Category: Memory (RAM) Forensics

Hello, aspiring Cyber Forensic Investigators. In our previous blogpost, you learnt in detail about digital forensics. In this article, you will learn about Memory Forensics. When most people think about digital forensics, they imagine hard drives, deleted files and disk images. While disk forensics is still important, many modern attacks leave their most valuable evidence somewhere else entirely—in system memory (RAM). This is where memory forensics comes in.

It focuses on analyzing volatile memory to understand what was happening on a system while it was running. For beginners, it can feel intimidating, but the core ideas are easier than they appear to be.

What Is Memory Forensics?

Memory forensics is the process of capturing and analyzing the contents of a system’s RAM to identify malicious activity, suspicious processes or any other unauthorized behavior. RAM contains data that never gets written to disk or only exists briefly, such as running processes, active network connections, encryption keys and injected code.

To put it simply, unlike disk forensics, which looks at what was stored, it looks at what was happening right now or just moments ago.

Why Memory Forensics Is Important?

Modern attacks often avoid writing files to disk. Instead, attackers rely on:

• In-memory malware
• Credential theft from running processes
• Fileless attacks using built-in tools
• Living-off-the-land techniques

If you only analyze the disk, you may completely miss these activities. Memory analysis helps investigators answer questions like:

• What processes were running?
• Was malicious code was injected into a legitimate process?
• Were there suspicious network connections?
• Were credentials present in memory?

For incident response, memory evidence is often the most time-sensitive and most revealing.

What Kind of Data Lives in RAM?

For beginners, it is very helpful to know what data RAM typically contains. It contains,

• Running processes – active programs and services
• Loaded modules and DLLs – libraries used by processes
• Network connections – open sockets and connections
• Command history – commands executed in shells
• Credentials and tokens – sometimes present in memory
• Injected or hidden code – common in advanced attacks

Not all of this data is always present, but memory analysis helps reveal relationships that disk analysis cannot.

Memory Forensics vs Disk Forensics

Understanding the difference between disk and memory forensics is critical. Here are the differences between them.

Disk Forensics:

• Focuses on files and file systems
• Evidence is persistent
• Slower to change
• Good for historical analysis

Memory Forensics:

• Focuses on processes and activity
• Evidence is volatile
• Changes constantly
• Best for live or recent incidents

Both approaches complement each other. Memory forensics rarely replaces disk forensics. It adds context and visibility.

Common Tools Used In Memory Forensics

One of the most widely used tools for memory analysis is Volatility Framework. It allows investigators to extract structured information from memory dumps, such as process lists, network connections and injected code. Other tools and frameworks exist, but beginners should focus on learning:

• How memory dumps are captured
• How analysis tools interpret operating system structures
• How to correlate memory findings with logs and disk evidence

The goal is to understand concepts, not memorize commands.

Typical Memory Forensics Workflow

A simplified beginner workflow of memory analysis looks like this:

1. Capture memory from a live system (before shutdown if possible)
2. Identify the operating system and profile
3. Analyze running processes
4. Review network connections and handles
5. Look for anomalies (hidden processes, unusual parent-child relationships)
6. Document findings and correlate with other evidence

Each step builds context rather than relying on a single indicator.

Challenges in Memory Forensics

This forensics comes with some real challenges. They are,

• Volatility of data: Once the system shuts down, RAM is gone
• Large data size: Memory dumps can be several gigabytes
• Complex output: Tools return technical results that require interpretation
• False positives: Not every unusual artifact is malicious

These challenges are normal. Beginners should focus on patterns and behavior, not perfection.

Best Practices for Beginners

If you’re new to memory forensics, you should always keep these principles in mind:

• Capture memory early during incidents
• Preserve original dumps and work on copies
• Correlate memory findings with logs and disk evidence
• Document assumptions and limitations
• Practice using labs, not real systems

Remember that this is a skill built through repetition and observation.

Conclusion

As attacks increasingly target identity, credentials and live processes, memory forensics has become a core DFIR skill. It is especially important in:

• Incident response
• Malware analysis
• Threat hunting
• Advanced investigations

For beginners, learning memory forensics also builds stronger understanding of operating systems and process behavior, which benefits both red and blue team roles. It teaches investigators to look beyond files and focus on live system behavior. While it may seem complex at first, the fundamentals are straightforward: capture memory, analyze activity and reconstruct what happened. In a world of fileless attacks and in-memory threats, memory forensics is no longer optional. it is an essential part of modern digital investigations.

Hello, aspiring Cyber Forensic Investigators. In our previous blogpost on Computer Forensics, you learnt about different types of forensics. In this article, you will learn about Volatility, a memory forensics tool. In modern digital forensics and incident response, analyzing volatile memory (RAM) has become just as important as examining hard drives to detect malware, running processes, encryption keys, open network connections etc. However, In-memory (RAM) artifacts often disappear the moment a system is powered off. This is where Volatility, the most widely used open-source memory forensics framework, becomes indispensable.

Whether you’re investigating malware, analyzing a compromised system or learning how attackers hide in memory, Volatility provides deep visibility into live system activity. In this beginners guide, we’ll explore what Volatility is, why it matters and how to start using it with practical commands that you can try in your forensic lab.

What is Volatility?

Volatility is an open-source memory forensics toolkit used to analyze RAM captures from Windows, Linux, macOS and Android systems. It allows cyber forensics investigators to extract information like,

• Running processes
• Loaded DLLs
• Network connections
• Registry hives
• Command history
• Browser artifacts
• Malware including rootkits
• Kernel modules
• Encryption keys
• Hidden or injected code

Volatility works with many memory image formats that include:

• Raw (.dd, .img)
• EWF (E01)
• Lime
• Crash dumps
• Hibernation files

Volatility is widely used by SOC teams, IR analysts, DFIR experts and forensic students because it exposes what was actually happening on a live machine even after the system is turned off.

Installing Volatility

Most forensic Linux distros include Volatility by default, but you can install it on Ubuntu/Kali with:

sudo apt update
sudo apt install volatility

Or for Volatility 3 (newer version):

pip install volatility3

For beginners, using Volatility 2 is easier due to its extensive plugin support.

Step-by-step guide for beginners

Let’s walk you through a step-by-setp guide for beginners to use this tool.

STEP 1: Identify the Image Profile

Before Volatility can start analyzing RAM, it needs to know the OS version and architecture running on target system. This can be detected using the command shown below.

volatility -f memory.img imageinfo

This output suggests profiles as given below:

Win7SP1x64
Win10x64

Pick the closest match from the output and use it while using all further commands.

STEP 2: List Running Processes

One of the first steps in memory forensics is to view what processes were active. The command shown below will reveal that information to us.

volatility -f memory.img --profile=Win7SP1x64 pslist

It will reveal information like:

• Process IDs
• Parent processes
• Timestamps

You can spot suspicious processes such as “cmd.exe” running under “explorer.exe”.

To identify hidden/unlinked processes, we should use command shown below.

volatility -f memory.img --profile=Win7SP1x64 psscan

If “psscan” finds a process missing from “pslist”, it may indicate malware or rootkit activity.

STEP 3: List Loaded DLLs

Malware often loads suspicious DLLs. These can be detected using Volatility as shown below.

volatility -f memory.img --profile=Win7SP1x64 dlllist

You should be looking for DLLs:

• Loaded from unusual directories
• With random names
• Not signed by known vendors

STEP 4: Check Network Connections

Network activity in RAM is also extremely valuable for incident response. To view the active network connections, use command shown below.

volatility -f memory.img --profile=Win7SP1x64 netscan

Using the above command, you can identify:

• External IP addresses the machine communicated with
• Ports used for C2 (Command & Control)
• Suspicious outbound connections

STEP 5: Extract Command History

Attackers frequently use PowerShell, cmd.exe or bash while hacking. We can use Volatility to recover parts of the command history.

For Windows CMD:

volatility -f memory.img --profile=Win7SP1x64 cmdscan

For consoles created by applications:

volatility -f memory.img --profile=Win7SP1x64 consoles

For PowerShell commands (Volatility 3 plugin):

volatility3 -f memory.img windows.shellbags

STEP 6: Dump a Process

Dumping a process helps us in malware analysis. First, dentify the PID of a suspicious process using “pslist” command and then dump it using command shown below.

volatility -f memory.img --profile=Win7SP1x64 procdump -p 1234 -D output/

You can then analyze the dumped file with tools like:

• Strings
• YARA
• Static AV engines
• Other reverse engineering tools

STEP 7: Extract Browser Artifacts

Volatility can also extract browsing history, cookies and even parts of open web sessions. For example, you want to extract browsing history, you can use command:

volatility -f memory.img --profile=Win7SP1x64 iehistory

For browsing history in Chrome (Volatility 3 plugin):

volatility3 -f memory.img windows.chromehistory

Importance of Volatility

1. Provides visibility unavailable in disk forensics

RAM contains live system data that never touches the disk. So attackers often execute their malicious code in RAM to stay undetected. Volatility provides visibility to this information.

2. Excellent for malware and rootkit investigations

Even the most stealthy malware typically leaves traces in memory. So, this tool plays a role here too.

3. Cross-platform support

Volatility supports RAM capture on Windows, Linux, macOS and Android.

4. Massive plugin ecosystem

Volatility has hundreds of plugins that allow deep and specialized analysis.

5. Open-source and trusted in DFIR

It is open-source and used by government agencies, SOC teams and forensic labs worldwide.

Conclusion

Volatility is one of the most important tools in the world of digital forensics and incident response. For beginners, it offers a hands-on way to learn how processes, DLLs, memory structures and malware operate behind the scenes. By mastering simple commands like “pslist”, “netscan”, “dlllist, and “procdump”, you gain a powerful skill set that can help uncover intrusions and understand attacker behavior. Whether you’re a student, a threat hunter or an aspiring DFIR analyst, Volatility is a tool you’ll use throughout your career.