
Moving Forward with Memory Analysis: From Volatility to MemProcFS : Part 3


This is the last article in the series on memory analysis using MemProcFS.

Cached Files in MemProcFS

The Windows operating system caches a large number of files in memory. This includes:

  • Frequently used system artifacts such as registry hives, Prefetch files, and the $MFT

  • Memory-mapped files like executables and DLLs

  • Recently accessed user files such as Word documents, PDFs, and log files

  • Files opened from removable media (USB) or even encrypted containers


All of these cached items are tracked in memory through kernel data structures called File_Objects (the _FILE_OBJECT structure), which carry the file name, the owning volume and the section object backing the cached data.

Processes reference these File_Objects through:


  • their process handle table

  • their Virtual Address Descriptor (VAD) tree, whose entries describe memory-mapped sections backed by files


Memory forensics tools can enumerate these structures and use the embedded metadata to reconstruct and extract cached files.



Cached File Recovery in MemProcFS

In MemProcFS, cached files are exposed as individual files within the virtual filesystem. You can either:

  • copy them out for offline analysis, or

  • analyze them directly from the mounted drive.


Cached files are represented under each process's files folder in the virtual filesystem (M:\pid\<pid>\files\), and MemProcFS provides three complementary methods, each exposed as its own sub-folder, to recover them:


1. handles

Recovers cached files by following process handles that reference File_Objects.


2. modules

Recovers .exe, .dll, and .sys files using:

  • the loaded-module list in the Process Environment Block (PEB)

  • PE header information (to size and lay out the image)


3. vads

Attempts file reconstruction using VAD tree mappings, which is especially useful for memory-mapped files.


Together, these three methods provide one of the most powerful and comprehensive cached-file recovery capabilities available in memory forensics tools.


Forensic File Reconstruction (M:\forensic\files)

When MemProcFS is run with forensic mode enabled (the -forensic command-line option), it goes a step further. It:

  • enumerates all recoverable File_Objects across every process

  • reconstructs them into a virtualized filesystem under M:\forensic\files

Instead of pivoting through a specific process, you can search all recovered files at once using:

M:\forensic\csv\files.csv

You can then access recovered files via:

M:\forensic\files\ROOT\

These files can be:

  • copied out

  • opened directly (hex editor, Office apps, image viewers, etc.)


Important caveat:

Memory is not guaranteed to be complete. Only pages that were resident at capture time can be recovered, so files may be:

  • partially paged out (those pages are simply missing from the recovered copy)

  • corrupted or incomplete

Viewers that tolerate corruption are preferred, and a recovered file should be checked for gaps before any conclusion is drawn from it.
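The handles/modules/vads recovery above and the caveat that follows it both come down to one question: how much of a recovered file is actually present? The script below is an added example, not MemProcFS code or the author's. It assumes (as a working hypothesis, not a documented guarantee) that pages the tool could not read come back zero-filled, so an all-zero 4 KiB page is treated as a likely gap; a genuinely zero page looks identical, so this is a heuristic. For PE images recovered via modules or vads the layout is the in-memory image, so gaps are attributed to sections by VirtualAddress. The sample image is constructed inline; in a case you would point it at a file under M:\pid\<pid>\files\modules\ or M:\forensic\files\ROOT\.

```python
"""Check a file recovered from memory for missing (paged-out) pages.

Added example, not MemProcFS code. Assumption: unreadable pages are
zero-filled in the recovered copy, so an all-zero 4 KiB page is a likely
gap (heuristic: a real zero page is indistinguishable).
"""
import struct

PAGE = 0x1000


def zero_pages(data: bytes) -> list[int]:
    """Indices of 4 KiB pages that contain only zero bytes."""
    return [i // PAGE for i in range(0, len(data), PAGE)
            if not data[i:i + PAGE].strip(b"\0")]


def pe_header_info(data: bytes):
    """Parse enough of a PE header to get SizeOfImage and the section table.
    Returns None if the header is not an intact PE (e.g. the first page is gone)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    num_sections, = struct.unpack_from("<H", data, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", data, e_lfanew + 20)
    opt = e_lfanew + 24
    if opt_size < 60 or opt + opt_size + 40 * num_sections > len(data):
        return None
    # SizeOfImage sits at offset 56 of the optional header for both PE32 and PE32+
    size_of_image, = struct.unpack_from("<I", data, opt + 56)
    sections = []
    for n in range(num_sections):
        name, vsize, vaddr = struct.unpack_from("<8sII", data, opt + opt_size + 40 * n)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vaddr": vaddr, "vsize": vsize})
    return {"size_of_image": size_of_image, "sections": sections}


def completeness_report(data: bytes) -> dict:
    """Summarise how much of a recovered file is actually present."""
    pages = zero_pages(data)
    info = pe_header_info(data)
    report = {"size": len(data), "zero_pages": pages, "is_pe": info is not None,
              "truncated": None, "gaps_by_section": {}}
    if info is None:
        return report
    report["truncated"] = len(data) < info["size_of_image"]
    for p in pages:                       # attribute each empty page to its section
        off = p * PAGE
        for s in info["sections"]:
            if s["vaddr"] <= off < s["vaddr"] + max(s["vsize"], PAGE):
                report["gaps_by_section"][s["name"]] = report["gaps_by_section"].get(s["name"], 0) + 1
    return report


def build_sample_image() -> bytes:
    """Constructed 3-page PE32+ image: a header page, a resident .text page and a
    .data page that is all zeros, standing in for a page that was not in RAM."""
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                                  # e_lfanew
    hdr += struct.pack("<4sHHIIIHH", b"PE\0\0", 0x8664, 2, 0, 0, 0, 240, 0x22)  # COFF header
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                                    # PE32+ magic
    struct.pack_into("<II", opt, 32, PAGE, PAGE)                             # Section/FileAlignment
    struct.pack_into("<I", opt, 56, 3 * PAGE)                                # SizeOfImage
    hdr += opt
    for name, vaddr in ((b".text", PAGE), (b".data", 2 * PAGE)):
        hdr += struct.pack("<8sIIIIIIHHI", name, PAGE, vaddr, PAGE, vaddr, 0, 0, 0, 0, 0)
    hdr += bytes(PAGE - len(hdr))
    text = b"\x48\x31\xC0\xC3" + bytes(PAGE - 4)   # xor eax,eax ; ret, then padding
    return bytes(hdr) + text + bytes(PAGE)         # .data page entirely zero


if __name__ == "__main__":
    import sys
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_image()
    print(completeness_report(blob))
```

A non-PE file (a document recovered via handles) still gets the zero-page scan; only the section attribution and the truncation check need the PE header. If the first page itself is missing, pe_header_info returns None and the file should be treated as unidentified rather than as a broken PE.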



NTFS Forensics from Memory

The M:\forensic\ntfs folder lets analysts browse the file system structure of the original volume, reconstructed from the $MFT records that were resident in memory.


Behind the scenes, MemProcFS:

  • locates the NTFS Master File Table ($MFT)

  • virtualizes it into a browsable file hierarchy


This lets you explore the file system hierarchy as it existed on the original machine, from memory alone. Because the view is rebuilt from whatever $MFT records were resident at capture time, it is a partial picture of the volume, not a substitute for a disk image.


Timeline Analysis

MemProcFS also generates timelines in two forms:

  • text timelines under M:\forensic\timeline\

  • CSV timelines under M:\forensic\csv\

The timeline_ntfs.csv file contains file system events, while the other timelines cover different in-memory artifacts (processes, services, registry and so on).

CSV timelines can be opened immediately in tools like Timeline Explorer for filtering and correlation; the usual first move is to merge several of them and look at everything that happened within a minute or two of one suspicious timestamp.
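The merge-and-pivot step described above, as an added example that is not part of MemProcFS or the original post. The column names (time, type, action, description), the source labels and the rows are constructed assumptions standing in for slices of timeline_ntfs.csv and two other timelines under M:\forensic\csv\; map them onto the real header before use. Times are assumed to be UTC.

```python
"""Merge timeline CSVs and pull events around a pivot time.

Added example, not MemProcFS code. Column names, source labels and rows
are constructed assumptions; adjust to the real CSV headers.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

TIME_FMT = "%Y-%m-%d %H:%M:%S"

# Constructed slices of three timelines (assumed column layout).
SAMPLE_TIMELINES = {
    "ntfs": (
        "time,type,action,description\n"
        "2024-03-01 10:15:02,NTFS,CRE,\\Users\\Public\\update.exe\n"
        "2024-03-01 10:15:20,NTFS,MOD,\\Windows\\Prefetch\\UPDATE.EXE-1A2B3C4D.pf\n"
        "2024-03-01 12:30:00,NTFS,MOD,\\Users\\alice\\Documents\\notes.docx\n"
    ),
    "service": (
        "time,type,action,description\n"
        "2024-03-01 10:15:03,SVC,CRE,UpdSvc -> C:\\Users\\Public\\update.exe\n"
    ),
    "process": (
        "time,type,action,description\n"
        "2024-03-01 10:15:05,PROC,CRE,update.exe PID 4120\n"
    ),
}


def parse_time(text: str) -> datetime:
    """Timeline timestamps are assumed to be UTC without an offset."""
    return datetime.strptime(text, TIME_FMT).replace(tzinfo=timezone.utc)


def load_timeline(source: str, text: str) -> list[dict]:
    """Parse one CSV body into event dicts tagged with their source timeline."""
    return [
        {"time": parse_time(row["time"]), "source": source, "type": row["type"],
         "action": row["action"], "description": row["description"]}
        for row in csv.DictReader(io.StringIO(text))
    ]


def merge_timelines(sources: dict[str, str]) -> list[dict]:
    """Union of all timelines, sorted so cross-artifact sequences become visible."""
    events = [e for name, text in sources.items() for e in load_timeline(name, text)]
    return sorted(events, key=lambda e: (e["time"], e["source"]))


def events_around(events: list[dict], pivot: str, before: int = 60, after: int = 60) -> list[dict]:
    """Events within [pivot - before, pivot + after] seconds of a known-bad timestamp."""
    p = parse_time(pivot)
    lo, hi = p - timedelta(seconds=before), p + timedelta(seconds=after)
    return [e for e in events if lo <= e["time"] <= hi]


def format_event(e: dict) -> str:
    return f'{e["time"].strftime(TIME_FMT)} {e["source"]:<8} {e["type"]:<5} {e["action"]:<4} {e["description"]}'


if __name__ == "__main__":
    merged = merge_timelines(SAMPLE_TIMELINES)
    # Pivot on the process creation; the file write, service creation and
    # Prefetch update around it show up together regardless of source CSV.
    for e in events_around(merged, "2024-03-01 10:15:05"):
        print(format_event(e))
```

Reading the real files is a matter of replacing the constructed dictionary with the contents of the CSVs you want to correlate; the sort key keeps the output deterministic when two sources share a timestamp.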


Registry Artifacts from Memory

The M:\registry folder exposes memory-resident registry data.


You can:

  • browse keys and values directly

  • export reconstructed hives from M:\registry\hive_files

Exported hives are often partial or corrupted, so direct navigation is frequently the better option.



Services and Scheduled Tasks

Services and scheduled tasks are heavily abused by attackers for:

  • persistence

  • execution

  • lateral movement


MemProcFS exposes this data in two ways:

Virtualized View

M:\sys\services
M:\sys\tasks

CSV View

M:\forensic\csv\

These views include:

  • start type (AUTO_START is commonly abused)

  • full executable paths and arguments

  • timestamps

  • associated users


Pro Tip

Most services run as LocalSystem, LocalService, NetworkService or a virtual service account (NT SERVICE\...). A service or task configured to run under an ordinary user account, especially one that is AUTO_START or whose binary lives in a user-writable directory such as AppData, Temp or Users\Public, deserves closer inspection.
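The triage rules just described, turned into a script you can run over the services or tasks CSV. This is an added example, not MemProcFS code or the author's. The column names (Name, StartType, User, Path) and the sample rows are constructed assumptions; check them against the real header of the CSV under M:\forensic\csv\ before using it on a case.

```python
"""Triage rows from the MemProcFS services/tasks CSV views.

Added example, not MemProcFS code. Column names and sample rows are
constructed assumptions; map them to the real CSV header first.
"""
import csv
import io
import re

SYSTEM_ACCOUNTS = {
    "localsystem", "nt authority\\system",
    "nt authority\\localservice", "nt authority\\networkservice",
}
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Directories an unprivileged user can normally write to (ProgramData root included).
USER_WRITABLE = ("\\temp\\", "\\appdata\\", "\\users\\public\\", "\\programdata\\", "\\downloads\\")

SAMPLE_SERVICES = (
    "Name,StartType,User,Path\n"
    "Dhcp,AUTO_START,NT AUTHORITY\\LocalService,C:\\Windows\\system32\\svchost.exe -k LocalServiceNetworkRestricted\n"
    "Spooler,AUTO_START,LocalSystem,C:\\Windows\\System32\\spoolsv.exe\n"
    "UpdSvc,AUTO_START,DESKTOP-1\\alice,C:\\Users\\Public\\update.exe\n"
    "WdiServiceHost,DEMAND_START,NT AUTHORITY\\LocalService,C:\\Windows\\System32\\svchost.exe -k LocalService\n"
    "Backup,AUTO_START,LocalSystem,C:\\Users\\bob\\AppData\\Roaming\\bk\\bk.exe --svc\n"
)


def image_path(cmdline: str) -> str:
    """Executable part of a service/task command line (quoted or bare), lower-cased."""
    m = re.match(r'"([^"]+)"|(\S+)', cmdline.strip())
    return (m.group(1) or m.group(2)).lower() if m else ""


def is_system_account(user: str) -> bool:
    u = user.strip().lower()
    return u in SYSTEM_ACCOUNTS or u.startswith("nt service\\")


def triage(csv_text: str) -> list[dict]:
    """Return the rows worth a closer look, each with the reasons it was flagged."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        exe = image_path(row["Path"])
        reasons = []
        if row["StartType"].upper() == "AUTO_START" and not is_system_account(row["User"]):
            reasons.append("auto-start under user account")
        if any(d in exe for d in USER_WRITABLE):
            reasons.append("binary in user-writable directory")
        elif exe and not exe.startswith(TRUSTED_DIRS):
            reasons.append("binary outside Windows/Program Files")
        if reasons:
            findings.append({"name": row["Name"], "user": row["User"], "exe": exe, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_SERVICES):
        print(f'{f["name"]:<16} {f["user"]:<28} {f["exe"]}  <- {"; ".join(f["reasons"])}')
```

Two flags on one row (auto-start as a user and a binary under Users\Public, as with the constructed UpdSvc entry) is the classic persistence profile; a LocalSystem service whose binary sits under a user's AppData, as with the constructed Backup entry, is the second pattern worth pulling the file for, which is exactly where the cached-file recovery from earlier in this article comes in.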


------------------------------------------------------------------------------------------------------------

Final Thoughts

Being able to extract:

  • cached files

  • NTFS metadata

  • registry keys

  • services and tasks

directly from memory can be a game changer during investigations.

------------------------------------------------Dean--------------------------------------------------------

MemProcFS turns memory analysis from a purely command-line exercise into an interactive forensic workflow, dramatically reducing investigation time and increasing visibility.

Don't forget to check out the complete memory forensics series (link below).
 
 
 