection (malfind detects this)
EPROCESS Windows kernel data structure representing a process; psscan searches for these structures even when unlinked from the active process list
VAD (Virtual Address Descriptor) Windows kernel structure tracking memory regions allocated to a process; malfind examines VADs for executable but non-file-backed regions
Symbol Tables OS-specific data structures that Volatility 3 uses to parse memory; downloaded automatically based on detected OS version
PAGE_EXECUTE_READWRITE Memory protection flag indicating a region is readable, writable, and executable; common indicator of injected malicious code
Memory-Resident Malware Malware that operates entirely in RAM without writing persistent files to disk, making it invisible to traditional disk-based antivirus

Tools & Systems

  • Volatility 3: Primary open-source memory forensics framework; Python 3 rewrite with automatic symbol resolution
  • WinPmem / DumpIt / Magnet RAM Capture: Memory acquisition tools for Windows systems
  • AVML (Acquire Volatile Memory for Linux): Microsoft's open-source Linux memory acquisition tool
  • YARA: Pattern matching engine for scanning memory dumps against malware signatures and behavioral rules
  • MemProcFS: Memory analysis tool that presents memory as a virtual file system for intuitive browsing

Common Scenarios

Scenario: Detecting Cobalt Strike Beacon in Memory

Context: EDR detects suspicious named pipe activity but cannot identify the source. A memory dump is acquired from the suspect endpoint for analysis.

Approach:

  1. Run windows.pstree to identify the process hierarchy and spot abnormal parent-child relationships
  2. Run windows.malfind to detect injected code regions, particularly in svchost.exe or rundll32.exe
  3. Dump the injected memory region and scan with YARA rules for Cobalt Strike beacon signatures
  4. Run windows.netscan to identify C2 connections and correlate with the injected process PID
  5. Extract the beacon configuration (C2 URLs, sleep time, jitter, watermark) using CobaltStrikeParser
  6. Run windows.cmdline to identify any post-exploitation commands executed

Pitfalls:

  • Analyzing only the process list without running malfind (missing injected code in legitimate processes)
  • Not capturing memory before isolating the endpoint (EDR containment may trigger malware self-deletion)
  • Using Volatility 2 profiles instead of Volatility 3 automatic symbol resolution on newer Windows versions

Output Format

MEMORY FORENSICS ANALYSIS REPORT
==================================
Incident:         INC-2025-1547
Evidence File:    WKSTN-042_20251115_1445.raw
SHA-256:          a4b3c2d1e5f6...
OS Identified:    Windows 10 22H2 (Build 19045)
Analysis Tool:    Volatility 3.2.0
 
PROCESS ANOMALIES
PID    Process         Parent       Anomaly
3847   update.exe      powershell   Suspicious executable in Temp directory
5102   svchost.exe     explorer     Wrong parent (expected services.exe)
---    [hidden]        ---          Found in psscan but not pslist
 
INJECTED CODE
PID    Process        Address Range        Protection              Finding
5102   svchost.exe    0x00A10000-0x00A14   PAGE_EXECUTE_READWRITE  MZ header (PE injection)
 
NETWORK CONNECTIONS
PID    Process      Local              Foreign             State
3847   update.exe   10.1.5.42:49721    185.220.101.42:443  ESTABLISHED
5102   svchost.exe  10.1.5.42:51003    91.215.85.17:8443   ESTABLISHED
 
YARA MATCHES
Rule: CobaltStrike_Beacon_x64
Match PID: 5102 (svchost.exe)
Offset: 0x00A10240
 
EXTRACTED IOCS
Hashes:     [SHA-256 of dumped injected code]
C2 IPs:     185.220.101.42, 91.215.85.17
C2 Domains: [extracted from beacon config]
Mutexes:    Global\MSCTF.Shared.MUTEX.ZRQ
Source materials

References and resources

Everything below is rendered for inspection. Script files are read-only and never run.

References 1

api-reference.md2.3 KB

API Reference: Memory Forensics Agent (Volatility 3)

Overview

Automates memory forensics analysis using Volatility 3: process listing, network connections, process injection detection, command line extraction, and hidden driver/rootkit detection.

Dependencies

Package Version Purpose
volatility3 >=2.0 Memory forensics framework (subprocess)

CLI Usage

python agent.py --memory-file memory.raw --output forensics_report.json

Key Functions

run_volatility(memory_file, plugin, extra_args)

Executes a Volatility 3 plugin via subprocess and parses tab-delimited output into dictionaries.

analyze_processes(memory_file)

Runs windows.pslist and flags processes matching known offensive tools (mimikatz, cobalt, meterpreter, psexec).

analyze_network_connections(memory_file)

Runs windows.netscan to extract network connections and filters for ESTABLISHED state.

detect_process_injection(memory_file)

Runs windows.malfind to detect injected code in process memory (RWX pages with executable content).

analyze_dlls(memory_file, pid)

Lists loaded DLLs for a specific process or all processes via windows.dlllist.

extract_command_history(memory_file)

Runs windows.cmdline and flags suspicious patterns (encoded PowerShell, credential dumping, LOLBins).

check_kernel_modules(memory_file)

Compares windows.modules with windows.driverscan to detect hidden/rootkit drivers.

Volatility 3 Plugins Used

Plugin Purpose
windows.pslist List running processes
windows.netscan Extract network connections
windows.malfind Detect process injection
windows.dlllist List loaded DLLs
windows.cmdline Extract command line arguments
windows.registry.hivelist List registry hives
windows.modules List kernel modules
windows.driverscan Scan for driver objects

Suspicious Process Indicators

Processes flagged: mimikatz, procdump, psexec, cobalt, beacon, meterpreter, nc.exe, ncat, certutil, bitsadmin, mshta, regsvr32, wscript, cscript.

Suspicious Command Patterns

Commands flagged: powershell -enc, invoke-expression, downloadstring, net user, sekurlsa, lsadump, reg save, vssadmin, certutil -urlcache, bitsadmin /transfer.

Scripts 1

agent.py6.6 KB
Display-only source. This catalog never executes bundled scripts.
#!/usr/bin/env python3
"""Memory Forensics Agent - Automates Volatility 3 analysis of memory dumps for incident response."""

import json
import logging
import argparse
import subprocess
from datetime import datetime

logging.basicConfig(level=logging.INFO, format="%(asctime)s [%(levelname)s] %(message)s")
logger = logging.getLogger(__name__)


def run_volatility(memory_file, plugin, extra_args=None):
    """Execute a Volatility 3 plugin and return parsed output."""
    cmd = ["vol", "-f", memory_file, plugin]
    if extra_args:
        cmd.extend(extra_args)
    result = subprocess.run(cmd, capture_output=True, text=True, timeout=600)
    if result.returncode != 0:
        logger.error("Volatility plugin %s failed: %s", plugin, result.stderr[:200])
        return []
    lines = result.stdout.strip().split("\n")
    if len(lines) < 2:
        return []
    headers = [h.strip() for h in lines[0].split("\t")]
    rows = []
    for line in lines[1:]:
        if line.strip() and not line.startswith("*"):
            fields = [f.strip() for f in line.split("\t")]
            if len(fields) == len(headers):
                rows.append(dict(zip(headers, fields)))
    logger.info("Plugin %s returned %d rows", plugin, len(rows))
    return rows


def analyze_processes(memory_file):
    """List running processes and identify suspicious ones."""
    processes = run_volatility(memory_file, "windows.pslist")
    suspicious = []
    suspicious_names = [
        "mimikatz", "procdump", "psexec", "cobalt", "beacon", "meterpreter",
        "nc.exe", "ncat", "powershell", "cmd.exe", "wscript", "cscript",
        "certutil", "bitsadmin", "mshta", "regsvr32",
    ]
    for proc in processes:
        name = proc.get("ImageFileName", "").lower()
        if any(s in name for s in suspicious_names):
            proc["suspicious_reason"] = "Known offensive tool"
            suspicious.append(proc)
    logger.info("Processes: %d total, %d suspicious", len(processes), len(suspicious))
    return processes, suspicious


def analyze_network_connections(memory_file):
    """Extract network connections and identify C2 communication."""
    connections = run_volatility(memory_file, "windows.netscan")
    established = [c for c in connections if c.get("State") == "ESTABLISHED"]
    logger.info("Network connections: %d total, %d established", len(connections), len(established))
    return connections, established


def detect_process_injection(memory_file):
    """Detect process injection using malfind plugin."""
    malfind_results = run_volatility(memory_file, "windows.malfind")
    injected = []
    for entry in malfind_results:
        injected.append({
            "pid": entry.get("PID", ""),
            "process": entry.get("Process", ""),
            "start_vpn": entry.get("Start VPN", ""),
            "protection": entry.get("Protection", ""),
            "tag": entry.get("Tag", ""),
        })
    logger.info("Malfind: %d potential injections detected", len(injected))
    return injected


def analyze_dlls(memory_file, pid=None):
    """List loaded DLLs for a process or all processes."""
    args = ["--pid", str(pid)] if pid else None
    dlls = run_volatility(memory_file, "windows.dlllist", args)
    return dlls


def extract_command_history(memory_file):
    """Extract command line history from process memory."""
    cmdline = run_volatility(memory_file, "windows.cmdline")
    suspicious_cmds = []
    indicators = [
        "powershell -enc", "invoke-expression", "downloadstring", "net user",
        "mimikatz", "sekurlsa", "lsadump", "reg save", "vssadmin",
        "certutil -urlcache", "bitsadmin /transfer",
    ]
    for entry in cmdline:
        args = entry.get("Args", "").lower()
        if any(ind in args for ind in indicators):
            entry["suspicious_reason"] = "Suspicious command pattern"
            suspicious_cmds.append(entry)
    logger.info("Command lines: %d total, %d suspicious", len(cmdline), len(suspicious_cmds))
    return cmdline, suspicious_cmds


def extract_registry_hives(memory_file):
    """List registry hives in memory."""
    hives = run_volatility(memory_file, "windows.registry.hivelist")
    logger.info("Registry hives: %d found", len(hives))
    return hives


def check_kernel_modules(memory_file):
    """List kernel modules and detect potential rootkits."""
    modules = run_volatility(memory_file, "windows.modules")
    drivers = run_volatility(memory_file, "windows.driverscan")
    hidden = []
    module_names = {m.get("Name", "").lower() for m in modules}
    for driver in drivers:
        if driver.get("Name", "").lower() not in module_names:
            hidden.append(driver)
            logger.warning("Hidden driver detected: %s", driver.get("Name"))
    return modules, hidden


def generate_forensics_report(memory_file, processes, suspicious_procs, connections,
                               injections, suspicious_cmds, hidden_drivers):
    """Generate memory forensics analysis report."""
    report = {
        "memory_image": memory_file,
        "analysis_timestamp": datetime.utcnow().isoformat(),
        "process_summary": {
            "total": len(processes),
            "suspicious": len(suspicious_procs),
            "details": suspicious_procs[:20],
        },
        "network_connections": {
            "established": len(connections),
            "details": connections[:20],
        },
        "process_injection": {
            "count": len(injections),
            "details": injections[:20],
        },
        "suspicious_commands": suspicious_cmds[:20],
        "hidden_drivers": hidden_drivers,
    }
    total_findings = len(suspicious_procs) + len(injections) + len(suspicious_cmds) + len(hidden_drivers)
    print(f"MEMORY FORENSICS REPORT - {total_findings} findings")
    return report


def main():
    parser = argparse.ArgumentParser(description="Memory Forensics Agent (Volatility 3)")
    parser.add_argument("--memory-file", required=True, help="Path to memory dump file")
    parser.add_argument("--output", default="memory_forensics_report.json")
    args = parser.parse_args()

    processes, suspicious = analyze_processes(args.memory_file)
    connections, established = analyze_network_connections(args.memory_file)
    injections = detect_process_injection(args.memory_file)
    cmdlines, suspicious_cmds = extract_command_history(args.memory_file)
    modules, hidden = check_kernel_modules(args.memory_file)

    report = generate_forensics_report(
        args.memory_file, processes, suspicious, established,
        injections, suspicious_cmds, hidden,
    )
    with open(args.output, "w") as f:
        json.dump(report, f, indent=2)
    logger.info("Report saved to %s", args.output)


if __name__ == "__main__":
    main()
Keep exploring