
Memory Forensics: A Step-by-Step Methodology

  • Sep 16
  • 2 min read

When you’re in the middle of an incident response, memory analysis is one of the most powerful ways to uncover what really happened on a compromised machine. RAM is volatile—it disappears once the system is powered down—so examining it quickly and thoroughly can give you insights into malware, lateral movement, persistence, and more.


This post will walk you through examining RAM and dumping processes using Volatility (standalone) on Windows. It’s not exhaustive, but it will get you started with the essential plugins and workflow.


-------------------------------------------------------------------------------------------------------------


Step 1: Identify the Operating System

Before diving into analysis, determine the operating system of the memory image.

windows.info.Info > info.txt

This will give you basic information about the image and help guide which plugins will work properly.


Step 2: Examine Processes

  1. List running processes:

windows.pslist.PsList > pslist.txt

  2. Do a process scan (check running PIDs and PPIDs):

windows.psscan.PsScan > processes.txt

  3. Look for hidden/rogue processes:

windows.psxview.PsXView > psxlist.txt

  4. List and analyze the DLLs loaded by suspicious processes:

windows.dlllist.DllList > dlllist.txt
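The reason for running both pslist and psscan is that they see the kernel from different angles: pslist walks the linked list of active processes, while psscan carves process structures straight out of physical memory. The script below, an added example that is not part of the original post, compares the two views the way psxview does. The Volatility 3 output embedded in it is constructed sample data, trimmed to the first columns (PID, PPID, ImageFileName, CreateTime, ExitTime); the process names and PIDs are invented.

```python
"""Cross-view process check on Volatility 3 text output.

A process that is still running (ExitTime N/A) but appears only in the
psscan view has been unlinked from the active-process list, which is the
classic way a process is hidden from pslist and Task Manager alike."""
from dataclasses import dataclass

# Constructed sample output (not real captures). Volatility 3 prints a banner,
# a Progress line and a tab-separated header before the rows; the rows here
# are trimmed to PID, PPID, ImageFileName, CreateTime, ExitTime.
PSLIST_OUTPUT = """Volatility 3 Framework 2.7.0
Progress:  100.00\t\tPDB scanning finished
PID\tPPID\tImageFileName\tCreateTime\tExitTime
4\t0\tSystem\t2024-09-16 08:00:01.000000 \tN/A
400\t4\tsmss.exe\t2024-09-16 08:00:02.000000 \tN/A
620\t400\tcsrss.exe\t2024-09-16 08:00:03.000000 \tN/A
1124\t620\texplorer.exe\t2024-09-16 08:00:20.000000 \tN/A
2040\t1124\tcmd.exe\t2024-09-16 09:12:44.000000 \tN/A
3500\t3312\tconhost.exe\t2024-09-16 09:15:03.000000 \tN/A
"""

PSSCAN_OUTPUT = """Volatility 3 Framework 2.7.0
PID\tPPID\tImageFileName\tCreateTime\tExitTime
4\t0\tSystem\t2024-09-16 08:00:01.000000 \tN/A
400\t4\tsmss.exe\t2024-09-16 08:00:02.000000 \tN/A
620\t400\tcsrss.exe\t2024-09-16 08:00:03.000000 \tN/A
1124\t620\texplorer.exe\t2024-09-16 08:00:20.000000 \tN/A
1900\t620\tnotepad.exe\t2024-09-16 08:30:00.000000 \t2024-09-16 08:45:10.000000 
2040\t1124\tcmd.exe\t2024-09-16 09:12:44.000000 \tN/A
3312\t1124\tsvch0st.exe\t2024-09-16 09:15:02.000000 \tN/A
3500\t3312\tconhost.exe\t2024-09-16 09:15:03.000000 \tN/A
"""


@dataclass(frozen=True, order=True)
class Proc:
    pid: int
    ppid: int
    name: str
    exit_time: str  # "N/A" while the process is still alive


def parse_vol3_processes(text: str) -> dict:
    """Parse pslist/psscan text output into a PID-keyed map of Proc."""
    procs = {}
    for line in text.splitlines():
        fields = [f.strip() for f in line.split("\t")]
        # Data rows start with a numeric PID; banner, Progress and header rows do not.
        if len(fields) < 5 or not fields[0].isdigit():
            continue
        pid, ppid, name, _created, exit_time = fields[:5]
        procs[int(pid)] = Proc(int(pid), int(ppid), name, exit_time)
    return procs


def unlinked_processes(pslist: dict, psscan: dict) -> list:
    """Still-running processes that psscan sees but pslist does not."""
    return sorted(p for pid, p in psscan.items()
                  if pid not in pslist and p.exit_time == "N/A")


def terminated_processes(psscan: dict) -> list:
    """Exited processes psscan recovered; these are absent from pslist by design."""
    return sorted(p for p in psscan.values() if p.exit_time != "N/A")


def orphaned_parents(procs: dict) -> list:
    """Processes whose parent PID is not in the same view: the parent has exited or is hidden."""
    return sorted(p for p in procs.values() if p.ppid != 0 and p.ppid not in procs)


if __name__ == "__main__":
    live = parse_vol3_processes(PSLIST_OUTPUT)
    carved = parse_vol3_processes(PSSCAN_OUTPUT)
    for p in unlinked_processes(live, carved):
        print(f"HIDDEN? pid={p.pid} ppid={p.ppid} {p.name}")
    for p in orphaned_parents(live):
        print(f"parent missing from pslist: pid={p.pid} ppid={p.ppid} {p.name}")
    for p in terminated_processes(carved):
        print(f"exited (normal to be scan-only): pid={p.pid} {p.name}")
```

Two signals come out of the constructed data: svch0st.exe (PID 3312) is alive but only visible to psscan, and conhost.exe in pslist points at a parent PID that pslist cannot see. Either alone is worth a look; together they are a strong lead. Exited processes turning up only in psscan is expected and is filtered out so it does not drown the real finding.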

Step 3: Network Connections

Check for active or historical network connections:

windows.netscan.NetScan > netscan.txt

Step 4: Registry and Execution Artifacts

  • UserAssist keys:

windows.registry.userassist.UserAssist > userassist.txt

  • Amcache:

windows.amcache.Amcache > amcache.txt

  • Shimcache (AppCompatCache):

windows.shimcachemem.ShimcacheMem > shimcache.txt

These registry-based artifacts often reveal executed programs, including those that may not show up in process lists.


Step 5: Dump Processes and DLLs

Create a directory inside your Volatility standalone folder for process dumps (Volatility 3 takes it with the -o option).

  • Dump all processes:

windows.pslist.PsList --dump

  • Or dump the DLLs of suspicious processes:

windows.dlllist.DllList --pid <PID> --dump

Once dumped, scan them with multiple antivirus engines. A quick way: right-click the directory and run scans.


Step 6: Look for Injected Code

Use malfind to find embedded/injected code within processes:

windows.malfind.Malfind > malfind.txt

Dump these results to the same directory and scan with AV.



Step 7: Search for IP Addresses

Use strings or bstrings to extract potential network indicators from memory. A plain search for the text "IP" only finds those two letters; match the dotted-quad shape instead:

strings memorydump.raw | findstr /R "[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*" > IP.txt
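A regex over the strings output still reports version numbers and out-of-range octets such as 999.1.1.1, and it misses addresses that Windows stores as UTF-16LE unless the strings tool is told to look for wide characters. The script below is an added example, not from the original post: it carves IPv4 addresses in both encodings from raw bytes, validates each candidate with the standard library, and drops unspecified, loopback, multicast, link-local and reserved addresses. The memory fragment it scans is a constructed byte string; 203.0.113.45 is a documentation-range address, not a real indicator.

```python
"""Carve IPv4 addresses from a raw memory image in ASCII and UTF-16LE form,
validating each candidate so that junk is not reported as an indicator."""
import ipaddress
import mmap
import re
from collections import Counter

# Digit/dot boundaries stop "1999.1.1.1" from yielding a bogus 999.1.1.1.
ASCII_IPV4 = re.compile(rb"(?<![0-9.])((?:[0-9]{1,3}\.){3}[0-9]{1,3})(?![0-9.])")
# Same shape with a NUL after every character, i.e. UTF-16LE as Windows stores strings.
WIDE_IPV4 = re.compile(
    rb"(?<![0-9.]\x00)((?:(?:[0-9]\x00){1,3}\.\x00){3}(?:[0-9]\x00){1,3})(?![0-9.]\x00)"
)

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed memory fragment (not a real capture): an ASCII HTTP request, a
# wide-string connection message, a gateway setting and three decoys.
SAMPLE = (
    b"\x00\x00GET / HTTP/1.1\r\nHost: 203.0.113.45\r\n\x00"
    + "connect 203.0.113.45:8443".encode("utf-16-le")
    + b"\x00\x00gateway=10.0.0.1\x00bad=999.1.1.1\x00ver=1999.1.1.1\x00bogus=0.0.0.0\x00"
)


def valid_candidate(text: str):
    """Return an IPv4Address for a plausible candidate, else None."""
    try:
        addr = ipaddress.IPv4Address(text)
    except ValueError:  # octet above 255, leading zeros, and similar
        return None
    if (addr.is_unspecified or addr.is_loopback or addr.is_multicast
            or addr.is_link_local or addr.is_reserved):
        return None
    return addr


def extract_ipv4(data) -> Counter:
    """Count validated IPv4 addresses in a bytes-like object (bytes or mmap)."""
    hits = Counter()
    for pattern, codec in ((ASCII_IPV4, "ascii"), (WIDE_IPV4, "utf-16-le")):
        for m in pattern.finditer(data):
            addr = valid_candidate(m.group(1).decode(codec))
            if addr is not None:
                hits[str(addr)] += 1
    return hits


def is_rfc1918(addr: str) -> bool:
    """Internal addresses point at lateral movement; others at external contact."""
    a = ipaddress.IPv4Address(addr)
    return any(a in net for net in RFC1918)


def scan_image(path: str) -> Counter:
    """Map the whole image read-only so multi-gigabyte dumps are not loaded into RAM."""
    with open(path, "rb") as f:
        with mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as mm:
            return extract_ipv4(mm)


if __name__ == "__main__":
    for addr, count in extract_ipv4(SAMPLE).most_common():
        scope = "internal" if is_rfc1918(addr) else "external"
        print(f"{addr:15} {scope:8} x{count}")
```

Run it against a real image with scan_image("memorydump.raw") and sort by count: the address that appears once in a wide string next to a process name is often more interesting than the one that appears thousands of times in a driver's update URL. The hit counts are still only leads; confirm them against the netscan output from Step 3.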



Step 8: Explore More Plugins

Volatility has many plugins beyond the basics. You can always check available options with:

volatility -h

Each case is different, so don’t limit yourself to just the above commands.



Bonus: Alternative Tool – MemProcFS

One of my favorite tools alongside Volatility is MemProcFS. Unlike Volatility, you don’t need to dump anything manually—everything is already “mounted” and accessible like a file system.




-------------------------------------------------------------------------------------------------------------


Note: The commands shown above are not full commands but rather the plugins you can use. You’ll need to run them with Volatility 3 in the proper format. The plugin names I’ve listed are there to guide you through which modules are useful during analysis.
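To show what that proper format looks like, here is an added example (not the post's own code) that assembles and runs the full Volatility 3 command lines for the plugins listed above. It assumes Volatility 3 is invoked as `python vol.py` from a source checkout, or via whatever path your standalone build lives at, and that the image name is a placeholder. The command-line options it uses are real Volatility 3 options: `-f` selects the image, `-o` is the directory that `--dump` writes files into, and `--pid` restricts a plugin to one process.

```python
"""Build and run full-form Volatility 3 command lines for the workflow."""
import subprocess
from pathlib import Path
from typing import Optional, Sequence

# (plugin, extra plugin arguments, file that captures the plugin's stdout)
WORKFLOW = [
    ("windows.info.Info", (), "info.txt"),
    ("windows.pslist.PsList", (), "pslist.txt"),
    ("windows.psscan.PsScan", (), "processes.txt"),
    ("windows.psxview.PsXView", (), "psxlist.txt"),
    ("windows.dlllist.DllList", (), "dlllist.txt"),
    ("windows.netscan.NetScan", (), "netscan.txt"),
    ("windows.registry.userassist.UserAssist", (), "userassist.txt"),
    ("windows.amcache.Amcache", (), "amcache.txt"),
    ("windows.shimcachemem.ShimcacheMem", (), "shimcache.txt"),
    ("windows.pslist.PsList", ("--dump",), "pslist_dump.txt"),   # process images land in the -o dir
    ("windows.malfind.Malfind", ("--dump",), "malfind.txt"),     # injected regions land in the -o dir
]


def build_command(vol: Sequence[str], image: str, plugin: str,
                  extra: Sequence[str] = (), dump_dir: Optional[str] = None) -> list:
    """argv = <vol> -f <image> [-o <dump_dir>] <plugin> [plugin args].

    Global options (-f, -o) must come before the plugin name; plugin options
    (--pid, --dump) come after it, or Volatility rejects them."""
    cmd = [*vol, "-f", image]
    if dump_dir is not None:
        cmd += ["-o", dump_dir]
    cmd += [plugin, *extra]
    return cmd


def plan_workflow(vol: Sequence[str], image: str, outdir: str) -> list:
    """Return (argv, output file) pairs without executing anything."""
    out = Path(outdir)
    dump_dir = str(out / "dumps")
    plan = []
    for plugin, extra, outfile in WORKFLOW:
        cmd = build_command(vol, image, plugin, extra,
                            dump_dir if "--dump" in extra else None)
        plan.append((cmd, out / outfile))
    return plan


def dll_dump_command(vol: Sequence[str], image: str, pid: int, dump_dir: str) -> list:
    """Dump the DLLs of one suspicious process rather than every DLL on the box."""
    return build_command(vol, image, "windows.dlllist.DllList",
                         ("--pid", str(pid), "--dump"), dump_dir)


def run_workflow(vol: Sequence[str], image: str, outdir: str, runner=subprocess.run) -> dict:
    """Run the plan, capture each plugin's stdout in its file, return exit codes by file name."""
    out = Path(outdir)
    (out / "dumps").mkdir(parents=True, exist_ok=True)
    codes = {}
    for cmd, outfile in plan_workflow(vol, image, outdir):
        with open(outfile, "w", encoding="utf-8") as fh:
            proc = runner(cmd, stdout=fh, stderr=subprocess.PIPE, text=True)
        codes[outfile.name] = proc.returncode
        if proc.returncode != 0:
            print(f"{' '.join(cmd)} failed:\n{proc.stderr}")
    return codes


if __name__ == "__main__":
    import sys
    # usage: python run_vol_workflow.py <image.raw> <case directory>
    # assumes vol.py is in the current directory (placeholder assumption)
    run_workflow(["python", "vol.py"], sys.argv[1], sys.argv[2])
```

Every plugin's text lands in its own file under the case directory and everything written by `--dump` goes to the dumps subdirectory, which is the folder you then hand to the antivirus scan from Step 5. The runner argument exists so the plan can be exercised without a real image, and so a failing plugin (for example one that does not exist in an older Volatility 3 release) is reported instead of silently producing an empty file.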

-------------------------------------------------------------------------------------------------------------


Final Thoughts

These steps and plugins are enough to get you started with memory analysis during an investigation. As you get deeper into cases, you’ll find yourself using other plugins or combining results with disk/timeline analysis.


The main takeaway:

  • Start broad with processes and network activity

  • Narrow down to execution artifacts and persistence

  • Always dump and scan suspicious processes

  • Correlate memory findings with disk and event log evidence


Memory doesn’t lie—if something malicious ran, you’ll find traces of it here.
Happy hunting!

-------------------------------------------------------------------------------------------------------------

Dean

