Memory Forensics
Last modified: 2024-07-28
Memory forensics is the analysis of volatile memory, mainly the contents of Random Access Memory (RAM). Memory captures come in various file formats, such as .bin, .mem, .raw, .sav and .vmem.
Volatility
Volatility is a useful tool for memory forensics.
On a Debian-based operating system, it can be installed with apt.
sudo apt install volatility3
# Confirm the installation succeeded
vol -h
However, downloading it from the GitHub repository is recommended if you want the latest stable version.
Target: Common
# Print kernel banner strings found in the image (useful to identify a Linux kernel version)
vol -f example.vmem banners.Banners
Target: Linux
# List processes
vol -f example.vmem linux.pslist.PsList
# List process memory ranges that potentially contain injected code
vol -f example.vmem linux.malfind.Malfind
Target: Windows
# Identify the operating system and kernel version of the image
vol -f example.vmem windows.info
# Dump password hashes
vol -f example.vmem windows.hashdump
# List the command line arguments of each process
vol -f example.vmem windows.cmdline.CmdLine
# List the active processes (walks the kernel's process list)
vol -f example.vmem windows.pslist
# Scan physical memory for process structures (also finds terminated or unlinked processes)
vol -f example.vmem windows.psscan.PsScan
# List processes in a tree based on their parent process ID.
vol -f example.vmem windows.pstree.PsTree
# List loaded modules, including DLLs unlinked from the PEB lists (hidden modules)
vol -f example.vmem windows.ldrmodules
# Scan for network objects present in a Windows memory image.
vol -f example.vmem windows.netscan.NetScan
# Scan for file objects present in a Windows memory image.
vol -f example.vmem windows.filescan.FileScan
# Filter the file scan results by a keyword such as a file name or path
vol -f example.vmem windows.filescan.FileScan | grep <keyword>
# Scan for MFT file objects present in a Windows memory image.
vol -f example.vmem windows.mftscan.MFTScan
# Lists process memory ranges that potentially contain injected code.
vol -f example.vmem windows.malfind.Malfind
# Dump the flagged memory ranges to the dumps directory
vol -f example.vmem -o dumps windows.malfind.Malfind --dump
# List the DLLs loaded by each process in a Windows memory image.
vol -f example.vmem windows.dlllist.DllList
# Restrict the listing to a single process by PID
vol -f example.vmem windows.dlllist.DllList --pid <PID>
# Dump the listed DLLs to the dumps directory
vol -f example.vmem -o dumps windows.dlllist.DllList --dump
# Dump files
mkdir dumps
# --pid: PID of the target process, found with pslist
vol -f example.vmem -o dumps windows.dumpfiles.DumpFiles --pid <target-process-id>
# --physaddr: physical address of the target file object, found with filescan
vol -f example.vmem -o dumps windows.dumpfiles.DumpFiles --physaddr <address-of-target-file>
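The pslist and psscan commands above are most useful when compared: pslist walks the kernel's linked process list, while psscan carves process structures out of physical memory, so a process that only psscan reports is either already terminated or has been unlinked to hide it. The script below is an added example (not part of this page or of the Volatility project) that parses the two outputs and separates those two cases using the ExitTime column; the process rows it works on are constructed sample data in Volatility 3's tab-separated table layout.

```python
"""Cross-view process check for Volatility 3: windows.pslist walks the active
EPROCESS list, windows.psscan carves EPROCESS structures from physical memory.
A process only psscan reports is either terminated but not yet overwritten or
unlinked from the list to hide it; the ExitTime column separates the cases."""

# Constructed sample output in Volatility 3's tab-separated table layout
# (not real capture data).
PSLIST_OUTPUT = """PID\tPPID\tImageFileName\tOffset(V)\tThreads\tHandles\tSessionId\tWow64\tCreateTime\tExitTime\tFile output

4\t0\tSystem\t0xfa8000c9e040\t80\t500\tN/A\tFalse\t2024-07-28 09:00:00.000000 \tN/A\tDisabled
372\t4\tsmss.exe\t0xfa80013e2b30\t2\t29\tN/A\tFalse\t2024-07-28 09:00:02.000000 \tN/A\tDisabled
1204\t1160\texplorer.exe\t0xfa80021f0060\t30\t900\t1\tFalse\t2024-07-28 09:01:10.000000 \tN/A\tDisabled
"""
# psscan sees the same three plus a still-running process that pslist lacks
# and a process that exited (ExitTime set).
PSSCAN_OUTPUT = PSLIST_OUTPUT + (
    "1936\t1204\tsvchost.exe\t0xfa8002a1c060\t5\t120\t1\tFalse\t2024-07-28 09:05:00.000000 \tN/A\tDisabled\n"
    "3380\t1204\tnotepad.exe\t0xfa8002b70b30\t0\t0\t1\tFalse\t2024-07-28 09:03:00.000000 \t2024-07-28 09:04:30.000000 \tDisabled\n"
)


def parse_processes(output: str) -> dict[int, dict[str, str]]:
    """Map PID -> {column: value}, skipping banner, blank and progress lines."""
    columns, procs = None, {}
    for line in output.splitlines():
        fields = line.split("\t")
        if columns is None:  # header row not seen yet
            if fields[:3] == ["PID", "PPID", "ImageFileName"]:
                columns = fields
            continue
        if len(fields) == len(columns) and fields[0].isdigit():
            procs[int(fields[0])] = dict(zip(columns, (f.strip() for f in fields)))
    return procs


def cross_view(pslist_out: str, psscan_out: str) -> dict[str, list]:
    """Classify processes that appear in only one of the two views."""
    active, scanned = parse_processes(pslist_out), parse_processes(psscan_out)
    hidden, terminated = [], []
    for pid in sorted(set(scanned) - set(active)):
        row = scanned[pid]
        # Exited processes linger in pool memory: expected, not hiding.
        bucket = terminated if row["ExitTime"] != "N/A" else hidden
        bucket.append((pid, row["ImageFileName"]))
    return {
        "hidden_candidates": hidden,  # running per psscan, absent from pslist
        "terminated": terminated,  # carved EPROCESS with an ExitTime
        "list_only": sorted(set(active) - set(scanned)),  # rare; review manually
    }
```

On a real image, feed it the saved output of `vol -f example.vmem windows.pslist` and `vol -f example.vmem windows.psscan.PsScan`; anything in hidden_candidates deserves a follow-up with pstree, dlllist and malfind against that PID.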
Redline
Redline is an endpoint security tool that gives investigators host-level capabilities to find signs of malicious activity through memory and file analysis and to build a threat assessment profile.