Memory Forensics
Master memory forensics from acquisition to malware detection
✨ The solution you've been looking for
Verified
Tested and verified by our team
25450 Stars
Master memory forensics techniques including memory acquisition, process analysis, and artifact extraction using Volatility and related tools. Use when analyzing memory dumps, investigating incidents, or performing malware analysis from RAM captures.
memory-forensics
incident-response
malware-analysis
volatility
digital-forensics
debugging
reverse-engineering
cybersecurity
See It In Action
Interactive preview & real-world examples
Live Demo
AI Conversation Simulator
See how users interact with this skill
User Prompt
I have a memory dump from a potentially infected Windows system. Walk me through identifying process injection, extracting the malware payload, and analyzing its network connections using Volatility.
Skill Processing
Analyzing request...
Agent Response
Step-by-step analysis workflow identifying malicious processes, extracting payloads, network IOCs, and persistence mechanisms with specific Volatility commands
Quick Start (3 Steps)
Get up and running in minutes
1
Install
claude-code skill install memory-forensics
claude-code skill install memory-forensics2
Config
3
First Trigger
@memory-forensics helpCommands
| Command | Description | Required Args |
|---|---|---|
| @memory-forensics malware-memory-analysis | Analyze a suspicious memory dump to identify injected code, extract malware artifacts, and understand attack vectors | None |
| @memory-forensics incident-response-investigation | Investigate a security incident by analyzing memory dumps to reconstruct user activity and identify compromise indicators | None |
| @memory-forensics live-memory-acquisition | Guide through proper memory acquisition techniques for different operating systems and environments | None |
Typical Use Cases
Malware Memory Analysis
Analyze a suspicious memory dump to identify injected code, extract malware artifacts, and understand attack vectors
Incident Response Investigation
Investigate a security incident by analyzing memory dumps to reconstruct user activity and identify compromise indicators
Live Memory Acquisition
Guide through proper memory acquisition techniques for different operating systems and environments
Overview
Memory Forensics
Comprehensive techniques for acquiring, analyzing, and extracting artifacts from memory dumps for incident response and malware analysis.
Memory Acquisition
Live Acquisition Tools
Windows
1# WinPmem (Recommended)
2winpmem_mini_x64.exe memory.raw
3
4# DumpIt
5DumpIt.exe
6
7# Belkasoft RAM Capturer
8# GUI-based, outputs raw format
9
10# Magnet RAM Capture
11# GUI-based, outputs raw format
Linux
1# LiME (Linux Memory Extractor)
2sudo insmod lime.ko "path=/tmp/memory.lime format=lime"
3
4# /dev/mem (limited, requires permissions)
5sudo dd if=/dev/mem of=memory.raw bs=1M
6
7# /proc/kcore (ELF format)
8sudo cp /proc/kcore memory.elf
macOS
1# osxpmem
2sudo ./osxpmem -o memory.raw
3
4# MacQuisition (commercial)
Virtual Machine Memory
1# VMware: .vmem file is raw memory
2cp vm.vmem memory.raw
3
4# VirtualBox: Use debug console
5vboxmanage debugvm "VMName" dumpvmcore --filename memory.elf
6
7# QEMU
8virsh dump <domain> memory.raw --memory-only
9
10# Hyper-V
11# Checkpoint contains memory state
Volatility 3 Framework
Installation and Setup
1# Install Volatility 3
2pip install volatility3
3
4# Install symbol tables (Windows)
5# Download from https://downloads.volatilityfoundation.org/volatility3/symbols/
6
7# Basic usage
8vol -f memory.raw <plugin>
9
10# With symbol path
11vol -f memory.raw -s /path/to/symbols windows.pslist
Essential Plugins
Process Analysis
1# List processes
2vol -f memory.raw windows.pslist
3
4# Process tree (parent-child relationships)
5vol -f memory.raw windows.pstree
6
7# Hidden process detection
8vol -f memory.raw windows.psscan
9
10# Process memory dumps
11vol -f memory.raw windows.memmap --pid <PID> --dump
12
13# Process environment variables
14vol -f memory.raw windows.envars --pid <PID>
15
16# Command line arguments
17vol -f memory.raw windows.cmdline
Network Analysis
1# Network connections
2vol -f memory.raw windows.netscan
3
4# Network connection state
5vol -f memory.raw windows.netstat
DLL and Module Analysis
1# Loaded DLLs per process
2vol -f memory.raw windows.dlllist --pid <PID>
3
4# Find hidden/injected DLLs
5vol -f memory.raw windows.ldrmodules
6
7# Kernel modules
8vol -f memory.raw windows.modules
9
10# Module dumps
11vol -f memory.raw windows.moddump --pid <PID>
Memory Injection Detection
1# Detect code injection
2vol -f memory.raw windows.malfind
3
4# VAD (Virtual Address Descriptor) analysis
5vol -f memory.raw windows.vadinfo --pid <PID>
6
7# Dump suspicious memory regions
8vol -f memory.raw windows.vadyarascan --yara-rules rules.yar
Registry Analysis
1# List registry hives
2vol -f memory.raw windows.registry.hivelist
3
4# Print registry key
5vol -f memory.raw windows.registry.printkey --key "Software\Microsoft\Windows\CurrentVersion\Run"
6
7# Dump registry hive
8vol -f memory.raw windows.registry.hivescan --dump
File System Artifacts
1# Scan for file objects
2vol -f memory.raw windows.filescan
3
4# Dump files from memory
5vol -f memory.raw windows.dumpfiles --pid <PID>
6
7# MFT analysis
8vol -f memory.raw windows.mftscan
Linux Analysis
1# Process listing
2vol -f memory.raw linux.pslist
3
4# Process tree
5vol -f memory.raw linux.pstree
6
7# Bash history
8vol -f memory.raw linux.bash
9
10# Network connections
11vol -f memory.raw linux.sockstat
12
13# Loaded kernel modules
14vol -f memory.raw linux.lsmod
15
16# Mount points
17vol -f memory.raw linux.mount
18
19# Environment variables
20vol -f memory.raw linux.envars
macOS Analysis
1# Process listing
2vol -f memory.raw mac.pslist
3
4# Process tree
5vol -f memory.raw mac.pstree
6
7# Network connections
8vol -f memory.raw mac.netstat
9
10# Kernel extensions
11vol -f memory.raw mac.lsmod
Analysis Workflows
Malware Analysis Workflow
1# 1. Initial process survey
2vol -f memory.raw windows.pstree > processes.txt
3vol -f memory.raw windows.pslist > pslist.txt
4
5# 2. Network connections
6vol -f memory.raw windows.netscan > network.txt
7
8# 3. Detect injection
9vol -f memory.raw windows.malfind > malfind.txt
10
11# 4. Analyze suspicious processes
12vol -f memory.raw windows.dlllist --pid <PID>
13vol -f memory.raw windows.handles --pid <PID>
14
15# 5. Dump suspicious executables
16vol -f memory.raw windows.pslist --pid <PID> --dump
17
18# 6. Extract strings from dumps
19strings -a pid.<PID>.exe > strings.txt
20
21# 7. YARA scanning
22vol -f memory.raw windows.yarascan --yara-rules malware.yar
Incident Response Workflow
1# 1. Timeline of events
2vol -f memory.raw windows.timeliner > timeline.csv
3
4# 2. User activity
5vol -f memory.raw windows.cmdline
6vol -f memory.raw windows.consoles
7
8# 3. Persistence mechanisms
9vol -f memory.raw windows.registry.printkey \
10 --key "Software\Microsoft\Windows\CurrentVersion\Run"
11
12# 4. Services
13vol -f memory.raw windows.svcscan
14
15# 5. Scheduled tasks
16vol -f memory.raw windows.scheduled_tasks
17
18# 6. Recent files
19vol -f memory.raw windows.filescan | grep -i "recent"
Data Structures
Windows Process Structures
1// EPROCESS (Executive Process)
2typedef struct _EPROCESS {
3 KPROCESS Pcb; // Kernel process block
4 EX_PUSH_LOCK ProcessLock;
5 LARGE_INTEGER CreateTime;
6 LARGE_INTEGER ExitTime;
7 // ...
8 LIST_ENTRY ActiveProcessLinks; // Doubly-linked list
9 ULONG_PTR UniqueProcessId; // PID
10 // ...
11 PEB* Peb; // Process Environment Block
12 // ...
13} EPROCESS;
14
15// PEB (Process Environment Block)
16typedef struct _PEB {
17 BOOLEAN InheritedAddressSpace;
18 BOOLEAN ReadImageFileExecOptions;
19 BOOLEAN BeingDebugged; // Anti-debug check
20 // ...
21 PVOID ImageBaseAddress; // Base address of executable
22 PPEB_LDR_DATA Ldr; // Loader data (DLL list)
23 PRTL_USER_PROCESS_PARAMETERS ProcessParameters;
24 // ...
25} PEB;
VAD (Virtual Address Descriptor)
1typedef struct _MMVAD {
2 MMVAD_SHORT Core;
3 union {
4 ULONG LongFlags;
5 MMVAD_FLAGS VadFlags;
6 } u;
7 // ...
8 PVOID FirstPrototypePte;
9 PVOID LastContiguousPte;
10 // ...
11 PFILE_OBJECT FileObject;
12} MMVAD;
13
14// Memory protection flags
15#define PAGE_EXECUTE 0x10
16#define PAGE_EXECUTE_READ 0x20
17#define PAGE_EXECUTE_READWRITE 0x40
18#define PAGE_EXECUTE_WRITECOPY 0x80
Detection Patterns
Process Injection Indicators
1# Malfind indicators
2# - PAGE_EXECUTE_READWRITE protection (suspicious)
3# - MZ header in non-image VAD region
4# - Shellcode patterns at allocation start
5
6# Common injection techniques
7# 1. Classic DLL Injection
8# - VirtualAllocEx + WriteProcessMemory + CreateRemoteThread
9
10# 2. Process Hollowing
11# - CreateProcess (SUSPENDED) + NtUnmapViewOfSection + WriteProcessMemory
12
13# 3. APC Injection
14# - QueueUserAPC targeting alertable threads
15
16# 4. Thread Execution Hijacking
17# - SuspendThread + SetThreadContext + ResumeThread
Rootkit Detection
1# Compare process lists
2vol -f memory.raw windows.pslist > pslist.txt
3vol -f memory.raw windows.psscan > psscan.txt
4diff pslist.txt psscan.txt # Hidden processes
5
6# Check for DKOM (Direct Kernel Object Manipulation)
7vol -f memory.raw windows.callbacks
8
9# Detect hooked functions
10vol -f memory.raw windows.ssdt # System Service Descriptor Table
11
12# Driver analysis
13vol -f memory.raw windows.driverscan
14vol -f memory.raw windows.driverirp
Credential Extraction
1# Dump hashes (requires hivelist first)
2vol -f memory.raw windows.hashdump
3
4# LSA secrets
5vol -f memory.raw windows.lsadump
6
7# Cached domain credentials
8vol -f memory.raw windows.cachedump
9
10# Mimikatz-style extraction
11# Requires specific plugins/tools
YARA Integration
Writing Memory YARA Rules
rule Suspicious_Injection
{
meta:
description = "Detects common injection shellcode"
strings:
// Common shellcode patterns
$mz = { 4D 5A }
$shellcode1 = { 55 8B EC 83 EC } // Function prologue
$api_hash = { 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 } // Push hash, call
condition:
$mz at 0 or any of ($shellcode*)
}
rule Cobalt_Strike_Beacon
{
meta:
description = "Detects Cobalt Strike beacon in memory"
strings:
$config = { 00 01 00 01 00 02 }
$sleep = "sleeptime"
$beacon = "%s (admin)" wide
condition:
2 of them
}
Scanning Memory
1# Scan all process memory
2vol -f memory.raw windows.yarascan --yara-rules rules.yar
3
4# Scan specific process
5vol -f memory.raw windows.yarascan --yara-rules rules.yar --pid 1234
6
7# Scan kernel memory
8vol -f memory.raw windows.yarascan --yara-rules rules.yar --kernel
String Analysis
Extracting Strings
1# Basic string extraction
2strings -a memory.raw > all_strings.txt
3
4# Unicode strings
5strings -el memory.raw >> all_strings.txt
6
7# Targeted extraction from process dump
8vol -f memory.raw windows.memmap --pid 1234 --dump
9strings -a pid.1234.dmp > process_strings.txt
10
11# Pattern matching
12grep -E "(https?://|[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})" all_strings.txt
FLOSS for Obfuscated Strings
1# FLOSS extracts obfuscated strings
2floss malware.exe > floss_output.txt
3
4# From memory dump
5floss pid.1234.dmp
Best Practices
Acquisition Best Practices
- Minimize footprint: Use lightweight acquisition tools
- Document everything: Record time, tool, and hash of capture
- Verify integrity: Hash memory dump immediately after capture
- Chain of custody: Maintain proper forensic handling
Analysis Best Practices
- Start broad: Get overview before deep diving
- Cross-reference: Use multiple plugins for same data
- Timeline correlation: Correlate memory findings with disk/network
- Document findings: Keep detailed notes and screenshots
- Validate results: Verify findings through multiple methods
Common Pitfalls
- Stale data: Memory is volatile, analyze promptly
- Incomplete dumps: Verify dump size matches expected RAM
- Symbol issues: Ensure correct symbol files for OS version
- Smear: Memory may change during acquisition
- Encryption: Some data may be encrypted in memory
What Users Are Saying
Real feedback from the community
Environment Matrix
Dependencies
Python 3.6+ (for Volatility 3)
Volatility 3 framework
Symbol tables for target OS versions
YARA 4.0+ (for pattern matching)
FLOSS (for obfuscated string extraction)
Framework Support
Volatility 3 ✓ (recommended)
Volatility 2.x ✓
Rekall ✓
WinDbg ✓
Context Window
Token Usage
~5K-15K tokens for comprehensive analysis workflows
Security & Privacy
Information
- Author
- wshobson
- Updated
- 2026-01-30
- Category
- debugging
Related Skills
Memory Forensics
Master memory forensics techniques including memory acquisition, process analysis, and artifact …
View Details →Binary Analysis Patterns
Master binary analysis patterns including disassembly, decompilation, control flow analysis, and …
View Details →Binary Analysis Patterns
Master binary analysis patterns including disassembly, decompilation, control flow analysis, and …
View Details →