digital forensics

Performing Memory Forensics with Volatility 3

Analyze volatile memory dumps using Volatility 3 to extract running processes, network connections, loaded modules, and evidence of malicious activity.

forensicsincident-responsemalware-detectionmemory-forensicsram-analysisvolatility
Install this skill
npx skills add mukul975/Anthropic-Cybersecurity-Skills
Framework mappings

When to Use

  • When analyzing a RAM dump from a compromised or suspect system
  • During incident response to identify running malware, injected code, or rootkits
  • When you need to extract credentials, encryption keys, or network connections from memory
  • For detecting process hollowing, DLL injection, or hidden processes
  • When disk-based forensics alone is insufficient and volatile data is critical

Prerequisites

  • Python 3.7+ installed
  • Volatility 3 framework installed (pip install volatility3)
  • Memory dump in raw, ELF, or crash dump format
  • Appropriate symbol tables (ISF files) for the target OS version
  • Sufficient disk space for analysis output (2-3x memory dump size)
  • Optional: YARA rules for malware scanning in memory

Workflow

Step 1: Acquire Memory Dump and Install Volatility 3

# Install Volatility 3
pip install volatility3
 
# Or install from source for latest features
git clone https://github.com/volatilityfoundation/volatility3.git
cd volatility3
pip install -e .
 
# Download Windows symbol tables (ISF packs)
# Place in volatility3/symbols/ directory
wget https://downloads.volatilityfoundation.org/volatility3/symbols/windows.zip
unzip windows.zip -d /opt/volatility3/volatility3/symbols/
 
# Download Linux and Mac symbol packs
wget https://downloads.volatilityfoundation.org/volatility3/symbols/linux.zip
wget https://downloads.volatilityfoundation.org/volatility3/symbols/mac.zip
 
# Memory acquisition tools (for live systems):
# Windows: winpmem, DumpIt, FTK Imager
# Linux: LiME (Linux Memory Extractor)
sudo insmod lime-$(uname -r).ko "path=/cases/memory/linux_mem.lime format=lime"
 
# Verify the memory dump
file /cases/case-2024-001/memory/memory.raw
ls -lh /cases/case-2024-001/memory/memory.raw

Step 2: Identify the Operating System Profile

# Run banners plugin to identify the OS
vol -f /cases/case-2024-001/memory/memory.raw banners
 
# For Windows, identify the OS version
vol -f /cases/case-2024-001/memory/memory.raw windows.info
 
# Output example:
# Variable        Value
# Kernel Base     0xf8047e200000
# DTB             0x1ad000
# Symbols         ntkrnlmp.pdb/GUID
# Is64Bit         True
# IsPAE           False
# primary layer   Intel32e
# KdVersionBlock  0xf8047ee232c0
# Major/Minor     15.19041
# Machine Type    34404
# KeNumberProcessors 4
# SystemTime      2024-01-18 14:32:15 UTC
# NtBuildLab      19041.1.amd64fre.vb_release.191206-1406
# NtProductType   NtProductWinNt
# NtSystemRoot    C:\WINDOWS
# PE MajorOperatingSystemVersion 10
# PE MinorOperatingSystemVersion 0
 
# For Linux memory dumps
vol -f /cases/case-2024-001/memory/linux_mem.lime linux.info

Step 3: Enumerate Processes and Detect Anomalies

# List all running processes
vol -f /cases/case-2024-001/memory/memory.raw windows.pslist | tee /cases/case-2024-001/analysis/pslist.txt
 
# Show process tree (parent-child relationships)
vol -f /cases/case-2024-001/memory/memory.raw windows.pstree | tee /cases/case-2024-001/analysis/pstree.txt
 
# Detect hidden processes using cross-view analysis
vol -f /cases/case-2024-001/memory/memory.raw windows.psscan | tee /cases/case-2024-001/analysis/psscan.txt
 
# Compare pslist vs psscan to find hidden processes
diff <(vol -f memory.raw windows.pslist | awk '{print $1}' | sort) \
     <(vol -f memory.raw windows.psscan | awk '{print $1}' | sort)
 
# List DLLs loaded by a suspicious process (PID 4532)
vol -f /cases/case-2024-001/memory/memory.raw windows.dlllist --pid 4532
 
# Check for process hollowing and injection
vol -f /cases/case-2024-001/memory/memory.raw windows.malfind | tee /cases/case-2024-001/analysis/malfind.txt
 
# Dump suspicious process memory for further analysis
vol -f /cases/case-2024-001/memory/memory.raw windows.memmap --pid 4532 --dump \
   -o /cases/case-2024-001/analysis/dumps/

Step 4: Analyze Network Connections and Registry

# List active network connections
vol -f /cases/case-2024-001/memory/memory.raw windows.netscan | tee /cases/case-2024-001/analysis/netscan.txt
 
# Filter for established connections
vol -f /cases/case-2024-001/memory/memory.raw windows.netscan | grep ESTABLISHED
 
# Filter for listening ports
vol -f /cases/case-2024-001/memory/memory.raw windows.netscan | grep LISTENING
 
# Extract network connections with process mapping
vol -f /cases/case-2024-001/memory/memory.raw windows.netstat | tee /cases/case-2024-001/analysis/netstat.txt
 
# Dump registry hives from memory
vol -f /cases/case-2024-001/memory/memory.raw windows.registry.hivelist
 
# Extract specific registry keys
vol -f /cases/case-2024-001/memory/memory.raw windows.registry.printkey \
   --key "Software\Microsoft\Windows\CurrentVersion\Run"
 
# Check services
vol -f /cases/case-2024-001/memory/memory.raw windows.svcscan | tee /cases/case-2024-001/analysis/services.txt

Step 5: Extract Credentials and Sensitive Data

# Dump cached credentials (hashdump)
vol -f /cases/case-2024-001/memory/memory.raw windows.hashdump | tee /cases/case-2024-001/analysis/hashes.txt
 
# Extract LSA secrets
vol -f /cases/case-2024-001/memory/memory.raw windows.lsadump
 
# Dump cached domain credentials
vol -f /cases/case-2024-001/memory/memory.raw windows.cachedump
 
# Search for plaintext strings in process memory
vol -f /cases/case-2024-001/memory/memory.raw windows.strings --pid 4532 \
   | grep -iE '(password|credential|token|api.key)'
 
# Extract command history from cmd.exe/powershell
vol -f /cases/case-2024-001/memory/memory.raw windows.cmdline | tee /cases/case-2024-001/analysis/cmdline.txt
 
# Extract environment variables
vol -f /cases/case-2024-001/memory/memory.raw windows.envars --pid 4532

Step 6: Scan for Malware with YARA Rules

# Scan memory with YARA rules
vol -f /cases/case-2024-001/memory/memory.raw yarascan \
   --yara-file /opt/yara-rules/malware_index.yar | tee /cases/case-2024-001/analysis/yara_hits.txt
 
# Scan specific process memory
vol -f /cases/case-2024-001/memory/memory.raw yarascan \
   --yara-file /opt/yara-rules/apt_rules.yar --pid 4532
 
# Check loaded kernel modules for rootkits
vol -f /cases/case-2024-001/memory/memory.raw windows.modules | tee /cases/case-2024-001/analysis/modules.txt
 
# Detect unlinked/hidden modules
vol -f /cases/case-2024-001/memory/memory.raw windows.modscan | tee /cases/case-2024-001/analysis/modscan.txt
 
# Check for SSDT hooks (System Service Descriptor Table)
vol -f /cases/case-2024-001/memory/memory.raw windows.ssdt | grep -v "ntoskrnl\|win32k"
 
# Dump a suspicious executable from memory
vol -f /cases/case-2024-001/memory/memory.raw windows.dumpfiles --pid 4532 \
   -o /cases/case-2024-001/analysis/extracted/

Step 7: Compile Findings into a Report

# Generate comprehensive analysis summary
echo "=== MEMORY FORENSICS REPORT ===" > /cases/case-2024-001/analysis/memory_report.txt
echo "Image: memory.raw" >> /cases/case-2024-001/analysis/memory_report.txt
echo "OS: Windows 10 Build 19041" >> /cases/case-2024-001/analysis/memory_report.txt
echo "" >> /cases/case-2024-001/analysis/memory_report.txt
 
echo "--- Suspicious Processes ---" >> /cases/case-2024-001/analysis/memory_report.txt
cat /cases/case-2024-001/analysis/malfind.txt >> /cases/case-2024-001/analysis/memory_report.txt
 
echo "--- Network Connections ---" >> /cases/case-2024-001/analysis/memory_report.txt
cat /cases/case-2024-001/analysis/netscan.txt >> /cases/case-2024-001/analysis/memory_report.txt
 
echo "--- YARA Matches ---" >> /cases/case-2024-001/analysis/memory_report.txt
cat /cases/case-2024-001/analysis/yara_hits.txt >> /cases/case-2024-001/analysis/memory_report.txt
 
# Calculate hash of the memory dump for integrity
sha256sum /cases/case-2024-001/memory/memory.raw >> /cases/case-2024-001/analysis/memory_report.txt

Key Concepts

Concept Description
Volatile data Information that exists only in RAM and is lost when power is removed
Process hollowing Technique where malware replaces legitimate process memory with malicious code
DLL injection Loading unauthorized DLLs into a running process address space
EPROCESS Windows kernel structure representing a process; basis for process listing
Pool scanning Searching memory for kernel object signatures to find hidden artifacts
VAD (Virtual Address Descriptor) Memory management structure tracking process virtual memory regions
ISF (Intermediate Symbol Format) Volatility 3 symbol table format for OS-specific structure definitions
Malfind Plugin detecting injected code by examining VAD permissions and content

Tools & Systems

Tool Purpose
Volatility 3 Primary open-source memory forensics framework
LiME Linux Memory Extractor for acquiring Linux RAM dumps
WinPmem Windows physical memory acquisition driver
DumpIt Comae one-click Windows memory dump utility
YARA Pattern matching engine for malware signature scanning
Rekall Alternative memory forensics framework (Google)
MemProcFS Memory process file system for memory analysis
strings Extract printable strings from binary memory dumps

Common Scenarios

Scenario 1: Active Malware Investigation Acquire memory with DumpIt, run pslist/pstree to identify suspicious processes, use malfind to detect injected code in svchost.exe, dump the injected memory segment, scan with YARA rules identifying Cobalt Strike beacon, extract C2 IP from netscan, correlate with network logs.

Scenario 2: Credential Theft After Breach Run hashdump and lsadump to extract cached credentials, identify mimikatz execution in cmdline output, check for lsass.exe memory dumps in filesystem artifacts, correlate with lateral movement evidence in network connections.

Scenario 3: Rootkit Detection Compare pslist (uses EPROCESS linked list) with psscan (pool scanning) to find unlinked processes, check modules vs modscan for hidden kernel drivers, examine SSDT for hooks redirecting system calls, dump suspicious modules for static analysis.

Scenario 4: Ransomware Incident Recovery Extract encryption keys from ransomware process memory before system shutdown, identify the ransomware variant using YARA, find the initial execution point through command line artifacts, map lateral movement via network connections.

Output Format

Memory Forensics Analysis:
  Image:            memory.raw (16 GB)
  OS Identified:    Windows 10 x64 Build 19041
  Capture Time:     2024-01-18 14:32:15 UTC
 
  Process Analysis:
    Total Processes:    87
    Hidden Processes:   2 (PIDs: 4532, 6128)
    Injected Processes: 3 (malfind detections)
    Suspicious:         svchost.exe (PID 4532) - injected code at 0x7FFE0000
 
  Network Connections:
    Total:        45
    Established:  12
    Suspicious:   3 (C2 connections to 185.xx.xx.xx:443)
 
  Credentials Found:
    NTLM Hashes:      4 accounts
    Cached Creds:      2 domain accounts
 
  YARA Matches:
    CobaltStrike_Beacon:  PID 4532 (3 hits)
    Mimikatz_Memory:      PID 6128 (1 hit)
 
  Extracted Artifacts:   15 files dumped to /analysis/extracted/
Source materials

References and resources

Everything below is rendered for inspection. Script files are read-only and never run.

References 1

api-reference.md1.8 KB

API Reference: Memory Forensics with Volatility 3

Volatility 3 CLI

Plugin Description
windows.info OS version, kernel base, system time
windows.pslist List processes via EPROCESS linked list
windows.pstree Process tree with parent-child relationships
windows.psscan Pool scan for processes (finds hidden)
windows.malfind Detect injected code in process memory
windows.netscan Active network connections and listening ports
windows.cmdline Command line arguments for all processes
windows.dlllist DLLs loaded per process
windows.hashdump Extract cached NTLM password hashes
windows.lsadump LSA secrets from memory
windows.svcscan Windows services enumeration
windows.modules Loaded kernel modules
windows.modscan Pool scan for kernel modules (finds hidden)
windows.registry.hivelist List registry hives in memory
windows.registry.printkey Print specific registry key values
yarascan Scan memory with YARA rules
windows.memmap Dump process memory to disk

Common Flags

Flag Description
-f <file> Memory dump file path
--pid <pid> Filter by process ID
--dump Dump matched content to files
-o <dir> Output directory for dumps
--yara-file <file> YARA rules file for scanning

Python Libraries

Library Version Purpose
subprocess stdlib Execute Volatility 3 CLI commands
re stdlib Parse plugin output

References

Scripts 1

agent.py5.6 KB
Display-only source. This catalog never executes bundled scripts.
#!/usr/bin/env python3
"""Agent for performing memory forensics with Volatility 3.

Automates memory dump analysis including process enumeration,
network connection extraction, malware detection, and credential
extraction using Volatility 3 framework via subprocess.
"""

import subprocess
import json
import sys
import re
from pathlib import Path


class MemoryForensicsAgent:
    """Automates Volatility 3 memory forensics analysis."""

    def __init__(self, memory_dump, output_dir):
        self.memory_dump = memory_dump
        self.output_dir = Path(output_dir)
        self.output_dir.mkdir(parents=True, exist_ok=True)

    def _run_vol(self, plugin, extra_args=None):
        """Execute a Volatility 3 plugin and return output."""
        cmd = ["vol", "-f", self.memory_dump, plugin]
        if extra_args:
            cmd.extend(extra_args)
        result = subprocess.run(cmd, capture_output=True, text=True, timeout=300)
        return {"output": result.stdout, "stderr": result.stderr, "rc": result.returncode}

    def get_os_info(self):
        """Identify the operating system from the memory dump."""
        result = self._run_vol("windows.info")
        if result["rc"] != 0:
            result = self._run_vol("linux.info")
        return result

    def list_processes(self):
        """List all running processes."""
        return self._run_vol("windows.pslist")

    def get_process_tree(self):
        """Show process tree with parent-child relationships."""
        return self._run_vol("windows.pstree")

    def scan_hidden_processes(self):
        """Scan for hidden/unlinked processes via pool scanning."""
        return self._run_vol("windows.psscan")

    def detect_injected_code(self):
        """Detect process injection via malfind plugin."""
        return self._run_vol("windows.malfind")

    def get_network_connections(self):
        """Extract active network connections."""
        return self._run_vol("windows.netscan")

    def get_command_lines(self):
        """Extract command lines for all processes."""
        return self._run_vol("windows.cmdline")

    def dump_process_memory(self, pid):
        """Dump memory of a specific process."""
        dump_dir = self.output_dir / "process_dumps"
        dump_dir.mkdir(exist_ok=True)
        return self._run_vol("windows.memmap", [
            "--pid", str(pid), "--dump", "-o", str(dump_dir)
        ])

    def extract_hashes(self):
        """Extract cached password hashes."""
        return self._run_vol("windows.hashdump")

    def scan_with_yara(self, yara_file):
        """Scan memory with YARA rules."""
        return self._run_vol("yarascan", ["--yara-file", yara_file])

    def get_registry_keys(self, key_path):
        """Extract specific registry keys from memory."""
        return self._run_vol("windows.registry.printkey", ["--key", key_path])

    def list_services(self):
        """List Windows services from memory."""
        return self._run_vol("windows.svcscan")

    def list_loaded_modules(self):
        """List loaded kernel modules."""
        return self._run_vol("windows.modules")

    def scan_hidden_modules(self):
        """Scan for hidden kernel modules."""
        return self._run_vol("windows.modscan")

    def get_dll_list(self, pid=None):
        """List DLLs loaded by processes."""
        args = ["--pid", str(pid)] if pid else []
        return self._run_vol("windows.dlllist", args if args else None)

    def detect_anomalies(self):
        """Compare pslist vs psscan to find hidden processes."""
        pslist = self._run_vol("windows.pslist")
        psscan = self._run_vol("windows.psscan")

        pslist_pids = set(re.findall(r"^\s*(\d+)\s", pslist["output"], re.MULTILINE))
        psscan_pids = set(re.findall(r"^\s*(\d+)\s", psscan["output"], re.MULTILINE))

        hidden = psscan_pids - pslist_pids
        return {
            "pslist_count": len(pslist_pids),
            "psscan_count": len(psscan_pids),
            "hidden_pids": sorted(hidden),
            "hidden_count": len(hidden),
        }

    def generate_report(self, yara_file=None):
        """Run comprehensive memory analysis and generate report."""
        report = {
            "memory_dump": self.memory_dump,
            "os_info": self.get_os_info()["output"][:500],
        }

        report["process_list"] = self.list_processes()["output"]
        report["process_tree"] = self.get_process_tree()["output"]
        report["malfind"] = self.detect_injected_code()["output"]
        report["network"] = self.get_network_connections()["output"]
        report["cmdline"] = self.get_command_lines()["output"]
        report["hashes"] = self.extract_hashes()["output"]
        report["services"] = self.list_services()["output"][:2000]
        report["hidden_processes"] = self.detect_anomalies()

        if yara_file:
            report["yara_hits"] = self.scan_with_yara(yara_file)["output"]

        report_path = self.output_dir / "memory_forensics_report.json"
        with open(report_path, "w") as f:
            json.dump(report, f, indent=2)

        print(f"Memory Forensics Report: {report_path}")
        print(f"Hidden processes: {report['hidden_processes']['hidden_count']}")
        if report["malfind"]["output"].strip():
            print("Malfind detections found - check report for details")
        return report


def main():
    if len(sys.argv) < 3:
        print("Usage: agent.py <memory_dump> <output_dir> [yara_rules]")
        sys.exit(1)

    memory_dump = sys.argv[1]
    output_dir = sys.argv[2]
    yara_file = sys.argv[3] if len(sys.argv) > 3 else None

    agent = MemoryForensicsAgent(memory_dump, output_dir)
    agent.generate_report(yara_file)


if __name__ == "__main__":
    main()
Keep exploring