Master memory forensics techniques including memory acquisition, process analysis, and artifact extraction using Volatility and related tools. Use when analyzing memory dumps, investigating incidents, or performing malware analysis from RAM captures.
npx mdskills install sickn33/memory-forensics

Comprehensive memory forensics reference with extensive Volatility commands and multi-OS coverage
---
name: memory-forensics
description: Master memory forensics techniques including memory acquisition, process analysis, and artifact extraction using Volatility and related tools. Use when analyzing memory dumps, investigating incidents, or performing malware analysis from RAM captures.
---

# Memory Forensics

Comprehensive techniques for acquiring, analyzing, and extracting artifacts from memory dumps for incident response and malware analysis.

## Use this skill when

- Working on memory forensics tasks or workflows
- Needing guidance, best practices, or checklists for memory forensics

## Do not use this skill when

- The task is unrelated to memory forensics
- You need a different domain or tool outside this scope

## Instructions

- Clarify goals, constraints, and required inputs.
- Apply relevant best practices and validate outcomes.
- Provide actionable steps and verification.
- If detailed examples are required, open `resources/implementation-playbook.md`.

## Memory Acquisition

### Live Acquisition Tools

#### Windows
```powershell
# WinPmem (Recommended)
winpmem_mini_x64.exe memory.raw

# DumpIt
DumpIt.exe

# Belkasoft RAM Capturer
# GUI-based, outputs raw format

# Magnet RAM Capture
# GUI-based, outputs raw format
```

#### Linux
```bash
# LiME (Linux Memory Extractor)
sudo insmod lime.ko "path=/tmp/memory.lime format=lime"

# /dev/mem (limited, requires permissions)
sudo dd if=/dev/mem of=memory.raw bs=1M

# /proc/kcore (ELF format)
sudo cp /proc/kcore memory.elf
```

#### macOS
```bash
# osxpmem
sudo ./osxpmem -o memory.raw

# MacQuisition (commercial)
```

### Virtual Machine Memory

```bash
# VMware: .vmem file is raw memory
cp vm.vmem memory.raw

# VirtualBox: Use debug console
vboxmanage debugvm "VMName" dumpvmcore --filename memory.elf

# QEMU
virsh dump <domain> memory.raw --memory-only

# Hyper-V
# Checkpoint contains memory state
```

## Volatility 3 Framework

### Installation and Setup

```bash
# Install Volatility 3
pip install volatility3

# Install symbol tables (Windows)
# Download from https://downloads.volatilityfoundation.org/volatility3/symbols/

# Basic usage
vol -f memory.raw <plugin>

# With symbol path
vol -f memory.raw -s /path/to/symbols windows.pslist
```

### Essential Plugins

#### Process Analysis
```bash
# List processes
vol -f memory.raw windows.pslist

# Process tree (parent-child relationships)
vol -f memory.raw windows.pstree

# Hidden process detection
vol -f memory.raw windows.psscan

# Process memory dumps
vol -f memory.raw windows.memmap --pid <PID> --dump

# Process environment variables
vol -f memory.raw windows.envars --pid <PID>

# Command line arguments
vol -f memory.raw windows.cmdline
```

#### Network Analysis
```bash
# Network connections
vol -f memory.raw windows.netscan

# Network connection state
vol -f memory.raw windows.netstat
```

#### DLL and Module Analysis
```bash
# Loaded DLLs per process
vol -f memory.raw windows.dlllist --pid <PID>

# Find hidden/injected DLLs
vol -f memory.raw windows.ldrmodules

# Kernel modules
vol -f memory.raw windows.modules

# Module dumps (Volatility 2's moddump is the --dump option of windows.modules in Volatility 3)
vol -f memory.raw windows.modules --dump
```

#### Memory Injection Detection
```bash
# Detect code injection
vol -f memory.raw windows.malfind

# VAD (Virtual Address Descriptor) analysis
vol -f memory.raw windows.vadinfo --pid <PID>

# Dump the VAD regions of a process for offline inspection
vol -f memory.raw windows.vadinfo --pid <PID> --dump

# YARA-scan process VAD regions (--yara-file takes a rules file; --yara-rules takes an inline rule string)
vol -f memory.raw windows.vadyarascan --yara-file rules.yar
```

#### Registry Analysis
```bash
# List registry hives
vol -f memory.raw windows.registry.hivelist

# Print registry key
vol -f memory.raw windows.registry.printkey --key "Software\Microsoft\Windows\CurrentVersion\Run"

# Dump registry hives (hivescan only locates hive offsets; hivelist carries the --dump option)
vol -f memory.raw windows.registry.hivelist --dump
```

#### File System Artifacts
```bash
# Scan for file objects
vol -f memory.raw windows.filescan

# Dump files from memory
vol -f memory.raw windows.dumpfiles --pid <PID>

# MFT analysis
vol -f memory.raw windows.mftscan
```

### Linux Analysis

```bash
# Process listing
vol -f memory.raw linux.pslist

# Process tree
vol -f memory.raw linux.pstree

# Bash history
vol -f memory.raw linux.bash

# Network connections
vol -f memory.raw linux.sockstat

# Loaded kernel modules
vol -f memory.raw linux.lsmod

# Mount points
vol -f memory.raw linux.mount

# Environment variables
vol -f memory.raw linux.envars
```

### macOS Analysis

```bash
# Process listing
vol -f memory.raw mac.pslist

# Process tree
vol -f memory.raw mac.pstree

# Network connections
vol -f memory.raw mac.netstat

# Kernel extensions
vol -f memory.raw mac.lsmod
```

## Analysis Workflows

### Malware Analysis Workflow

```bash
# 1. Initial process survey
vol -f memory.raw windows.pstree > processes.txt
vol -f memory.raw windows.pslist > pslist.txt

# 2. Network connections
vol -f memory.raw windows.netscan > network.txt

# 3. Detect injection
vol -f memory.raw windows.malfind > malfind.txt

# 4. Analyze suspicious processes
vol -f memory.raw windows.dlllist --pid <PID>
vol -f memory.raw windows.handles --pid <PID>

# 5. Dump suspicious executables
vol -f memory.raw windows.pslist --pid <PID> --dump

# 6. Extract strings from dumps
strings -a pid.<PID>.exe > strings.txt

# 7. YARA scanning
vol -f memory.raw windows.yarascan --yara-file malware.yar
```

### Incident Response Workflow

```bash
# 1. Timeline of events (timeliner is a top-level plugin; -r csv selects the CSV renderer)
vol -f memory.raw -r csv timeliner > timeline.csv

# 2. User activity
vol -f memory.raw windows.cmdline
vol -f memory.raw windows.consoles

# 3. Persistence mechanisms
vol -f memory.raw windows.registry.printkey \
    --key "Software\Microsoft\Windows\CurrentVersion\Run"

# 4. Services
vol -f memory.raw windows.svcscan

# 5. Scheduled tasks
vol -f memory.raw windows.scheduled_tasks

# 6. Recent files
vol -f memory.raw windows.filescan | grep -i "recent"
```

## Data Structures

### Windows Process Structures

```c
// EPROCESS (Executive Process)
typedef struct _EPROCESS {
    KPROCESS Pcb;                     // Kernel process block
    EX_PUSH_LOCK ProcessLock;
    LARGE_INTEGER CreateTime;
    LARGE_INTEGER ExitTime;
    // ...
    LIST_ENTRY ActiveProcessLinks;    // Doubly-linked list walked by pslist
    ULONG_PTR UniqueProcessId;        // PID
    // ...
    PEB* Peb;                         // Process Environment Block
    // ...
} EPROCESS;

// PEB (Process Environment Block)
typedef struct _PEB {
    BOOLEAN InheritedAddressSpace;
    BOOLEAN ReadImageFileExecOptions;
    BOOLEAN BeingDebugged;            // Anti-debug check
    // ...
    PVOID ImageBaseAddress;           // Base address of executable
    PPEB_LDR_DATA Ldr;                // Loader data (DLL list)
    PRTL_USER_PROCESS_PARAMETERS ProcessParameters;
    // ...
} PEB;
```

### VAD (Virtual Address Descriptor)

```c
typedef struct _MMVAD {
    MMVAD_SHORT Core;
    union {
        ULONG LongFlags;
        MMVAD_FLAGS VadFlags;
    } u;
    // ...
    PVOID FirstPrototypePte;
    PVOID LastContiguousPte;
    // ...
    PFILE_OBJECT FileObject;          // NULL for private (non-file-backed) regions
} MMVAD;

// Memory protection flags
#define PAGE_EXECUTE            0x10
#define PAGE_EXECUTE_READ       0x20
#define PAGE_EXECUTE_READWRITE  0x40
#define PAGE_EXECUTE_WRITECOPY  0x80
```

## Detection Patterns

### Process Injection Indicators

**Malfind indicators**

- PAGE_EXECUTE_READWRITE protection (suspicious)
- MZ header in non-image VAD region
- Shellcode patterns at allocation start

**Common injection techniques (API sequences to look for)**

1. Classic DLL Injection: `VirtualAllocEx` + `WriteProcessMemory` + `CreateRemoteThread`
2. Process Hollowing: `CreateProcess` (SUSPENDED) + `NtUnmapViewOfSection` + `WriteProcessMemory`
3. APC Injection: `QueueUserAPC` targeting alertable threads
4. Thread Execution Hijacking: `SuspendThread` + `SetThreadContext` + `ResumeThread`

### Rootkit Detection

```bash
# Compare process lists (sort both first: the plugins emit the same columns in different order)
vol -f memory.raw windows.pslist > pslist.txt
vol -f memory.raw windows.psscan > psscan.txt
diff <(sort pslist.txt) <(sort psscan.txt)   # Processes only psscan finds are unlinked (DKOM) or terminated

# Kernel notification callbacks (process/thread/image-load hooks used by rootkits)
vol -f memory.raw windows.callbacks

# Detect hooked functions
vol -f memory.raw windows.ssdt   # System Service Descriptor Table

# Driver analysis
vol -f memory.raw windows.driverscan
vol -f memory.raw windows.driverirp
```

### Credential Extraction

```bash
# Dump SAM hashes (needs the SAM and SYSTEM hives to be present in the image)
vol -f memory.raw windows.hashdump

# LSA secrets
vol -f memory.raw windows.lsadump

# Cached domain credentials
vol -f memory.raw windows.cachedump

# Mimikatz-style extraction
# Requires specific plugins/tools
```

## YARA Integration

### Writing Memory YARA Rules

```yara
rule Suspicious_Injection
{
    meta:
        description = "Detects common injection shellcode"

    strings:
        // Common shellcode patterns
        $mz = { 4D 5A }
        $shellcode1 = { 55 8B EC 83 EC }                    // Function prologue
        $api_hash = { 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 }    // Push hash, call

    condition:
        // every declared string must be referenced, or yara refuses to compile the rule
        $mz at 0 or any of ($shellcode*) or $api_hash
}

rule Cobalt_Strike_Beacon
{
    meta:
        description = "Detects Cobalt Strike beacon in memory"

    strings:
        $config = { 00 01 00 01 00 02 }
        $sleep = "sleeptime"
        $beacon = "%s (admin)" wide

    condition:
        2 of them
}
```

### Scanning Memory

```bash
# Scan all process memory
vol -f memory.raw windows.yarascan --yara-file rules.yar

# Scan specific process
vol -f memory.raw windows.yarascan --yara-file rules.yar --pid 1234

# Scan kernel memory
vol -f memory.raw windows.yarascan --yara-file rules.yar --kernel
```

## String Analysis

### Extracting Strings

```bash
# Basic string extraction
strings -a memory.raw > all_strings.txt

# Unicode (UTF-16LE) strings
strings -el memory.raw >> all_strings.txt

# Targeted extraction from process dump
vol -f memory.raw windows.memmap --pid 1234 --dump
strings -a pid.1234.dmp > process_strings.txt

# Pattern matching
grep -E "(https?://|[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})" all_strings.txt
```

### FLOSS for Obfuscated Strings

```bash
# FLOSS extracts obfuscated strings
floss malware.exe > floss_output.txt

# From memory dump
floss pid.1234.dmp
```

## Best Practices

### Acquisition Best Practices

1. **Minimize footprint**: Use lightweight acquisition tools
2. **Document everything**: Record time, tool, and hash of capture
3. **Verify integrity**: Hash memory dump immediately after capture
4. **Chain of custody**: Maintain proper forensic handling

### Analysis Best Practices

1. **Start broad**: Get overview before deep diving
2. **Cross-reference**: Use multiple plugins for same data
3. **Timeline correlation**: Correlate memory findings with disk/network
4. **Document findings**: Keep detailed notes and screenshots
5. **Validate results**: Verify findings through multiple methods

### Common Pitfalls

- **Stale data**: Memory is volatile, analyze promptly
- **Incomplete dumps**: Verify dump size matches expected RAM
- **Symbol issues**: Ensure correct symbol files for OS version
- **Smear**: Memory may change during acquisition
- **Encryption**: Some data may be encrypted in memory
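The pslist-versus-psscan comparison from the Rootkit Detection section, scripted over Volatility 3's JSON renderer output. This is an added example, not part of the skill or of Volatility; the sample rows are constructed, and the column names (PID, PPID, ImageFileName, Offset(V), ExitTime) are assumed to match the renderer's headers for your Volatility version.

```python
import json

# Constructed sample of `vol -r json windows.pslist` and `windows.psscan` output
# (not real dump data). Field names are an assumption: compare them with the
# column headers your Volatility 3 build prints before using this on real output.
PSLIST_JSON = """[
 {"PID": 4,    "PPID": 0,    "ImageFileName": "System",       "Offset(V)": 4096,  "ExitTime": null},
 {"PID": 624,  "PPID": 4,    "ImageFileName": "smss.exe",     "Offset(V)": 8192,  "ExitTime": null},
 {"PID": 1337, "PPID": 624,  "ImageFileName": "explorer.exe", "Offset(V)": 12288, "ExitTime": null}
]"""
PSSCAN_JSON = """[
 {"PID": 4,    "PPID": 0,    "ImageFileName": "System",       "Offset(V)": 4096,  "ExitTime": null},
 {"PID": 624,  "PPID": 4,    "ImageFileName": "smss.exe",     "Offset(V)": 8192,  "ExitTime": null},
 {"PID": 1337, "PPID": 624,  "ImageFileName": "explorer.exe", "Offset(V)": 12288, "ExitTime": null},
 {"PID": 2222, "PPID": 1337, "ImageFileName": "notepad.exe",  "Offset(V)": 16384, "ExitTime": "2024-01-01 10:00:00"},
 {"PID": 3333, "PPID": 1337, "ImageFileName": "svch0st.exe",  "Offset(V)": 20480, "ExitTime": null}
]"""


def load_rows(text):
    """Parse renderer output; drop the nested __children key the tree renderer adds."""
    return [{k: v for k, v in row.items() if k != "__children"} for row in json.loads(text)]


def has_exited(row):
    """ExitTime is null or 'N/A' for a running process and a timestamp for a terminated one."""
    return row.get("ExitTime") not in (None, "", "N/A")


def hidden_processes(pslist_rows, psscan_rows):
    """Return psscan hits that the ActiveProcessLinks walk (pslist) never reached.

    Keyed on the EPROCESS offset rather than the PID, because Windows reuses PIDs.
    A hit with an ExitTime is a terminated process whose EPROCESS is still in pool
    memory (the usual psscan false positive); a hit with no ExitTime is a live
    process that was unlinked from the list, the classic DKOM rootkit signature.
    """
    linked = {row["Offset(V)"] for row in pslist_rows}
    findings = []
    for row in psscan_rows:
        if row["Offset(V)"] in linked:
            continue
        verdict = "terminated" if has_exited(row) else "HIDDEN"
        findings.append((verdict, row["PID"], row["ImageFileName"]))
    return findings


for verdict, pid, name in hidden_processes(load_rows(PSLIST_JSON), load_rows(PSSCAN_JSON)):
    print(f"{verdict:10} pid={pid:<6} {name}")
```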
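The malfind indicators listed under Process Injection Indicators, applied as a triage pass over VAD records and the first bytes of each region. This is an added example, not code from the skill or from Volatility: the rows are constructed in the shape of `windows.vadinfo` output with assumed field names (Start VPN, Protection, File), and the region bytes stand in for what `windows.vadinfo --dump` would write out. The page's PAGE_EXECUTE_* values are reused; the non-executable constants are the standard Win32 ones.

```python
# Win32 page-protection constants. The PAGE_EXECUTE_* values are the ones quoted in
# the VAD section; the others are the standard non-executable values.
PROTECTION = {
    "PAGE_NOACCESS": 0x01, "PAGE_READONLY": 0x02, "PAGE_READWRITE": 0x04, "PAGE_WRITECOPY": 0x08,
    "PAGE_EXECUTE": 0x10, "PAGE_EXECUTE_READ": 0x20, "PAGE_EXECUTE_READWRITE": 0x40,
    "PAGE_EXECUTE_WRITECOPY": 0x80,
}
EXECUTABLE_MASK = 0x10 | 0x20 | 0x40 | 0x80
WRITABLE_MASK = 0x04 | 0x08 | 0x40 | 0x80
X86_PROLOGUE = b"\x55\x8b\xec\x83\xec"  # push ebp; mov ebp,esp; sub esp,... (the $shellcode1 bytes)

# Constructed vadinfo-style rows (assumed field names) and the first bytes of each region.
VADS = [
    {"Start VPN": 0x7FF8A0000000, "Protection": "PAGE_EXECUTE_READ", "File": "\\Windows\\System32\\ntdll.dll"},
    {"Start VPN": 0x00A00000, "Protection": "PAGE_READWRITE", "File": ""},
    {"Start VPN": 0x02C40000, "Protection": "PAGE_EXECUTE_READWRITE", "File": ""},
    {"Start VPN": 0x03100000, "Protection": "PAGE_EXECUTE_READ", "File": ""},
]
REGION_HEAD = {
    0x7FF8A0000000: b"MZ\x90\x00",                 # legitimate, file-backed image
    0x00A00000: b"\x00" * 8,                       # ordinary heap
    0x02C40000: b"MZ\x90\x00\x03\x00",             # PE image with no backing file
    0x03100000: X86_PROLOGUE + b"\x10",            # code at the very start of a private region
}


def is_executable(protection):
    return bool(PROTECTION.get(protection, 0) & EXECUTABLE_MASK)


def is_writable(protection):
    return bool(PROTECTION.get(protection, 0) & WRITABLE_MASK)


def triage_vads(vads, region_head):
    """Return (start, [reasons]) for each non-file-backed VAD that trips a malfind indicator.

    File-backed regions are skipped on purpose: code there is expected, and
    ldrmodules/dlllist are the right tools for judging whether the file belongs.
    """
    findings = []
    for vad in vads:
        if vad.get("File"):
            continue
        start, prot = vad["Start VPN"], vad["Protection"]
        head = region_head.get(start, b"")
        reasons = []
        if is_executable(prot) and is_writable(prot):
            reasons.append("writable+executable private region")
        if head.startswith(b"MZ"):
            reasons.append("MZ header in non-image region")
        if is_executable(prot) and head.startswith(X86_PROLOGUE):
            reasons.append("function prologue at allocation start")
        if reasons:
            findings.append((start, reasons))
    return findings
```

A region that trips more than one indicator (such as the unbacked RWX PE image above) is the one to dump and YARA-scan first.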