Skip to content

CH8: Windows Memory Forensics – Part 1

Chapter Overview

In our previous chapters, we focused on "Dead Box" forensics—analyzing the hard drive of a system that has been powered down. While the hard drive tells us what was stored on the computer, it often fails to tell us what was happening at the specific moment of a crime.

This chapter marks a significant shift in your skillset: Memory Forensics.

Random Access Memory (RAM) is the "crime scene" where the action takes place. It contains passwords in plain text, encryption keys, chat messages that were never saved to disk, and—most importantly—advanced malware that lives entirely in memory to avoid detection. In this chapter, we will explore the architecture of Windows memory, the strict volatility order you must follow at a crime scene, the tools used to carefully acquire a memory image, and how to install and utilize the industry-standard framework Volatility 3 to hunt down threats.

Learning Objectives

By the end of this chapter, you will be able to:

  • Analyze the Order of Volatility (RFC 3227) and justify why memory acquisition must precede disk acquisition in every forensic workflow.
  • Explain Windows memory management concepts, including Virtual Memory, Paging, and the distinction between Kernel Space and User Space.
  • Identify common malware hiding techniques such as DLL Injection and Direct Kernel Object Manipulation (DKOM).
  • Evaluate different memory acquisition tools and execute a live RAM capture using best practices to minimize the forensic footprint.
  • Demonstrate the process of installing Volatility 3 and its dependencies from scratch on a forensic workstation.
  • Deploy the Volatility 3 framework to analyze a memory image, utilizing plugins like info, pslist, and malfind to verify the image and identify malicious processes.

8.1 Introduction: The Volatile Crime Scene

Imagine a suspect is writing a ransom note in a text editor but hasn't clicked "Save" yet. Or imagine they have entered the password to decrypt a TrueCrypt volume. If you pull the plug (power down the machine), that information vanishes instantly. This is the nature of Volatility.

Memory Forensics is the art of analyzing the volatile data in a computer’s Random Access Memory (RAM). For years, traditional forensics ignored RAM because it was considered too difficult to capture. Today, with the rise of "Fileless Malware" (malware that never writes a file to the hard drive), memory forensics is mandatory for incident response.

8.2 The Order of Volatility (RFC 3227) Revisited

Before we touch a keyboard, we must review a fundamental principle of digital forensics: The Order of Volatility.

When you arrive at a live crime scene, you cannot collect everything at once. You must prioritize data based on its "life expectancy." If you copy the hard drive first, the time it takes to do so (hours) ensures that the data in RAM will be overwritten or lost. Furthermore, the act of interacting with the system changes it.

RFC 3227 establishes the standard order of collection, from most volatile (lasts nanoseconds) to least volatile (lasts years):

  1. Registers and Cache: (CPU L1/L2/L3 caches). These change in nanoseconds. They are extremely difficult to capture without specialized hardware triggers and are usually outside the scope of standard forensics.
  2. Routing Table, ARP Cache, Process Table, Kernel Statistics, Memory (RAM):
    • This is our focus. This data exists only while power is applied.
    • Critical Note: This includes the Routing Table and ARP Cache. If you unplug the network cable before capturing RAM, you lose the active network connections that prove the suspect was talking to a command-and-control server.
  3. Temporary File Systems: (Swap space, Pagefile). These reside on the disk but act like memory.
  4. Disk: (Hard drives, SSDs). This data persists after power is removed.
  5. Remote Logging and Monitoring Data: (SIEM logs, Firewall logs). This data is stored on a separate server and is safe from local decay.
  6. Physical Configuration and Network Topology: The layout of the cables and devices.
  7. Archival Media: (CD-ROMs, Backup Tapes).

The Golden Rule: Always capture RAM before you pull the plug. If you encounter a computer that is running, and you shut it down without capturing memory, you have likely destroyed the only evidence of encryption keys and active malware connections.

8.3 Windows Memory Architecture

To analyze memory, you must understand how Windows manages it. It is not just a flat bucket of data; it is a complex, structured environment.

8.3.1 Physical vs. Virtual Memory

  • Physical Memory: The actual hardware RAM chips installed in the motherboard (e.g., 16GB of DDR4).
  • Virtual Memory: An abstraction layer used by the Operating System. Windows gives every program (Process) its own "private" view of memory. A 32-bit application "thinks" it has 4GB of space, even if the computer only has 2GB of physical RAM.

The Page File Connection: When physical RAM fills up, Windows moves the least-used chunks of data (pages) to the pagefile.sys on the hard disk.

  • Forensic Note: This means "Memory Forensics" sometimes overlaps with "Disk Forensics." Evidence of a running program might be found in the pagefile.sys even if the computer is turned off.

8.3.2 Kernel Space vs. User Space

Windows divides virtual memory into two secure zones:

  1. User Space (Ring 3): Where standard applications run (Word, Chrome, Discord). These programs have limited privileges and cannot talk directly to hardware.
  2. Kernel Space (Ring 0): Where the core Operating System (Kernel) and hardware drivers run. This area has unrestricted access to everything.

Critical Concept: Advanced malware (Rootkits) tries to invade Kernel Space. If malware gets into the kernel, it can "lie" to the operating system, hiding files and processes from the Task Manager.

8.4 Understanding Malware in Memory

Why do we look in memory? Because malware authors know we look at the disk. To evade antivirus and forensic examiners, they use sophisticated techniques.

8.4.1 Hiding Techniques

  1. DLL Injection: Instead of running a suspicious file like evil.exe, the malware forces a legitimate process (like notepad.exe or svchost.exe) to load a malicious library (DLL). To the observer, it just looks like Notepad is running, but inside memory, Notepad is executing malicious code.

  2. Direct Kernel Object Manipulation (DKOM): This is the "Invisibility Cloak." Windows keeps a list of running processes in a structure called the EPROCESS list (a doubly linked list).

    • The Trick: Malware modifies this list in kernel memory to "unlink" itself. It tells the process before it: "Point to the guy after me."
    • The Result: The malware is still running and using CPU, but it does not appear in Task Manager, Tasklist, or standard monitoring tools. Volatility can detect this by cross-referencing different memory structures.

8.5 Memory Acquisition: Tools and Best Practices

Before we can analyze memory, we must acquire it. Because the computer is powered on and running, we are conducting Live Forensics. This presents a paradox: the very act of running a program to capture memory requires the use of memory, thereby overwriting potential evidence. This is known as the investigator's "footprint."

The Cardinal Rules of Memory Acquisition:

  1. Run tools from a trusted, external USB drive: Never install an acquisition tool onto the suspect's hard drive.
  2. Save the output to your external USB drive: Never write the .raw memory dump file to the suspect's local disk, as this will overwrite massive amounts of unallocated space and destroy deleted files.
  3. Minimize your footprint: Use the lightest, fastest tool possible to avoid overwriting active RAM.

Because modern Windows operating systems heavily restrict direct access to physical memory for security reasons, all memory acquisition tools must load a specialized kernel-mode driver to bypass these protections and read the RAM.

8.5.1 Industry Standard Acquisition Tools

There is no single "perfect" tool; an examiner should carry multiple options on their response drive in case one fails or is blocked by local security policies.

1. DumpIt DumpIt is a highly regarded, ultra-lightweight command-line utility. Originally created by Matthieu Suiche (Comae Technologies) and now often associated with Magnet Forensics, it is a favorite among incident responders.

  • Pros: Exceptionally small footprint, incredibly fast, requires zero configuration (just double-click the executable on the USB), and operates entirely via a simple command-line prompt.
  • Cons: Minimal options for customization or advanced configuration. It simply dumps all physical memory to a .raw file in the directory it is executed from.

2. WinPmem WinPmem is a powerful, open-source memory acquisition tool that is part of the Velocidex suite. It is widely respected for its transparency and capability.

  • Pros: Free and open-source. It supports creating raw images as well as the advanced AFF4 format (which allows for compression and metadata inclusion). It is highly customizable via the command line.
  • Cons: Strictly a command-line interface tool, which can be intimidating for beginners. Because it offers many parameters, running it incorrectly could result in a failed or corrupted capture.

3. Magnet RAM Capture A free tool provided by Magnet Forensics, designed to be simple and effective for both law enforcement and corporate investigators.

  • Pros: Very small memory footprint, actively maintained to bypass modern Windows security updates, and offers both a graphical user interface (GUI) and a command-line option.
  • Cons: Using the GUI version naturally consumes slightly more memory than pure CLI tools like DumpIt, marginally increasing the forensic footprint.

4. AccessData FTK Imager FTK Imager is one of the most famous tools in digital forensics, primarily known for acquiring hard drives. However, it also features a built-in "Capture Memory" function.

  • Pros: Extremely reliable, well-documented, and universally accepted in court. It provides a familiar GUI for examiners who are already using it for disk imaging.
  • Cons: It is a "heavy" application. Launching a full GUI forensic suite like FTK Imager on a live system requires significantly more RAM and CPU overhead than standalone tools, meaning you will overwrite more of the suspect's volatile data just to run the program. It is generally recommended to use lighter tools if memory is your sole initial target.

8.5.2 Tool Comparison Matrix

Tool Interface Footprint Best Used For
DumpIt CLI Very Small Rapid triage, minimizing evidence destruction.
WinPmem CLI Small Open-source workflows, advanced AFF4 output formats.
Magnet RAM Capture GUI / CLI Small Easy, reliable capture with minimal fuss.
FTK Imager GUI Large All-in-one disk and memory acquisition when footprint is less of a concern.

8.6 Deep Dive: The Volatility 3 Framework

Once you have acquired a raw memory dump (using one of the tools above), you need to analyze it. You cannot open a .raw or .dmp file in a text editor. You need a tool that can map the raw binary data to Windows structures.

The industry standard for this is Volatility.

8.6.1 How Volatility Works (Symbols vs. Profiles)

If you search online tutorials, you will see references to "Volatility 2" and "Profiles" (e.g., --profile=Win10x64_19041). Forget this. Volatility 2 is legacy software.

Volatility 3 (the current standard) completely changed the architecture. It no longer uses hard-coded profiles. Instead, it uses Symbol Tables (specifically Intermediate Symbol Format or ISF).

  1. Detection: When you load a memory image, Volatility 3 scans it to find the Windows Kernel executable (ntkrnlmp.exe).
  2. Hashing: It hashes that kernel file.
  3. Mapping: It reaches out to Microsoft's public Symbol Server (via the internet), downloads the "Debug Symbols" (PDB files) that match that specific kernel hash, and generates a translation map.
  4. Translation: It uses that map to translate the hex data into human-readable lists of processes and files.

Field Warning: If your forensic workstation is offline (air-gapped), Volatility 3 will fail to download symbols. You must manually download the required PDB files on a connected machine and transfer them to the offline machine's volatility3/symbols directory.

8.6.2 Installation and Dependencies

If you are used to double-clicking a .exe file and clicking "Next" to install software, Volatility 3 will feel a bit different. It is a Python-based framework, meaning it runs entirely through your Command Prompt or Terminal. You must set up the environment yourself by typing in specific commands. Don't worry if you are new to the command line; we will walk through it step-by-step.

Prerequisites:

  • Python 3: Volatility is written in the Python programming language, so your forensic workstation needs to "understand" Python to run it. You must have Python 3.6 or later installed.
    • How to install: You can download the graphical installer directly from Python.org. Crucial Step: If you use the graphical installer, you must check the box that says "Add Python.exe to PATH" at the bottom of the very first screen before clicking install!
    • Command Line Install: If you want to practice your command-line skills on Windows, you can open your Command Prompt and use the Windows Package Manager to install it simply by typing: winget install Python.Python.3
  • Git: This is a tool used by developers to download and manage code. We will use it to pull the latest version of Volatility straight from their official repository.

Installation Steps:

Open your Command Prompt (Windows) or Terminal (Mac/Linux) and follow these steps exactly:

  1. Download the Framework: You need to tell git to copy (clone) the entire Volatility 3 folder from the internet to your computer. Type this command and press Enter: git clone https://github.com/volatilityfoundation/volatility3.git
  2. Navigate to the Folder: Right now, your command line is looking at your default user folder. You need to "Change Directory" (cd) into the new Volatility folder you just downloaded so you can interact with it. Type: cd volatility3
  3. Install Dependencies: Volatility relies on several external Python libraries (mini-programs that help it do things like parse executable files or scan networks). We use Python's package installer, called pip, to download these automatically. Type the following command and press Enter: pip3 install --user -e ".[full]"
    • What does this do? The . tells pip to look in your current folder for instructions. The -e installs it in "editable" mode so you can easily update Volatility later without reinstalling everything. Finally, the [full] ensures that all optional tools (especially the ones required for advanced network scanning plugins) are fully installed.

Note

For the installation of dependencies, at the time of this writing, it is recommended to use a slightly older version of Python, 3.12, for full compatibility with all Volatility 3 dependencies. Otherwise some plugins may not install properly. The direct link to a compatible version: https://www.python.org/downloads/release/python-3120rc3/.

8.6.3 The Help System (-h)

The most important command in Volatility is the help flag. Because plugins change and update, you should not memorize them; you should know how to find them.

Global Help: To see the generic flags (like how to save output to a file): python3 vol.py -h

Plugin Help: To list all available plugins for Windows: python3 vol.py windows -h

To get help on a specific plugin (e.g., how to use pslist): python3 vol.py windows.pslist -h This will show you specific arguments, such as how to filter by a specific Process ID (PID).

8.7 Key Forensic Plugins and Real-World Scenarios

Knowing the commands is only half the battle; a forensic examiner must know when to use them and how to interpret the output. These are the "Bread and Butter" plugins you will use in almost every investigation, along with the real-world scenarios that trigger their use.

1. Image Verification (windows.info) Before you begin hunting for malware, you must verify that Volatility is reading the memory dump correctly and applying the correct Symbol Tables.

  • The Command: python3 vol.py -f [Image.raw] windows.info
  • Real-World Scenario: A frantic IT administrator hands you a USB drive containing a raw memory dump from a compromised server, but in the chaos, they forgot to document the exact operating system build. Running windows.info establishes the baseline ground truth, identifying the OS version, architecture, and kernel pointers. If this plugin returns an error, do not proceed; all subsequent plugins will return garbage data.

2. Process Enumeration and DKOM (windows.pslist & windows.psscan) These two plugins are used together to catch sophisticated rootkits trying to hide from the operating system. To understand how they work, you must understand Direct Kernel Object Manipulation (DKOM).

Windows keeps track of all running programs using a doubly linked list in the kernel called the active process list (specifically, EPROCESS blocks). When a user opens Task Manager, or an examiner runs windows.pslist, Windows simply reads this connected chain of blocks from start to finish.

Advanced malware uses DKOM to alter this list. The malware reaches into the kernel and changes the "pointers" of the process before it and after it, essentially bridging the gap. The malware unlinks itself from the chain. It is still running in memory and consuming CPU, but to Task Manager and pslist, it no longer exists.

  • The Command (psscan): python3 vol.py -f [Image.raw] windows.psscan
  • Real-World Scenario: You suspect a system is infected with a stealthy rootkit. You run pslist and count 50 active processes. You then run psscan. Unlike pslist, psscan ignores the linked list entirely and "carves" through the raw memory bytes looking for the specific file signatures of EPROCESS headers. psscan returns 51 processes. That discrepancy—the single hidden process unlinked from the system—is your malware.

3. Process Trees (windows.pstree) Malware often behaves strangely in its parent-child relationships. The pstree plugin visually maps out which program launched which other program.

  • The Command: python3 vol.py -f [Image.raw] windows.pstree
  • Real-World Scenario: You are investigating a phishing attack where an employee clicked on an invoice attachment. By looking at the process tree, you notice AcroRd32.exe (Adobe Reader) is listed as the parent process for cmd.exe (Command Prompt). A PDF reader should never spawn a command prompt under normal operations. This visual anomaly instantly pinpoints the exact moment the PDF exploit triggered and executed malicious shell commands.

4. Malware Finder and Injected Code (windows.malfind) This plugin is your primary weapon for detecting "Fileless Malware" and Process Injection. It scans the memory for pages that are marked as both executable and writable (PAGE_EXECUTE_READWRITE), but crucially, are not backed by a legitimate file on the hard drive.

When malfind detects an anomaly, it outputs a hexadecimal dump of the suspicious memory region. The most critical thing to look for in this hex dump is the "MZ" Header.

"MZ" stands for Mark Zbikowski, one of the original architects of MS-DOS. In Windows, every single legitimate executable (.exe) or dynamic link library (.dll) file begins with the exact same two bytes of data: 4D 5A in hexadecimal, which translates to the ASCII characters MZ.

  • The Command: python3 vol.py -f [Image.raw] windows.malfind
  • Real-World Scenario: You see a completely normal-looking svchost.exe (a standard Windows service) running in your pslist. However, malfind flags this specific process and prints out a hex dump that starts with 4D 5A. This means malware has hollowed out the legitimate svchost.exe memory space and injected its own hidden, unbacked executable code into it. The malware is wearing svchost.exe like a disguise to fool the investigator.

5. Command Line Execution (windows.cmdline) Seeing a process running is helpful; knowing how it was instructed to run is forensic gold. This plugin extracts the exact command-line arguments used when the process was launched.

  • The Command: python3 vol.py -f [Image.raw] windows.cmdline
  • Real-World Scenario: Your pstree analysis reveals that powershell.exe was launched. PowerShell is a legitimate administrative tool, so its mere presence isn't inherently malicious. However, running cmdline reveals the execution string: powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -EncodedCommand aGVs.... This tells you the attacker bypassed security policies, hid the window from the user, and obfuscated their payload in Base64. You can now copy that Base64 string and decode it (using a tool like CyberChef) to see exactly what the attacker did.

6. Network Connections (windows.netstat vs. windows.netscan) Identifying network connections in memory allows you to map out Command and Control (C2) servers or lateral movement across a network. Volatility 3 offers two primary ways to do this:

  • windows.netstat: Queries the operating system's active tracking structures. It only shows what the OS explicitly knows is currently connected.

  • windows.netscan: Carves through the memory pools looking for network artifacts, potentially uncovering closed connections or connections deliberately hidden by rootkits.

  • The Command: python3 vol.py -f [Image.raw] windows.netscan

  • Real-World Scenario: You are tracking a suspected data exfiltration event. Using netscan, you identify an established connection over port 443 (HTTPS) to a foreign IP address. Crucially, the plugin associates this connection with Process ID (PID) 2048. You cross-reference PID 2048 with your pslist output and discover the process is notepad.exe. Since Notepad does not need internet access, you have definitively linked the malicious network beacon to an injected process.

8.8 Chapter Summary

Memory forensics allows us to see the system as it truly was: alive and running. We reviewed the Order of Volatility, reinforcing that RAM must be captured immediately after safety is assured, as it decays faster than disk evidence.

We explored the critical phase of Memory Acquisition, emphasizing the need to minimize the forensic footprint by running lightweight tools like DumpIt or WinPmem from external USB drives, ensuring we do not overwrite valuable evidence.

Finally, we deepened our understanding of Volatility 3, learning that it relies on Symbol Tables rather than static profiles to translate memory. We covered the installation process using Python and pip, and emphasized the importance of the -h flag to navigate the tool's capabilities. Through plugins like windows.info, psscan, and malfind, we learned how to verify the image and then hunt for invisible processes and injected code that do not exist on the hard drive.