Memory Forensics
RAM memory forensic analysis represents a critical and specialized discipline within digital investigation, focused on extracting and analyzing volatile data that exists only while the system is running. Unlike traditional disk forensics, which examines persistent data stored on hard drives or SSDs, memory forensics captures the exact state of the system at the moment of acquisition, revealing running processes, active network connections, in-memory credentials, cryptographic keys, fileless malware, and artifacts that sophisticated attackers deliberately leave only in RAM to evade detection. This technique has become indispensable in investigating advanced threats (APTs), modern ransomware, and attacks that use living-off-the-land techniques, where intruders operate exclusively in memory using legitimate operating system tools. The time window for collection is critical: once the system is shut down, rebooted, or enters hibernation mode, these volatile artifacts are irretrievably lost, making the speed and methodology of acquisition determining factors for the success of the forensic investigation.
Why Memory Forensics
Volatile artifacts are lost at shutdown. Memory contains:
- Running processes: Fileless malware, code injections
- Network connections: C2 active connections, open sockets
- Credentials: Plaintext passwords, cached NTLM hashes
- Cryptography: Encryption keys in memory
- Registry hives: Unpersisted modifications
- Handles and DLLs: Injections, hooking, rootkits
Memory Acquisition
Acquisition Tools
- FTK Imager: Free AccessData tool, graphical interface
- DumpIt: Portable one-line executable, fast
- WinPmem: Open-source, supports kernel memory acquisition
- Magnet RAM Capture: Free tool, easy to use
- LiME (Linux): Loadable Kernel Module for Linux systems
- Belkasoft RAM Capturer: Works even with anti-dumping
Acquisition Considerations
- Acquire memory BEFORE investigating - analysis alters state
- Live system: use tools that minimize footprint
- Virtual system: snapshot the VM or extract .vmem
- Physical system: consider acquisition via FireWire/Thunderbolt DMA
- Document the exact time of acquisition for the timeline
Analysis with Volatility
The Volatility Framework is the open-source gold-standard tool for memory analysis, supporting Windows, Linux, macOS and various dump formats.
Essential Commands
# Identify the system profile
vol.py -f memory.dmp imageinfo
# List processes
vol.py -f memory.dmp --profile=Win10x64 pslist
vol.py -f memory.dmp --profile=Win10x64 pstree
# Hidden processes (DKOM)
vol.py -f memory.dmp --profile=Win10x64 psxview
# Network connections
vol.py -f memory.dmp --profile=Win10x64 netscan
# Loaded DLLs
vol.py -f memory.dmp --profile=Win10x64 dlllist -p <PID>
# Process command line
vol.py -f memory.dmp --profile=Win10x64 cmdline
# Process dumps
vol.py -f memory.dmp --profile=Win10x64 procdump -p <PID> -D output/
# Credential extraction
vol.py -f memory.dmp --profile=Win10x64 hashdump
vol.py -f memory.dmp --profile=Win10x64 lsadump
Fileless Malware Analysis
Fileless malware resides only in memory, using legitimate tools (PowerShell, WMI) to evade AV. Detection techniques:
- Process injection: Look for RWX memory, remote threads
- PowerShell analysis: Suspicious commands in console history
- Hollowing: Legitimate processes with replaced code
- Reflective DLL Injection: DLLs not mapped on disk
Example: Detecting Process Injection
# Look for suspicious VADs (RWX memory)
vol.py -f memory.dmp --profile=Win10x64 malfind
# List code injections
vol.py -f memory.dmp --profile=Win10x64 hollowfind
# Analyze suspicious handles
vol.py -f memory.dmp --profile=Win10x64 handles -p <PID> -t Process,Thread
Credential Extraction
Memory frequently contains credentials in plaintext or easily crackable form:
- LSASS dump: NT hashes, Kerberos tickets, plaintext passwords
- Registry hives: SAM, SYSTEM for offline hashdump
- Browser memory: Form passwords, session cookies
- App-specific: App credentials (email, VPN, etc.)
Timeline Reconstruction
Correlate memory events with other artifacts:
# Timeline of processes and connections
vol.py -f memory.dmp --profile=Win10x64 timeliner --output=body --output-file=timeline.body
# Convert to a readable format
mactime -b timeline.body -d > timeline.csv
Rootkits and DKOM
Direct Kernel Object Manipulation (DKOM) hides processes by modifying kernel structures. Detect through comparison across multiple sources:
- psxview: Compares pslist, psscan, thrdproc, etc.
- driverirp: Lists drivers and their IRP hooks
- ssdt: System Service Descriptor Table hooks
- idt: Interrupt Descriptor Table modifications
Advanced Volatility Plugins
- yarascan: Scan memory with YARA rules
- strings: Extract strings from specific processes
- clipboard: Windows clipboard content
- notepad: Text from open Notepad windows
- mftparser: Recover the $MFT from memory
- svcscan: List Windows services
Complementary Tools
- Rekall: Volatility fork with additional features
- Redline: FireEye graphical interface for analysis
- MemProcFS: Mounts the memory dump as a filesystem
- Bulk Extractor: Bulk extraction of features
Challenges
- Large dumps (16GB+ RAM) are slow to analyze
- Anti-forensics techniques can corrupt dumps
- Encrypted memory requires keys for analysis
- Kernel structures change between OS versions
Final Recommendations
Memory forensics is essential for investigating advanced attacks and fileless malware. Automate memory acquisition in suspicious incidents via EDR. Practice analysis with public memory dumps (DFIRScience, Volatility Foundation). Always correlate memory findings with disk forensics and network forensics for a complete view of the incident.
