Memory forensics is the discipline of examining volatile memory (RAM) to find evidence that disk-only forensics miss. Credentials cached in memory, in-memory malware, injected code, encrypted traffic plaintext — all live only in RAM. This module covers the tooling and workflow.

Why memory forensics

Traditional disk forensics recovers files, logs, persistence. Memory adds:

Process list at incident time (including hidden processes)
Loaded DLLs / injected code
Open network connections (past + present)
Recently-used credentials (LSASS-style secrets, SSH keys, passphrases)
Decrypted plaintext of TLS / VPN traffic (if session was active)
Malware that never touches disk (fileless)
Command history from memory-resident shells

Acquisition — getting RAM out

Windows

DumpIt — single-binary full-memory dumper
WinPmem — open-source, reliable
Microsoft LiveKD / kd — for kernel debugging scenarios
Hibernation file — hiberfil.sys contains compressed RAM dump
Crash dump — MEMORY.DMP from kernel crashes

Linux

LiME (Linux Memory Extractor) — kernel module for RAM acquisition
/dev/mem — on older kernels (restricted in modern)
/proc/kcore — kernel memory image
AVML (Azure-developed) — modern portable acquisition tool

Cloud / EC2

AWS SSM Run Command — run DumpIt/LiME/AVML remotely without console access
AWS EC2 GetConsoleScreenshot — NOT memory, but visible console
Live snapshot of EBS — disk only, not memory. Memory requires running tool inside the instance

Analysis — Volatility3

Volatility is the de facto open-source memory analysis framework. Version 3 is the current actively-maintained branch.

# Identify memory image profile
vol.py -f memory.dump windows.info

# Process list
vol.py -f memory.dump windows.pslist
vol.py -f memory.dump windows.pstree

# Find hidden/unlinked processes (rootkit detection)
vol.py -f memory.dump windows.psscan
vol.py -f memory.dump windows.psxview

# Network connections
vol.py -f memory.dump windows.netstat
vol.py -f memory.dump windows.netscan

# Loaded DLLs
vol.py -f memory.dump windows.dlllist

# Command-line history
vol.py -f memory.dump windows.cmdline

# Registry hives + recently-accessed keys
vol.py -f memory.dump windows.registry.printkey

# Extract password hashes (LSASS)
vol.py -f memory.dump windows.hashdump

# Find suspicious processes
vol.py -f memory.dump windows.malfind

# Extract files found in memory
vol.py -f memory.dump windows.dumpfiles --pid PID

Linux equivalent commands

vol.py -f lime.dump linux.pslist
vol.py -f lime.dump linux.pstree
vol.py -f lime.dump linux.bash  # command history
vol.py -f lime.dump linux.check_modules  # kernel modules
vol.py -f lime.dump linux.sockstat  # network
vol.py -f lime.dump linux.lsof

What to look for

Processes not in expected parent chain — cmd.exe spawned by Outlook = macro malware
Unusual network connections — outbound to unknown IPs, unusual ports
Hollowed / injected processes — svchost.exe running code not normally expected
Unlinked processes — rootkits hide by unlinking from process lists; psscan finds them anyway
Command-line arguments — PowerShell with encoded commands, curl to pastebin, certutil downloading
In-memory strings — credentials, URLs, passphrases, TLS session keys

Anti-forensics and evasion

Sophisticated attackers evade memory forensics:

Process hollowing (modified code in legitimate process)
Reflective DLL loading (never on disk)
DKOM (Direct Kernel Object Manipulation) to hide from APIs
Anti-debug / anti-VM tricks

Counter: use psscan vs pslist (find rootkit-hidden processes), malfind (suspicious memory regions), check for memory regions with PAGE_EXECUTE_READWRITE without backing file.

Practitioner workflow

Acquire memory image (physical or via agent)
Compute hash — preserve chain of custody
Store in evidence vault with access controls
Use Volatility3 to enumerate processes, network, loaded modules
Flag anomalies; cross-reference with disk evidence + CloudTrail/network logs
Extract IOCs (IPs, hashes, filenames, techniques)
Document findings in incident report

Quick reference summary

Memory forensics captures volatile state (processes, network, credentials, injected code)
Acquisition: DumpIt / WinPmem / LiME / AVML
Analysis: Volatility3 — pslist, psscan, netstat, malfind, hashdump, dumpfiles
Cloud: SSM Run Command to execute acquisition tool remotely
Look for: process anomalies, injected code, unlinked processes, unusual network, in-memory credentials
Preserve chain of custody: hash + access-controlled storage
Combine with disk forensics + network logs + CloudTrail for complete picture

🧠

Check your understanding

Module Quiz · 20 questions

Pass with 70%+ to mark this module complete. Unlimited retries. Each question shows an explanation.

🔐 Advanced Module · Pro Tier

Continue reading with Pro tier (₹4,999/year)

You've read 43% of this module. Unlock the remaining deep-dive, quiz, and every other Advanced/Expert module.

136+ modulesAll levels up to this tier

20-question quizzesUnlimited retries with explanations

Completion certificatesShareable on LinkedIn

See pricing → Sign in

1 more section locked below

Module 6 · Memory Forensics 🔒