Memory Forensics

RAM memory forensic analysis represents a critical and specialized discipline within digital investigation, focused on extracting and analyzing volatile data that exists only while the system is running. Unlike traditional disk forensics, which examines persistent data stored on hard drives or SSDs, memory forensics captures the exact state of the system at the moment of acquisition, revealing running processes, active network connections, in-memory credentials, cryptographic keys, fileless malware, and artifacts that sophisticated attackers deliberately leave only in RAM to evade detection. This technique has become indispensable in investigating advanced threats (APTs), modern ransomware, and attacks that use living-off-the-land techniques, where intruders operate exclusively in memory using legitimate operating system tools. The time window for collection is critical: once the system is shut down, rebooted, or enters hibernation mode, these volatile artifacts are irretrievably lost, making the speed and methodology of acquisition determining factors for the success of the forensic investigation.

Why Memory Forensics

Volatile artifacts are lost at shutdown. Memory contains:

  • Running processes: Fileless malware, code injections
  • Network connections: C2 active connections, open sockets
  • Credentials: Plaintext passwords, cached NTLM hashes
  • Cryptography: Encryption keys in memory
  • Registry hives: Unpersisted modifications
  • Handles and DLLs: Injections, hooking, rootkits

Memory Acquisition

Acquisition Tools

  • FTK Imager: Free AccessData tool, graphical interface
  • DumpIt: Portable one-line executable, fast
  • WinPmem: Open-source, supports kernel memory acquisition
  • Magnet RAM Capture: Free tool, easy to use
  • LiME (Linux): Loadable Kernel Module for Linux systems
  • Belkasoft RAM Capturer: Works even with anti-dumping

Acquisition Considerations

  • Acquire memory BEFORE investigating - analysis alters state
  • Live system: use tools that minimize footprint
  • Virtual system: snapshot the VM or extract .vmem
  • Physical system: consider acquisition via FireWire/Thunderbolt DMA
  • Document the exact time of acquisition for the timeline

Analysis with Volatility

The Volatility Framework is the open-source gold-standard tool for memory analysis, supporting Windows, Linux, macOS and various dump formats.

Essential Commands

      # Identify the system profile
      vol.py -f memory.dmp imageinfo
      # List processes
      vol.py -f memory.dmp --profile=Win10x64 pslist
      vol.py -f memory.dmp --profile=Win10x64 pstree
      # Hidden processes (DKOM)
      vol.py -f memory.dmp --profile=Win10x64 psxview
      # Network connections
      vol.py -f memory.dmp --profile=Win10x64 netscan
      # Loaded DLLs
      vol.py -f memory.dmp --profile=Win10x64 dlllist -p <PID>
      # Process command line
      vol.py -f memory.dmp --profile=Win10x64 cmdline
      # Process dumps
      vol.py -f memory.dmp --profile=Win10x64 procdump -p <PID> -D output/
      # Credential extraction
      vol.py -f memory.dmp --profile=Win10x64 hashdump
      vol.py -f memory.dmp --profile=Win10x64 lsadump
      

Fileless Malware Analysis

Fileless malware resides only in memory, using legitimate tools (PowerShell, WMI) to evade AV. Detection techniques:

  • Process injection: Look for RWX memory, remote threads
  • PowerShell analysis: Suspicious commands in console history
  • Hollowing: Legitimate processes with replaced code
  • Reflective DLL Injection: DLLs not mapped on disk

Example: Detecting Process Injection

      # Look for suspicious VADs (RWX memory)
      vol.py -f memory.dmp --profile=Win10x64 malfind
      # List code injections
      vol.py -f memory.dmp --profile=Win10x64 hollowfind
      # Analyze suspicious handles
      vol.py -f memory.dmp --profile=Win10x64 handles -p <PID> -t Process,Thread
      

Credential Extraction

Memory frequently contains credentials in plaintext or easily crackable form:

  • LSASS dump: NT hashes, Kerberos tickets, plaintext passwords
  • Registry hives: SAM, SYSTEM for offline hashdump
  • Browser memory: Form passwords, session cookies
  • App-specific: App credentials (email, VPN, etc.)

Timeline Reconstruction

Correlate memory events with other artifacts:

      # Timeline of processes and connections
      vol.py -f memory.dmp --profile=Win10x64 timeliner --output=body --output-file=timeline.body
      # Convert to a readable format
      mactime -b timeline.body -d > timeline.csv
      

Rootkits and DKOM

Direct Kernel Object Manipulation (DKOM) hides processes by modifying kernel structures. Detect through comparison across multiple sources:

  • psxview: Compares pslist, psscan, thrdproc, etc.
  • driverirp: Lists drivers and their IRP hooks
  • ssdt: System Service Descriptor Table hooks
  • idt: Interrupt Descriptor Table modifications

Advanced Volatility Plugins

  • yarascan: Scan memory with YARA rules
  • strings: Extract strings from specific processes
  • clipboard: Windows clipboard content
  • notepad: Text from open Notepad windows
  • mftparser: Recover the $MFT from memory
  • svcscan: List Windows services

Complementary Tools

  • Rekall: Volatility fork with additional features
  • Redline: FireEye graphical interface for analysis
  • MemProcFS: Mounts the memory dump as a filesystem
  • Bulk Extractor: Bulk extraction of features

Challenges

  • Large dumps (16GB+ RAM) are slow to analyze
  • Anti-forensics techniques can corrupt dumps
  • Encrypted memory requires keys for analysis
  • Kernel structures change between OS versions

Final Recommendations

Memory forensics is essential for investigating advanced attacks and fileless malware. Automate memory acquisition in suspicious incidents via EDR. Practice analysis with public memory dumps (DFIRScience, Volatility Foundation). Always correlate memory findings with disk forensics and network forensics for a complete view of the incident.