Memory Forensics

1---2name: memory-forensics3description: Master memory forensics techniques including memory acquisition, process analysis, and artifact extraction using Volatility and related tools. Use when analyzing memory dumps, investigating incidents, or performing malware analysis from RAM captures.4---5 6# Memory Forensics7 8Comprehensive techniques for acquiring, analyzing, and extracting artifacts from memory dumps for incident response and malware analysis.9 10## Memory Acquisition11 12### Live Acquisition Tools13 14#### Windows15 16```powershell17# WinPmem (Recommended)18winpmem_mini_x64.exe memory.raw19 20# DumpIt21DumpIt.exe22 23# Belkasoft RAM Capturer24# GUI-based, outputs raw format25 26# Magnet RAM Capture27# GUI-based, outputs raw format28```29 30#### Linux31 32```bash33# LiME (Linux Memory Extractor)34sudo insmod lime.ko "path=/tmp/memory.lime format=lime"35 36# /dev/mem (limited, requires permissions)37sudo dd if=/dev/mem of=memory.raw bs=1M38 39# /proc/kcore (ELF format)40sudo cp /proc/kcore memory.elf41```42 43#### macOS44 45```bash46# osxpmem47sudo ./osxpmem -o memory.raw48 49# MacQuisition (commercial)50```51 52### Virtual Machine Memory53 54```bash55# VMware: .vmem file is raw memory56cp vm.vmem memory.raw57 58# VirtualBox: Use debug console59vboxmanage debugvm "VMName" dumpvmcore --filename memory.elf60 61# QEMU62virsh dump <domain> memory.raw --memory-only63 64# Hyper-V65# Checkpoint contains memory state66```67 68## Volatility 3 Framework69 70### Installation and Setup71 72```bash73# Install Volatility 374pip install volatility375 76# Install symbol tables (Windows)77# Download from https://downloads.volatilityfoundation.org/volatility3/symbols/78 79# Basic usage80vol -f memory.raw <plugin>81 82# With symbol path83vol -f memory.raw -s /path/to/symbols windows.pslist84```85 86### Essential Plugins87 88#### Process Analysis89 90```bash91# List processes92vol -f memory.raw windows.pslist93 94# Process tree (parent-child relationships)95vol -f memory.raw windows.pstree96 97# Hidden process detection98vol -f memory.raw windows.psscan99 100# Process memory dumps101vol -f memory.raw windows.memmap --pid <PID> --dump102 103# Process environment variables104vol -f memory.raw windows.envars --pid <PID>105 106# Command line arguments107vol -f memory.raw windows.cmdline108```109 110#### Network Analysis111 112```bash113# Network connections114vol -f memory.raw windows.netscan115 116# Network connection state117vol -f memory.raw windows.netstat118```119 120#### DLL and Module Analysis121 122```bash123# Loaded DLLs per process124vol -f memory.raw windows.dlllist --pid <PID>125 126# Find hidden/injected DLLs127vol -f memory.raw windows.ldrmodules128 129# Kernel modules130vol -f memory.raw windows.modules131 132# Module dumps133vol -f memory.raw windows.moddump --pid <PID>134```135 136#### Memory Injection Detection137 138```bash139# Detect code injection140vol -f memory.raw windows.malfind141 142# VAD (Virtual Address Descriptor) analysis143vol -f memory.raw windows.vadinfo --pid <PID>144 145# Dump suspicious memory regions146vol -f memory.raw windows.vadyarascan --yara-rules rules.yar147```148 149#### Registry Analysis150 151```bash152# List registry hives153vol -f memory.raw windows.registry.hivelist154 155# Print registry key156vol -f memory.raw windows.registry.printkey --key "Software\Microsoft\Windows\CurrentVersion\Run"157 158# Dump registry hive159vol -f memory.raw windows.registry.hivescan --dump160```161 162#### File System Artifacts163 164```bash165# Scan for file objects166vol -f memory.raw windows.filescan167 168# Dump files from memory169vol -f memory.raw windows.dumpfiles --pid <PID>170 171# MFT analysis172vol -f memory.raw windows.mftscan173```174 175### Linux Analysis176 177```bash178# Process listing179vol -f memory.raw linux.pslist180 181# Process tree182vol -f memory.raw linux.pstree183 184# Bash history185vol -f memory.raw linux.bash186 187# Network connections188vol -f memory.raw linux.sockstat189 190# Loaded kernel modules191vol -f memory.raw linux.lsmod192 193# Mount points194vol -f memory.raw linux.mount195 196# Environment variables197vol -f memory.raw linux.envars198```199 200### macOS Analysis201 202```bash203# Process listing204vol -f memory.raw mac.pslist205 206# Process tree207vol -f memory.raw mac.pstree208 209# Network connections210vol -f memory.raw mac.netstat211 212# Kernel extensions213vol -f memory.raw mac.lsmod214```215 216## Analysis Workflows217 218### Malware Analysis Workflow219 220```bash221# 1. Initial process survey222vol -f memory.raw windows.pstree > processes.txt223vol -f memory.raw windows.pslist > pslist.txt224 225# 2. Network connections226vol -f memory.raw windows.netscan > network.txt227 228# 3. Detect injection229vol -f memory.raw windows.malfind > malfind.txt230 231# 4. Analyze suspicious processes232vol -f memory.raw windows.dlllist --pid <PID>233vol -f memory.raw windows.handles --pid <PID>234 235# 5. Dump suspicious executables236vol -f memory.raw windows.pslist --pid <PID> --dump237 238# 6. Extract strings from dumps239strings -a pid.<PID>.exe > strings.txt240 241# 7. YARA scanning242vol -f memory.raw windows.yarascan --yara-rules malware.yar243```244 245### Incident Response Workflow246 247```bash248# 1. Timeline of events249vol -f memory.raw windows.timeliner > timeline.csv250 251# 2. User activity252vol -f memory.raw windows.cmdline253vol -f memory.raw windows.consoles254 255# 3. Persistence mechanisms256vol -f memory.raw windows.registry.printkey \257    --key "Software\Microsoft\Windows\CurrentVersion\Run"258 259# 4. Services260vol -f memory.raw windows.svcscan261 262# 5. Scheduled tasks263vol -f memory.raw windows.scheduled_tasks264 265# 6. Recent files266vol -f memory.raw windows.filescan | grep -i "recent"267```268 269## Data Structures270 271### Windows Process Structures272 273```c274// EPROCESS (Executive Process)275typedef struct _EPROCESS {276    KPROCESS Pcb;                    // Kernel process block277    EX_PUSH_LOCK ProcessLock;278    LARGE_INTEGER CreateTime;279    LARGE_INTEGER ExitTime;280    // ...281    LIST_ENTRY ActiveProcessLinks;   // Doubly-linked list282    ULONG_PTR UniqueProcessId;       // PID283    // ...284    PEB* Peb;                        // Process Environment Block285    // ...286} EPROCESS;287 288// PEB (Process Environment Block)289typedef struct _PEB {290    BOOLEAN InheritedAddressSpace;291    BOOLEAN ReadImageFileExecOptions;292    BOOLEAN BeingDebugged;           // Anti-debug check293    // ...294    PVOID ImageBaseAddress;          // Base address of executable295    PPEB_LDR_DATA Ldr;              // Loader data (DLL list)296    PRTL_USER_PROCESS_PARAMETERS ProcessParameters;297    // ...298} PEB;299```300 301### VAD (Virtual Address Descriptor)302 303```c304typedef struct _MMVAD {305    MMVAD_SHORT Core;306    union {307        ULONG LongFlags;308        MMVAD_FLAGS VadFlags;309    } u;310    // ...311    PVOID FirstPrototypePte;312    PVOID LastContiguousPte;313    // ...314    PFILE_OBJECT FileObject;315} MMVAD;316 317// Memory protection flags318#define PAGE_EXECUTE           0x10319#define PAGE_EXECUTE_READ      0x20320#define PAGE_EXECUTE_READWRITE 0x40321#define PAGE_EXECUTE_WRITECOPY 0x80322```323 324## Detection Patterns325 326### Process Injection Indicators327 328```python329# Malfind indicators330# - PAGE_EXECUTE_READWRITE protection (suspicious)331# - MZ header in non-image VAD region332# - Shellcode patterns at allocation start333 334# Common injection techniques335# 1. Classic DLL Injection336#    - VirtualAllocEx + WriteProcessMemory + CreateRemoteThread337 338# 2. Process Hollowing339#    - CreateProcess (SUSPENDED) + NtUnmapViewOfSection + WriteProcessMemory340 341# 3. APC Injection342#    - QueueUserAPC targeting alertable threads343 344# 4. Thread Execution Hijacking345#    - SuspendThread + SetThreadContext + ResumeThread346```347 348### Rootkit Detection349 350```bash351# Compare process lists352vol -f memory.raw windows.pslist > pslist.txt353vol -f memory.raw windows.psscan > psscan.txt354diff pslist.txt psscan.txt  # Hidden processes355 356# Check for DKOM (Direct Kernel Object Manipulation)357vol -f memory.raw windows.callbacks358 359# Detect hooked functions360vol -f memory.raw windows.ssdt  # System Service Descriptor Table361 362# Driver analysis363vol -f memory.raw windows.driverscan364vol -f memory.raw windows.driverirp365```366 367### Credential Extraction368 369```bash370# Dump hashes (requires hivelist first)371vol -f memory.raw windows.hashdump372 373# LSA secrets374vol -f memory.raw windows.lsadump375 376# Cached domain credentials377vol -f memory.raw windows.cachedump378 379# Mimikatz-style extraction380# Requires specific plugins/tools381```382 383## YARA Integration384 385### Writing Memory YARA Rules386 387```yara388rule Suspicious_Injection389{390    meta:391        description = "Detects common injection shellcode"392 393    strings:394        // Common shellcode patterns395        $mz = { 4D 5A }396        $shellcode1 = { 55 8B EC 83 EC }  // Function prologue397        $api_hash = { 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 }  // Push hash, call398 399    condition:400        $mz at 0 or any of ($shellcode*)401}402 403rule Cobalt_Strike_Beacon404{405    meta:406        description = "Detects Cobalt Strike beacon in memory"407 408    strings:409        $config = { 00 01 00 01 00 02 }410        $sleep = "sleeptime"411        $beacon = "%s (admin)" wide412 413    condition:414        2 of them415}416```417 418### Scanning Memory419 420```bash421# Scan all process memory422vol -f memory.raw windows.yarascan --yara-rules rules.yar423 424# Scan specific process425vol -f memory.raw windows.yarascan --yara-rules rules.yar --pid 1234426 427# Scan kernel memory428vol -f memory.raw windows.yarascan --yara-rules rules.yar --kernel429```430 431## String Analysis432 433### Extracting Strings434 435```bash436# Basic string extraction437strings -a memory.raw > all_strings.txt438 439# Unicode strings440strings -el memory.raw >> all_strings.txt441 442# Targeted extraction from process dump443vol -f memory.raw windows.memmap --pid 1234 --dump444strings -a pid.1234.dmp > process_strings.txt445 446# Pattern matching447grep -E "(https?://|[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})" all_strings.txt448```449 450### FLOSS for Obfuscated Strings451 452```bash453# FLOSS extracts obfuscated strings454floss malware.exe > floss_output.txt455 456# From memory dump457floss pid.1234.dmp458```459 460## Best Practices461 462### Acquisition Best Practices463 4641. **Minimize footprint**: Use lightweight acquisition tools4652. **Document everything**: Record time, tool, and hash of capture4663. **Verify integrity**: Hash memory dump immediately after capture4674. **Chain of custody**: Maintain proper forensic handling468 469### Analysis Best Practices470 4711. **Start broad**: Get overview before deep diving4722. **Cross-reference**: Use multiple plugins for same data4733. **Timeline correlation**: Correlate memory findings with disk/network4744. **Document findings**: Keep detailed notes and screenshots4755. **Validate results**: Verify findings through multiple methods476 477### Common Pitfalls478 479- **Stale data**: Memory is volatile, analyze promptly480- **Incomplete dumps**: Verify dump size matches expected RAM481- **Symbol issues**: Ensure correct symbol files for OS version482- **Smear**: Memory may change during acquisition483- **Encryption**: Some data may be encrypted in memory