Memory Forensics

wait, what did I eat for breakfast?

Memory forensics is the analysis of volatile memory, mainly Random Access Memory (RAM), captured from a running system.

Volatility

What is Volatility?

  • Volatility extracts digital artifacts from volatile memory (RAM) samples. Memory capture files commonly use extensions such as .bin, .mem, .raw, .sav or .vmem. The commands below use Volatility 3 plugin names (windows.*).

# OS information
python vol.py -f <filename> windows.info

# Process information
python vol.py -f <filename> windows.pslist
python vol.py -f <filename> windows.psscan
python vol.py -f <filename> windows.pstree

# Network connections
python vol.py -f <filename> windows.netscan

# Hidden or unlinked DLLs per process (for hidden processes, compare pslist with psscan)
python vol.py -f <filename> windows.ldrmodules

# Injected code / suspicious executable memory regions
python vol.py -f <filename> windows.malfind

# DLL files
python vol.py -f <filename> windows.dlllist
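As an added example (not part of the original cheat sheet), the pslist/psscan cross-check an analyst runs to spot processes unlinked from the kernel's process list, in Python over constructed sample output in Volatility 3's tab-separated layout:

```python
# Constructed sample output in the tab-separated layout Volatility 3 prints
# (a real run also prints the framework banner and a Progress line, as here).
PSLIST_OUTPUT = """Volatility 3 Framework 2.5.0
Progress:  100.00\t\tPDB scanning finished
PID\tPPID\tImageFileName\tOffset(V)\tThreads\tHandles\tSessionId\tWow64\tCreateTime\tExitTime\tFile output

4\t0\tSystem\t0xfa8000c8f040\t87\t560\tN/A\tFalse\t2021-01-01 00:00:00.000000 \tN/A\tDisabled
1104\t816\texplorer.exe\t0xfa8001f0d060\t22\t600\t1\tFalse\t2021-01-01 00:01:10.000000 \tN/A\tDisabled
"""
PSSCAN_OUTPUT = """Volatility 3 Framework 2.5.0
Progress:  100.00\t\tPDB scanning finished
PID\tPPID\tImageFileName\tOffset(P)\tThreads\tHandles\tSessionId\tWow64\tCreateTime\tExitTime\tFile output

4\t0\tSystem\t0x3c8f040\t87\t560\tN/A\tFalse\t2021-01-01 00:00:00.000000 \tN/A\tDisabled
1104\t816\texplorer.exe\t0x1f0d060\t22\t600\t1\tFalse\t2021-01-01 00:01:10.000000 \tN/A\tDisabled
2212\t1104\tnotepad.exe\t0x2a11060\t0\t0\t1\tFalse\t2021-01-01 00:02:00.000000 \t2021-01-01 00:03:00.000000 \tDisabled
2960\t1104\tupdater.exe\t0x2b77060\t4\t120\t1\tFalse\t2021-01-01 00:04:00.000000 \tN/A\tDisabled
"""


def parse_volatility_table(output):
    """Parse a Volatility 3 table into row dicts keyed by the column names."""
    header, rows = None, []
    for line in output.splitlines():
        if header is None:
            if line.startswith("PID\t"):   # everything before the header is banner noise
                header = line.split("\t")
            continue
        fields = [f.strip() for f in line.split("\t")]
        if len(fields) == len(header):      # skips blank and truncated lines
            rows.append(dict(zip(header, fields)))
    return rows


def find_unlinked_processes(pslist_out, psscan_out):
    """psscan rows whose PID pslist never listed and whose ExitTime is N/A.
    pslist walks the kernel's doubly linked process list; psscan carves
    _EPROCESS structures from physical memory, so a still-running process
    that only psscan reports has been unlinked from that list (DKOM)."""
    listed = {r["PID"] for r in parse_volatility_table(pslist_out)}
    return [r for r in parse_volatility_table(psscan_out)
            if r["PID"] not in listed and r["ExitTime"] == "N/A"]


if __name__ == "__main__":
    for proc in find_unlinked_processes(PSLIST_OUTPUT, PSSCAN_OUTPUT):
        print(f"unlinked: PID {proc['PID']} {proc['ImageFileName']} (parent {proc['PPID']})")
```

Terminated processes (notepad.exe above) also appear only in psscan, which is why ExitTime is checked; a PID reused after exit still needs a manual look at CreateTime and the parent.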
