Memory forensics catches what disk forensics misses — running malware, in-RAM credentials, injected processes, and rootkit hooks. Volatility 3 modernized the framework with Python 3, symbol-driven analysis, and a cleaner plugin model. Here’s how to actually use it.
Acquiring Memory
Windows: WinPmem, FTK Imager, or DumpIt. Linux: LiME or AVML. Always:
- Acquire before any other intrusive action — even running
psperturbs the image. - Hash immediately (SHA-256) and chain-of-custody the file.
- Capture page file (
pagefile.sys) alongside RAM — Volatility 3 can ingest it for completeness.
# Linux acquisition with AVML
sudo ./avml /case/$(hostname)-$(date +%Y%m%d).lime
sha256sum /case/*.lime > /case/hashes.txt
First-Pass Triage
# Identify the OS and build
vol -f mem.raw windows.info
# Process list (uses _EPROCESS walking — catches DKOM but not all hiding)
vol -f mem.raw windows.pslist
# Process list cross-referenced with handle and thread tables
vol -f mem.raw windows.psscan
# Tree view — parent/child relationships
vol -f mem.raw windows.pstree
The pair pslist + psscan is the classic anti-rootkit comparison: any process present in psscan but missing from pslist is hidden via Direct Kernel Object Manipulation.
Hunting Injected Code
# Memory regions marked executable but private (classic injection signature)
vol -f mem.raw windows.malfind
# DLL-load anomalies
vol -f mem.raw windows.dlllist --pid 1234
# Network connections (TCP and UDP)
vol -f mem.raw windows.netscan
malfind flags every RWX private region. False positives include .NET JIT, but in a triage context the noise is manageable. Hits in lsass.exe, svchost.exe, or explorer.exe are particularly suspicious.
Credential Recovery
Memory often contains:
- NTLM hashes (LSASS) via
windows.hashdump - Kerberos tickets via
windows.lsadump(and offline replay) - Cleartext credentials in browsers, RDP clients, and forgotten input fields
vol -f mem.raw windows.hashdump
vol -f mem.raw windows.lsadump
vol -f mem.raw windows.cachedump
Timeline Reconstruction
A timeline of process creation gives you the attack story:
# Process timeline
vol -f mem.raw timeliner.Timeliner
# Filesystem MFT
vol -f mem.raw windows.mftscan.MFTScan
Pipe through mactime or import into Plaso for cross-source correlation with disk and event log artifacts.
Rootkit Hunting
# SSDT hook check (legacy but still relevant)
vol -f mem.raw windows.ssdt
# Driver list — look for unsigned, unusual loads
vol -f mem.raw windows.modules
# Callbacks (PsSetCreateProcessNotifyRoutine etc.)
vol -f mem.raw windows.callbacks
Modern rootkits hide via PG-bypass tricks rather than SSDT hooks, but every once in a while you’ll still see a Mimikatz mini-driver or an older toolkit show up.
Linux Notes
Linux Volatility 3 requires kernel symbol tables (.json.xz files). Build with dwarf2json from the target host’s vmlinux or matching kernel debug package. Without symbols, you’re limited to raw string carving.
vol -f linux.lime -s ./symbols linux.pslist.PsList
Practical Workflow
For real IR cases:
- Acquire memory + page file.
- Run
windows.info,pslist,pstree,netscan,malfind— five plugins that cover 80% of triage. - Cross-reference suspicious PIDs against disk artifacts (Prefetch, AmCache, RecentApps).
- Dump suspicious processes (
windows.dumpfiles --pid X) for static analysis.