Memory Forensics

wait, what did i eat for breakfast?

Memory Forensics is the analysis of the volatile memory, mainly Random Access Memory (RAM).

Volatility

What is Volatility?

Volatility extracts digital artifacts from volatile memory (RAM) samples. memory capture file is like .bin, .mem, .raw, .sav, .vmem.

# OS information
python vol.py -f <filename> windows.info

# Process information
python vol.py -f <filename> windows.pslist
python vol.py -f <filename> windows.psscan
python vol.py -f <filename> windows.pstree

# Network connections
python vol.py -f <filename> windows.netscan

# Hidden processes
python vol.py -f <filename> windows.ldrmodules

# Detect malware
python vol.py -f <filename> windows.malfind

# DLL files
python vol.py -f <filename> windows.dlllist

External References

PreviousWindows Forensics NextBase32, Base64

Last updated 2 years ago