Comprehensive techniques for acquiring, analyzing, and extracting artifacts from memory dumps for incident response and malware analysis.
# WinPmem (Recommended) winpmem_mini_x64.exe memory.raw
# DumpIt DumpIt.exe
# Belkasoft RAM Capturer # GUI-based, outputs raw format
# Magnet RAM Capture # GUI-based, outputs raw format # LiME (Linux Memory Extractor) sudo insmod lime.ko "path=/tmp/memory.lime format=lime"
# /dev/mem (limited, requires permissions) sudo dd if=/dev/mem of=memory.raw bs=1M
# /proc/kcore (ELF format) sudo cp /proc/kcore memory.elf # osxpmem sudo ./osxpmem -o memory.raw
# MacQuisition (commercial) # VMware: .vmem file is raw memory cp vm.vmem memory.raw
# VirtualBox: Use debug console vboxmanage debugvm "VMName" dumpvmcore --filename memory.elf
# QEMU virsh dump < domai n > memory.raw --memory-only
# Hyper-V # Checkpoint contains memory state # Install Volatility 3 pip install volatility3
# Install symbol tables (Windows) # Download from https://downloads.volatilityfoundation.org/volatility3/symbols/
# Basic usage vol -f memory.raw < plugi n >
# With symbol path vol -f memory.raw -s /path/to/symbols windows.pslist # List processes vol -f memory.raw windows.pslist
# Process tree (parent-child relationships) vol -f memory.raw windows.pstree
# Hidden process detection vol -f memory.raw windows.psscan
# Process memory dumps vol -f memory.raw windows.memmap --pid < PI D > --dump
# Process environment variables vol # Network connections vol -f memory.raw windows.netscan
# Network connection state vol -f memory.raw windows.netstat # Loaded DLLs per process vol -f memory.raw windows.dlllist --pid < PI D >
# Find hidden/injected DLLs vol -f memory.raw windows.ldrmodules
# Kernel modules vol -f memory.raw windows.modules
# Module dumps vol -f memory.raw windows.moddump --pid < PI D > # Detect code injection vol -f memory.raw windows.malfind
# VAD (Virtual Address Descriptor) analysis vol -f memory.raw windows.vadinfo --pid < PI D >
# Dump suspicious memory regions vol -f memory.raw windows.vadyarascan --yara-rules rules.yar # List registry hives vol -f memory.raw windows.registry.hivelist
# Print registry key vol -f memory.raw windows.registry.printkey --key "Software\Microsoft\Windows\CurrentVersion\Run"
# Dump registry hive vol -f memory.raw windows.registry.hivescan --dump # Scan for file objects vol -f memory.raw windows.filescan
# Dump files from memory vol -f memory.raw windows.dumpfiles --pid < PI D >
# MFT analysis vol -f memory.raw windows.mftscan # Process listing vol -f memory.raw linux.pslist
# Process tree vol -f memory.raw linux.pstree
# Bash history vol -f memory.raw linux.bash
# Network connections vol -f memory.raw linux.sockstat
# Loaded kernel modules vol -f memory.raw linux.lsmod
# Mount points vol -f # Process listing vol -f memory.raw mac.pslist
# Process tree vol -f memory.raw mac.pstree
# Network connections vol -f memory.raw mac.netstat
# Kernel extensions vol -f memory.raw mac.lsmod # 1. Initial process survey vol -f memory.raw windows.pstree > processes.txt vol -f memory.raw windows.pslist > pslist.txt
# 2. Network connections vol -f memory.raw windows.netscan > network.txt
# 3. Detect injection vol -f memory.raw windows.malfind > malfind.txt # 1. Timeline of events vol -f memory.raw windows.timeliner > timeline.csv
# 2. User activity vol -f memory.raw windows.cmdline vol -f memory.raw windows.consoles
# 3. Persistence mechanisms vol -f memory.raw windows.registry.printkey \ --key "Software\Microsoft\Windows\CurrentVersion\Run"
# 4. Services vol -f // EPROCESS (Executive Process) typedef struct _EPROCESS { KPROCESS Pcb; // Kernel process block EX_PUSH_LOCK ProcessLock; LARGE_INTEGER CreateTime; LARGE_INTEGER ExitTime; // ... LIST_ENTRY ActiveProcessLinks; // Doubly-linked list ULONG_PTR UniqueProcessId; // PID // ... PEB * Peb; // Process Environment Block // ... typedef struct _MMVAD { MMVAD_SHORT Core; union { ULONG LongFlags; MMVAD_FLAGS VadFlags; } u; // ... PVOID FirstPrototypePte; PVOID LastContiguousPte; // ... PFILE_OBJECT FileObject; } MMVAD;
// Memory protection flags #define PAGE_EXECUTE 0x 10 #define PAGE_EXECUTE_READ 0x 20 #define PAGE_EXECUTE_READWRITE # Malfind indicators # - PAGE_EXECUTE_READWRITE protection (suspicious) # - MZ header in non-image VAD region # - Shellcode patterns at allocation start
# Common injection techniques # 1. Classic DLL Injection # - VirtualAllocEx + WriteProcessMemory + CreateRemoteThread
# 2. Process Hollowing # - CreateProcess (SUSPENDED) + NtUnmapViewOfSection + WriteProcessMemory
# 3. APC Injection # - QueueUserAPC targeting alertable threads
# 4. Thread Execution Hijacking # - SuspendThread + SetThreadContext + ResumeThread # Compare process lists vol -f memory.raw windows.pslist > pslist.txt vol -f memory.raw windows.psscan > psscan.txt diff pslist.txt psscan.txt # Hidden processes
# Check for DKOM (Direct Kernel Object Manipulation) vol -f memory.raw windows.callbacks
# Detect hooked functions vol -f memory.raw windows.ssdt # System Service Descriptor Table
# Dump hashes (requires hivelist first) vol -f memory.raw windows.hashdump
# LSA secrets vol -f memory.raw windows.lsadump
# Cached domain credentials vol -f memory.raw windows.cachedump
# Mimikatz-style extraction # Requires specific plugins/tools rule Suspicious_Injection { meta: description = "Detects common injection shellcode"
strings: // Common shellcode patterns $mz = { 4D 5A } $shellcode1 = { 55 8B EC 83 EC } // Function prologue $api_hash = { 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 } // Push hash, call
condition: $mz at 0 or any of ($shellcode*) }
rule Cobalt_Strike_Beacon { meta: description = "Detects Cobalt Strike beacon in memory"
strings: $config = { 00 01 00 01 00 02 } $sleep = "sleeptime" $beacon = "%s (admin)" wide
condition: 2 of them } # Scan all process memory vol -f memory.raw windows.yarascan --yara-rules rules.yar
# Scan specific process vol -f memory.raw windows.yarascan --yara-rules rules.yar --pid 1234
# Scan kernel memory vol -f memory.raw windows.yarascan --yara-rules rules.yar --kernel # Basic string extraction strings -a memory.raw > all_strings.txt
# Unicode strings strings -el memory.raw >> all_strings.txt
# Targeted extraction from process dump vol -f memory.raw windows.memmap --pid 1234 --dump strings -a pid.1234.dmp > process_strings.txt
# Pattern matching grep -E "(https?://|[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})" # FLOSS extracts obfuscated strings floss malware.exe > floss_output.txt
# From memory dump floss pid.1234.dmp
Minimize footprint : Use lightweight acquisition toolsDocument everything : Record time, tool, and hash of captureVerify integrity : Hash memory dump immediately after captureChain of custody : Maintain proper forensic handling
Start broad : Get overview before deep divingCross-reference : Use multiple plugins for same dataTimeline correlation : Correlate memory findings with disk/networkDocument findings : Keep detailed notes and screenshotsValidate results : Verify findings through multiple methods
Stale data : Memory is volatile, analyze promptlyIncomplete dumps : Verify dump size matches expected RAMSymbol issues : Ensure correct symbol files for OS versionSmear : Memory may change during acquisitionEncryption : Some data may be encrypted in memory 
Claude Sonnet 4.5