Memory Forensics in Action Using Volatility

By Meravytes | October 26, 2025

Introduction

In today’s digital landscape, malicious actors increasingly leverage advanced techniques to compromise systems, evade detection, and persist in memory. Traditional disk-based forensics may not always capture volatile evidence such as running processes, network connections, or injected code. This is where memory forensics plays a critical role. By analyzing the contents of system memory (RAM), investigators can uncover malware, hidden processes, encryption keys, and other artifacts that would otherwise vanish after a reboot.

Among the most widely used frameworks for memory forensics is Volatility, an open-source tool that provides deep insight into live memory images. This article explores how Volatility can be applied in real-world investigations, highlighting key techniques and workflows.

1. Why Memory Forensics?

Unlike static forensic approaches that focus on persistent data on disk, memory forensics offers several advantages:

• Uncover hidden malware: Rootkits and in-memory payloads often do not touch disk.
• Reveal system state at compromise: Running processes, open files, and active network sockets provide valuable context.
• Extract encryption keys and passwords: Sensitive data may reside in RAM, even if encrypted on disk.
• Correlate user activity: From command history to clipboard contents, memory can hold crucial traces.

2. Volatility Framework Overview

Volatility is a Python-based framework that supports a wide range of plugins to parse memory images from Windows, Linux, Mac, and Android systems. Its modular design allows investigators to extract evidence from different memory structures and correlate findings.

Key features:

• Plugin-based extensibility
• Support for multiple OS versions and memory formats
• Community-driven and regularly updated
• Ability to detect rootkits and hidden injections

3. Workflow: Memory Forensics with Volatility

1. Acquiring the Memory Image

The first step is capturing a raw dump of RAM. Tools such as FTK Imager, DumpIt, or LiME (Linux Memory Extractor) can be used. It’s critical to ensure the acquisition is forensically sound and verified via hashing.
Example:

md5sum memdump.raw

2. Identifying the Memory Profile

Before running analysis, Volatility requires specifying the OS profile of the memory dump.

volatility -f memdump.raw imageinfo

This plugin suggests possible profiles, e.g., Win7SP1x64.

3. Process Enumeration

A common first step is checking for suspicious or hidden processes:

volatility -f memdump.raw --profile=Win7SP1x64 pslist

For hidden processes, compare with:

volatility -f memdump.raw --profile=Win7SP1x64 psscan

4. DLL and Handles Inspection

To spot injected malware or anomalous libraries:

volatility -f memdump.raw --profile=Win7SP1x64 dlllist -p [PID]

Handles can reveal hidden files, registry keys, or sockets:

volatility -f memdump.raw --profile=Win7SP1x64 handles -p [PID]

5. Network Connections

For live attack detection:

volatility -f memdump.raw --profile=Win7SP1x64 netscan

This provides active TCP/UDP connections, listening ports, and owning processes.

6. Extracting Artifacts

Dumping executables for malware analysis:

volatility -f memdump.raw --profile=Win7SP1x64 procdump -p [PID] -D output/

Dumping registry hives to recover system and user settings:

volatility -f memdump.raw --profile=Win7SP1x64 hivelist

7. Detecting Rootkits

Volatility includes plugins to identify stealth techniques like DKOM (Direct Kernel Object Manipulation):

volatility -f memdump.raw --profile=Win7SP1x64 malfind

4. Universal Preliminaries

a. Legal / authorization

Ensure written authorization (PO, warrant, incident response agreement). Only analyse images you are allowed to.

b. Environment

• Work on an isolated analysis VM (air-gapped when possible).
• Use a copy of the image; never modify originals.
• Tools: Volatility v2 (common), Volatility3 (newer), Rekall, YARA, strings, grep, IDA/Ghidra, Wireshark.

c. Hash & record

Immediately compute hashes for original image and working copies:

sha256sum memdump.raw > memdump.raw.sha256 md5sum memdump.raw > memdump.raw.md5

Record acquisition method, date/time (UTC), operator, host where image is stored — for chain of custody.

d. Quick sanity checks

• File size, file type: file memdump.rawls -lh
memdump.raw strings
memdump.raw | head -n 100
• Run volatility -f memdump.raw imageinfo and volatility -f memdump.raw --info to inspect plugin availability.

e. General triage priorities

• Profile / OS detection (imageinfo, banner)
• Process listing and hidden-process detection
• Network connections
• Dump suspicious process memory/binaries
• Registry (Windows) / configs (Linux/macOS) and credential retrieval
• Kernel modules & hooks (rootkits)
• Timeline + correlation with disk/network logs

5. Windows Forensics

5.1. Quick Reference — Core Commands

Process & Memory

• pslist — List processes
• psscan — Scan for hidden/terminated processes
• pstree — Process parent/child tree
• psxview — Cross-check hidden processes
• cmdline — Process command-line arguments
• consoles — Command history
• environ — Environment variables
• getsids -p [PID] — Get process SIDs

DLLs & Handles

• dlllist -p [PID] — DLLs loaded by process
• ldrmodules — Loaded/unloaded DLLs
• handles -p [PID] — Open handles (files, registry, sockets)

Malware Detection & Rootkit Indicators

• malfind — Detect injected code (anonymous RWX regions)
• hollowfind — Detect process hollowing
• apihooks — User-mode API hooks
• ssdt — Kernel SSDT hooks
• modules — Loaded drivers
• modscan — Scan for hidden drivers
• driverirp — Driver IRP activity

Networking

• netscan — Active and recently closed network connections
• connections — Active TCP connections
• connscan — Closed connections
• sockets — Open sockets

Registry & Persistence

• hivelist— Registry hives in memory
• printkey -K [KeyPath]— Print registry key contents
• userassist— Program execution history
• shellbags— Folders accessed
• shimcache— App compatibility cache

Files & Artifacts

• filescan— Scan file objects
• dumpfiles -Q [offset] -D ./out/— Dump file at offset
• procdump -p [PID] -D ./out/— Dump process executable
• memdump -p [PID] -D ./out/— Dump process memory
• clipboard— Extract clipboard contents
• screenshot— Capture GUI

Credentials

• hashdump— Dump password hashes
• lsadump— Extract LSASS secrets (if possible)
• cachedump— Cached domain logons
• mimikatz— Extract credentials (if plugin available)

Timeline & Filesystem

• timeliner— System-wide timeline from memory artifacts
• mftparser— Parse NTFS MFT (use if disk image available)
• prefetchparser— Analyze prefetch files

5.2. Investigation Workflow

a. Acquisition (if needed)

• Tools: DumpIt, WinPmem, FTK Imager, Belkasoft Live RAM Capturer.
• Example (WinPmem): winpmem.exe -o memdump.raw — Immediately hash output.

b. Identify & Orient

• volatility -f memdump.raw imageinfo
• volatility -f memdump.raw kdbgscan
• Choose and validate --profile (test with pslist for sensibility).

c. High-level Triage (fast, low-cost)

• volatility -f memdump.raw --profile=WinX pslist
• volatility -f memdump.raw --profile=WinX psscan
• volatility -f memdump.raw --profile=WinX psxview
• volatility -f memdump.raw --profile=WinX pstree
• Look for: suspicious service names, privileged processes run by user accounts, missing parents, entries in psscan but not pslist.

d. Process Inspection & Extraction

• dlllist -p [PID]
• handles -p [PID]
• cmdline -p [PID]
• procdump -p [PID] -D ./out/ (dump executable)
• memdump -p [PID] -D ./out/ (dump memory)
• Follow-up: run strings, YARA, static analysis, and dynamic analysis in a sandbox on dumped binaries.

e. Detect In-Memory Injection & Rootkits

• malfind
• apihooks
• ssdt
• modscan / modules
• Indicators: anonymous RWX sections, hooks, kernel SSDT modifications, hidden drivers.

f. Network Activity

• netscan (fast; includes owning PID)
• connscan / sockets
• Export CSV for IOC lookups; correlate with firewall and external intel.

g. Registry & Persistence

• hivelist
• printkey -K "Software\\Microsoft\\Windows\\CurrentVersion\\Run"
• userassist, shimcache, shellbags — persistence and user activity indicators.
• Search for scheduled tasks, WMI persistence strings, suspicious service entries.

h. Credentials & Secrets

• lsadump, hashdump, cachedump, mimikatz (if plugin available).
• Handle outputs securely; prefer offline extraction in a controlled environment.

i. File & Artifact Carving

• filescan
• dumpfiles -Q [offset] -D ./extracted/
• clipboard, screenshot
• Dump and hash extracted artifacts.

j. Timeline & Correlation

• timeliner
• Combine memory timeline with disk artifacts, event logs, and network logs to build a cohesive incident timeline.

k. Reporting & Remediation

• Document processes, PIDs, timestamps, network IOCs, extracted binaries & hashes.
• Export evidence with hashes and recommended actions: isolate host, block IOCs, rotate credentials.

5.3. Practical Tips & Notes

• Profile mismatch produces noisy/incorrect output — if imageinfo is inconclusive, try candidate profiles and verify with pslist.
• EDR/AV artifacts: defensive tools often inject DLLs that look suspicious. Validate digital signatures and compare against known EDR artifacts before assuming maliciousness.
• malfind gives offsets — always dump and analyze the region it flags.
• Prefer netscan for quick network triage (shows owning PID and recent closed connections).
• Credential handling: always follow legal/ethical rules and evidence-handling procedures when extracting secrets.
• Use CSV exports for plugin outputs when you need fast IOC pivoting.

6. Linux Forensics

6.1. Quick Reference

Processes

• linux_pslist — Running processes
• linux_psscan — Scan for hidden/terminated processes
• linux_pstree — Parent–child process tree
• linux_psaux — Process command lines

Memory & Modules

• linux_proc_maps -p [PID] — Process memory maps
• linux_proc_maps_rb -p [PID] — Alternate memory maps
• linux_library_list -p [PID] — Shared libraries
• linux_check_modules — Check loaded kernel modules
• linux_lsmod — List kernel modules
• linux_check_syscall — Check syscall table integrity

Files & Sockets

• linux_enumerate_files -p [PID] — Enumerate file descriptors
• linux_lsof — Open files
• linux_netstat — Network sockets
• linux_ifconfig — Network interfaces
• linux_route_cache — Routing table

Users & Credentials

• linux_passwd — Dump /etc/passwd
• linux_shadow_hashes — Extract /etc/shadow hashes
• linux_hashdump — User hashes
• linux_bash — Bash command history
• linux_bash_env — Bash environment variables
• linux_bash_hash — Bash hash table

Miscellaneous

• linux_mount — Mounted filesystems
• linux_dmesg — Kernel dmesg logs
• linux_check_afinfo — Check socket operations

6.2. Investigation Workflow

a. Acquisition

• Tool: LiME (Linux Memory Extractor)
• Example: insmod lime.ko "path=/root/memdump.lime format=raw"
• Always hash output (sha256sum memdump.lime > memdump.lime.sha256).
• Work only on a copy.

b. Identify & Orient

• volatility -f memdump.raw imageinfo
• volatility -f memdump.raw banner (kernel version, distro)
• Linux often doesn’t require --profile; most linux_* plugins work directly.

c. Process Discovery & Hiding

• linux_pslist, linux_psscan, linux_pstree, linux_psaux
• Look for suspicious names, odd parents, hidden processes, or deleted binaries still running.

d. Memory Maps & Injections

• linux_proc_maps -p [PID] / linux_proc_maps_rb -p [PID]
• linux_library_list -p [PID]
• memdump -p [PID] -D ./out/
• Watch for anonymous rwx mappings and libraries from /tmp or /dev/shm.

e. Files & Descriptors

• linux_lsof
• linux_enumerate_files -p [PID]
• linux_filescan + dumpfiles -Q [offset] -D ./extracted/
• Red flag: deleted files still open.

f. Networking & Sockets

• linux_netstat, linux_ifconfig
• linux_check_afinfo (hidden sockets)
• linux_route_cache (routing anomalies)

g. Kernel Modules & Rootkit Checks

• linux_lsmod
• linux_check_modules
• linux_check_syscall
• Suspicious: unsigned modules, modules from /tmp, syscall hooks.

h. User Activity & Credentials

• linux_bash, linux_bash_env, linux_bash_hash
• linux_passwd, linux_shadow_hashes, linux_hashdump
• Search dumps for PEM headers (BEGIN RSA PRIVATE KEY).

i. Persistence & Scheduled Jobs

• Search memory: strings memdump.raw | egrep -i "cron|systemd|rc.local|@reboot"
• Dump crontab/systemd/init files with linux_filescan + dumpfiles.

j. Scanning & Hunting

• linux_yarascan --yara-rules rules.yar
• strings proc_[PID].dmp | egrep -i "http|wget|curl|/tmp|/dev/shm"

k. Timeline & Correlation

• timeliner
• Correlate processes, connections, file creation, logs.

l. Reporting & Remediation

• Document compromised accounts, remote IPs, persistence artifacts.
• Hash all extracted binaries.
• Recommend remediation: rotate SSH keys/passwords, remove malicious modules, patch kernel.

6.3. Practical Tips

• Deleted files still in use are prime evidence — always dump.
• Compare kernel modules (lsmod) to a baseline.
• Many rootkits hook netfilter or syscalls — check linux_check_syscall early.
• Volatility plugin availability varies — use volatility --info to confirm.
• Consider Volatility3 for newer Linux kernel support.
• Always handle credentials securely and legally.

6.4. Red Flags & Indicators

• Anonymous rwx memory regions.
• Processes in psscan but missing from pslist.
• Suspicious remote connections from unusual processes.
• Kernel modules with odd names or missing backing files.
• Deleted files still held open.
• Plaintext keys or credentials in memory.
• Syscall hooks or kernel trampolines.

7. Cross-OS Advanced Tips & Investigative Practices

7.1. YARA, strings & carving

• Use YARA rules for families; run YARA per-process or across the full image:
  volatility -f memdump.raw [os]_yarascan --yara-rules rules.yar
• strings + egrep is a fast initial IOC hunt:
  strings memdump.raw | egrep -i "http|https|@[0-9]+|/tmp|/dev/shm|ssh-rsa|BEGIN RSA PRIVATE KEY"

7.2. Automation & scripting

• Save outputs as CSV or JSON where possible for parsing and building timelines.
• Script common workflows (imageinfo → pslist → netscan → malfind dumps) to speed triage.

7.3. Handling extracted credentials & malware

• Always store credentials and malware samples in a secure evidence repository with access controls.
• Hash and timestamp every extracted artifact.

7.4. Dealing with anti-forensics & EDR

• EDR/AV can inject modules or hooks; maintain a whitelist of known EDR artifacts for your environment.
• Some EDR will crash if you attempt certain actions against its processes; be cautious.

7.5. Kernel-level issues

• If you suspect kernel tampering (rootkit), prioritize psscan vs pslist, modscan/lsmod, and syscall checks.
• Kernel rootkits often require a deeper, sometimes destructive, response — consider live capture of more volatile state if legally allowed.

7.6. Volatility version & plugins

• Volatility v2 uses many OS-specific plugins (linux_, mac_). Volatility3 is newer and changing plugin names — verify volatility --info.
• If a plugin is missing, check community plugins or Rekall which may have alternate implementations.

8. Common Pitfalls & How to Avoid Them

• Wrong profile (Windows): yields nonsense output. Try suggested profiles; if none work, Volatility3 or custom profile may be required.
• Relying on a single plugin: cross-validate (pslist vs psscan vs psxview).
• Mistaking AV/EDR artifacts for malware: verify digital signatures and known vendor DLLs/process names.
• Not hashing extracted artifacts: always hash and log provenance.
• Handling credentials carelessly: treat extracted secrets as highly sensitive evidence.
• Forgetting timestamps context: memory stores timestamps in different formats; normalize to UTC in timelines.

9. Best Practices in Memory Forensics

• Always verify hash values for chain of custody.
• Use multiple plugins for cross-validation.
• Correlate with disk and network forensics for complete context.
• Stay updated with the latest Volatility versions and community plugins.

Conclusion

Memory forensics bridges the gap between traditional static analysis and dynamic live response. With Volatility, investigators gain visibility into volatile evidence, detect stealth malware, and reconstruct attacker behavior. In real-world cyber defense, memory analysis is no longer optional—it’s a necessity.

← Back to Homepage