Volatility Memory Forensics: A Walkthrough for IR Teams

Manish Garg
Manish Garg Associate of (ISC)² · RingSafe
Apr 25, 2026
3 min read

Last updated: April 26, 2026

Volatility is the canonical memory-forensics framework. When an incident hits and the affected host is still running, capturing memory before reboot preserves evidence that disk forensics misses — credentials in process memory, decrypted file contents, network connections, malware artefacts that never touch disk. This article covers the Volatility 3 workflow for incident response, the high-leverage plugins, and the analysis pattern that surfaces malware quickly.

Capturing memory

Before analysis, capture the memory image:

  • Windows: WinPmem, FTK Imager Lite, DumpIt
  • Linux: AVML, LiME (kernel module)
  • VMs: snapshot the VM’s vmem file directly (instant, no agent)

Capture before reboot. Once the host reboots, in-memory artefacts are gone.

Volatility 3 workflow

Volatility 3 (release 2020+) auto-detects OS and kernel symbols, simplifying the workflow vs Volatility 2.

# Install
pip install volatility3

# List processes
vol -f memory.raw windows.pslist

# Pstree (process tree)
vol -f memory.raw windows.pstree

# Network connections
vol -f memory.raw windows.netscan

# Loaded DLLs per process
vol -f memory.raw windows.dlllist --pid 1234

# Search memory for strings
vol -f memory.raw windows.cmdline

# Extract specific process memory
vol -f memory.raw windows.memmap --pid 1234 --dump

The high-leverage plugins

For initial triage

  • windows.pstree — visual process tree. Anomalies stand out (unusual parent-child relationships).
  • windows.netscan — network connections at capture time. Outbound to suspicious IPs is immediate forensic value.
  • windows.cmdline — command line of every process. Encoded PowerShell, base64 commands, anything weird.

For credential extraction

  • windows.hashdump — local SAM hashes from memory.
  • windows.lsadump — LSA secrets (cached domain credentials, service account passwords).
  • windows.cachedump — cached domain credentials.

For malware hunting

  • windows.malfind — finds memory regions with executable permissions and no associated file (process injection signature).
  • windows.modules + windows.modscan — kernel modules; rootkits often hide here.
  • yarascan with malware signatures.

For lateral movement traces

  • windows.sessions — logged-on users and sessions.
  • windows.handles — file/registry handles per process; identifies what files a malicious process touched.

Analysis pattern

  1. Get oriented. pstree + netscan. Identify processes that look anomalous.
  2. Investigate suspicious processes. cmdline for full command, dlllist for loaded modules, handles for file activity.
  3. Extract suspicious binaries. windows.dumpfiles --pid X writes files to disk for static analysis.
  4. YARA scan. Run community / commercial YARA rules against memory.
  5. Correlate with disk artefacts — file timestamps, registry modifications, scheduled tasks.
  6. Document findings for the incident report.

Real-world example

An Indian fintech IR engagement: ransomware encrypted production. Captured memory pre-reboot. Volatility analysis showed:

  • pstree: cmd.exe spawned by winword.exe — clearly anomalous (Word doesn’t legitimately spawn cmd).
  • cmdline: cmd.exe showed Base64-encoded PowerShell that decoded to a Cobalt Strike loader.
  • netscan: outbound HTTPS to cdn-static-static.com — known C2 domain.
  • malfind: identified RWX memory regions in spoolsv.exe — process injection.

From memory dump to root-cause conclusion (phishing email with macro-enabled docx → PowerShell loader → Cobalt Strike → ransomware) in 4 hours.

Compliance angle

  • RBI Cyber Framework — incident response capability with forensic depth.
  • SEBI CSCRF — IR playbook that includes memory capture procedure.
  • DPDP §8(6) — breach notification often requires forensic evidence of scope.

The takeaway

Memory forensics is one of the highest-leverage IR skills. Volatility’s plugin set covers most malware artefacts. The workflow is repeatable — pstree, netscan, cmdline, then deep-dive — and produces evidence for board-level reporting. Practice on retired servers; have the runbook ready before the incident.

Worried about your exposure?

Get a free attack-surface review

We check what an attacker would see about your business — leaked credentials, exposed services, dark-web mentions. 30 minutes, no obligation.

Book exposure review Replies in 4 working hrs · India-only · Senior consultants