conducting-memory-forensics-with-volatility

Conducting Memory Forensics with Volatility

When to Use

• An endpoint has been contained during an active incident and volatile evidence must be preserved
• EDR alerts suggest process injection or fileless malware that only exists in memory
• Encryption keys need to be recovered from a ransomware-infected system before shutdown
• Credential theft (Mimikatz, LSASS dumping) is suspected and evidence must be confirmed
• A rootkit or kernel-level compromise is suspected and disk-based analysis is insufficient

Do not use for analyzing disk images or file system artifacts; use disk forensics tools (Autopsy, FTK) for those tasks.

Prerequisites

• Memory acquisition tool deployed or available: WinPmem, Magnet RAM Capture, DumpIt, or AVML (Linux)
• Volatility 3 installed with Python 3.8+ and required symbol tables
• Sufficient storage for memory dumps (equal to system RAM size, typically 8-64 GB)
• YARA rules for malware detection in memory (Florian Roth's signature-base, custom rules)
• Reference baseline of normal processes and DLLs for the OS version being analyzed
• Chain of custody documentation for evidence handling

Workflow

Step 1: Acquire Memory Image

Capture RAM from the target system using a forensically sound method:

Windows (WinPmem):

winpmem_mini_x64.exe output.raw

Windows (Magnet RAM Capture):

MagnetRAMCapture.exe
# GUI-based, select output path, generates .raw file

Windows (DumpIt):

DumpIt.exe
# Creates memory dump in current directory automatically

Linux (AVML - Acquire Volatile Memory for Linux):

./avml output.lime

Document acquisition metadata:

Acquisition Record:
━━━━━━━━━━━━━━━━━
Target Host:      WKSTN-042
RAM Size:         16 GB
Dump File:        WKSTN-042_20251115_1445.raw
Dump Size:        16,843,612,160 bytes
SHA-256:          a4b3c2d1e5f6...
Acquisition Tool: WinPmem 4.0
Acquired By:      [Analyst Name]
Timestamp:        2025-11-15T14:45:00Z

Step 2: Identify the Operating System and Profile

Volatility 3 automatically identifies the OS, but verify:

# Get system information
vol -f WKSTN-042_20251115_1445.raw windows.info

# Output includes:
# OS: Windows 10 22H2 (Build 19045.3693)
# Kernel Base: 0xf8066c200000
# DTB: 0x1aa000
# Symbols: ntkrnlmp.pdb

Step 3: Analyze Running Processes

Examine the process tree for suspicious activity:

# List all running processes
vol -f memory.raw windows.pslist

# Show process tree (parent-child relationships)
vol -f memory.raw windows.pstree

# Scan for hidden/unlinked processes (rootkit detection)
vol -f memory.raw windows.psscan

# Compare pslist vs psscan to find hidden processes
# Processes in psscan but NOT in pslist may be hidden by rootkits

Key indicators of compromise in process analysis:

• svchost.exe running without -k parameter or with wrong parent (should be services.exe)
• csrss.exe or lsass.exe with abnormal parent process
• Processes with misspelled names (scvhost.exe, lssas.exe)
• Unusual processes spawned by outlook.exe, winword.exe, or excel.exe
• Multiple instances of processes that should be singletons (lsass.exe, smss.exe)

Step 4: Investigate Network Connections

Extract active and recently closed network connections:

# List all network connections
vol -f memory.raw windows.netscan

# Focus output fields:
# Offset    Proto  LocalAddr     LocalPort  ForeignAddr    ForeignPort  State     PID  Owner
# 0xe10...  TCPv4  10.1.5.42     49721     185.220.101.42  443         ESTAB     3847  update.exe

Cross-reference suspicious connections with the process tree to identify C2 communications. Look for:

• Connections to external IPs from unexpected processes
• High port numbers connecting to port 443/80 from non-browser processes
• Connections from svchost.exe or system processes to external IPs

Step 5: Detect Process Injection and Malware

Use malfind to identify injected code and memory-resident malware:

# Detect injected code in processes
vol -f memory.raw windows.malfind

# Output shows:
# PID  Process       Start      End        Tag  Protection  Hexdump/Disassembly
# 3847 explorer.exe  0x2a10000  0x2a14000  VadS PAGE_EXECUTE_READWRITE
# MZ header detected - injected PE

# Dump suspicious process memory
vol -f memory.raw windows.memmap --pid 3847 --dump

# List DLLs loaded by a suspicious process
vol -f memory.raw windows.dlllist --pid 3847

# Scan memory with YARA rules
vol -f memory.raw windows.yarascan --yara-file malware_rules.yar

Step 6: Extract Credentials and Artifacts

Recover sensitive data from memory:

# Dump registry hives from memory (for password hash extraction)
vol -f memory.raw windows.registry.hivelist
vol -f memory.raw windows.hashdump

# Extract command line history
vol -f memory.raw windows.cmdline

# List handles (files, registry keys, mutexes)
vol -f memory.raw windows.handles --pid 3847

# Extract clipboard contents
vol -f memory.raw windows.clipboard

# Dump cached files from memory
vol -f memory.raw windows.dumpfiles --pid 3847

Step 7: Generate Forensic Report

Compile findings into a structured analysis report documenting all evidence extracted from memory:

• Process anomalies with PIDs, parent processes, and timestamps
• Network connections with associated process context
• Injected code regions with memory protection flags
• Extracted IOCs (hashes, IPs, domains, mutexes, registry keys)
• YARA rule matches with rule names and match offsets
• Credential exposure (hashes found, accounts at risk)

Key Concepts

Term	Definition
Volatile Evidence	Data that exists only in RAM and is lost when a system is powered off; includes running processes, network connections, encryption keys
Process Injection	Technique where malware inserts code into a legitimate process's memory space to evade detection (malfind detects this)
EPROCESS	Windows kernel data structure representing a process; psscan searches for these structures even when unlinked from the active process list
VAD (Virtual Address Descriptor)	Windows kernel structure tracking memory regions allocated to a process; malfind examines VADs for executable but non-file-backed regions
Symbol Tables	OS-specific data structures that Volatility 3 uses to parse memory; downloaded automatically based on detected OS version
PAGE_EXECUTE_READWRITE	Memory protection flag indicating a region is readable, writable, and executable; common indicator of injected malicious code
Memory-Resident Malware	Malware that operates entirely in RAM without writing persistent files to disk, making it invisible to traditional disk-based antivirus

Tools & Systems

• Volatility 3: Primary open-source memory forensics framework; Python 3 rewrite with automatic symbol resolution
• WinPmem / DumpIt / Magnet RAM Capture: Memory acquisition tools for Windows systems
• AVML (Acquire Volatile Memory for Linux): Microsoft's open-source Linux memory acquisition tool
• YARA: Pattern matching engine for scanning memory dumps against malware signatures and behavioral rules
• MemProcFS: Memory analysis tool that presents memory as a virtual file system for intuitive browsing

Common Scenarios

Scenario: Detecting Cobalt Strike Beacon in Memory

Context: EDR detects suspicious named pipe activity but cannot identify the source. A memory dump is acquired from the suspect endpoint for analysis.

Approach:

1. Run windows.pstree to identify the process hierarchy and spot abnormal parent-child relationships
2. Run windows.malfind to detect injected code regions, particularly in svchost.exe or rundll32.exe
3. Dump the injected memory region and scan with YARA rules for Cobalt Strike beacon signatures
4. Run windows.netscan to identify C2 connections and correlate with the injected process PID
5. Extract the beacon configuration (C2 URLs, sleep time, jitter, watermark) using CobaltStrikeParser
6. Run windows.cmdline to identify any post-exploitation commands executed

Pitfalls:

• Analyzing only the process list without running malfind (missing injected code in legitimate processes)
• Not capturing memory before isolating the endpoint (EDR containment may trigger malware self-deletion)
• Using Volatility 2 profiles instead of Volatility 3 automatic symbol resolution on newer Windows versions

Output Format

MEMORY FORENSICS ANALYSIS REPORT
==================================
Incident:         INC-2025-1547
Evidence File:    WKSTN-042_20251115_1445.raw
SHA-256:          a4b3c2d1e5f6...
OS Identified:    Windows 10 22H2 (Build 19045)
Analysis Tool:    Volatility 3.2.0

PROCESS ANOMALIES
PID    Process         Parent       Anomaly
3847   update.exe      powershell   Suspicious executable in Temp directory
5102   svchost.exe     explorer     Wrong parent (expected services.exe)
---    [hidden]        ---          Found in psscan but not pslist

INJECTED CODE
PID    Process        Address Range        Protection              Finding
5102   svchost.exe    0x00A10000-0x00A14   PAGE_EXECUTE_READWRITE  MZ header (PE injection)

NETWORK CONNECTIONS
PID    Process      Local              Foreign             State
3847   update.exe   10.1.5.42:49721    185.220.101.42:443  ESTABLISHED
5102   svchost.exe  10.1.5.42:51003    91.215.85.17:8443   ESTABLISHED

YARA MATCHES
Rule: CobaltStrike_Beacon_x64
Match PID: 5102 (svchost.exe)
Offset: 0x00A10240

EXTRACTED IOCS
Hashes:     [SHA-256 of dumped injected code]
C2 IPs:     185.220.101.42, 91.215.85.17
C2 Domains: [extracted from beacon config]
Mutexes:    Global\MSCTF.Shared.MUTEX.ZRQ