Tooling

Memory Forensics — Volatility & MemProcFS

Pulling secrets, processes, malware, and rootkits out of RAM dumps.

Memory forensics finds what disk forensics misses: in-memory-only malware, decrypted secrets, runtime injected modules, network connections that were never logged. For broader DFIR see DFIR (Velociraptor). For malware analysis sandboxes see Malware Analysis (Sandbox). For pulling creds from memory see Active Directory Pentesting (mimikatz / lsassy).

Acquisition

  • MemProcFS (Ulf Frisk) — mounts a memory image as a virtual filesystem; explorers / tools can walk it like a disk. Lightning fast and FOSS. The 2024–26 default for "give me a quick look at memory."
  • WinPMem / DumpIt / FTK Imager — Windows live memory acquisition.
  • LiME (Linux Memory Extractor) — Linux kernel-module memory dump.
  • AVML (Microsoft) — Linux memory acquisition.
  • OSXPmem (legacy) / sudo pmset -d for macOS; modern macOS is brutal — Apple has effectively closed memory dump on Apple Silicon.
  • VMware vmem / VirtualBox sav / Hyper-V vmrs — pulled directly from VM hypervisor; the easiest route in many labs.
  • Velociraptor — has memory-dump artifact packs.

Analysis frameworks

  • ★ ★ Volatility 3 — Python; the long-standing reference framework; 2024+ has caught up to v2's coverage and surpassed it on Linux / macOS. Free.
    • Profiles auto-generated from PDB symbols; less manual fiddling than v2.
    • Plugins: pslist, pstree, psscan, cmdline, dlllist, handles, netscan, malfind, hashdump, lsadump, cachedump, mimikatz, yarascan, hollowfind, consoles.
  • Volatility 2 — older; many community plugins still v2-only; keep installed alongside.
  • Rekall — Google's fork; effectively sunset.
  • MemProcFS — see above; pairs nicely with Volatility (dump → mount → walk + run plugins).
  • bulk_extractor — pull strings / emails / IPs / credit cards / pcap from memory or disk.

Specialised plugins / extensions

  • Volatility-Plugins (community) — there's a plugin for almost every artifact you can imagine.
  • vol3 community pluginsvol3 -f mem.raw windows.evtxlogs (extract event logs from RAM).
  • mimikatz volatility plugin — pull NTLM / Kerberos / DPAPI from a Windows memory image.
  • YARA over memoryvol3 -f mem.raw yarascan.YaraScan -r rules.yar.

Linux / macOS specifics

  • Volatility 3 Linux — much better in 2024+; works without recompiling profiles; uses dwarf2json.
  • dwarf2json — generates symbol tables for Volatility 3 from kernel debug data.
  • ELF / kernel modules / lsmod-style enumeration, /proc walking, eBPF artifact extraction.
  • macOS support is limited; Apple Silicon often impossible to acquire.

Live response (no full dump)

  • WinDbg LiveKD — kernel debugger live.
  • PSlist / Process Explorer / Process Hacker (System Informer) — quick triage.
  • Velociraptor live artifacts — collect specific structs without full dump.
  • OSQuery + memory plugins — see EDR / OSQuery.

Container / VM-aware memory

  • VMI (Volatility VMI mode) — analyse running VMs from outside.
  • DRAKVUF (CERT.PL) — agentless dynamic malware analysis via VMI.
  • Intel Pin / DynamoRIO — instrumentation.

Memory + YARA hunting

  • ★ Rule sets that target memory: floss-rules, ReversingLabs YARA, Neo23x0 signature-base.
  • Loki (Florian Roth) — IOC + YARA + Sigma scanner for memory + filesystem.
  • THOR / THOR Lite — paid + free APT scanners; YARA-driven.
  • Yara-Forge — auto-curated up-to-date rule packs.

What a typical memory triage finds

  • Hidden / unlinked processes (rootkits).
  • Injected DLLs / shellcode (Cobalt Strike beacons, Sliver implants).
  • Mimikatz-style credential artifacts.
  • Network connections to C2 not yet in NetFlow.
  • Decrypted strings / config blobs from dropped malware.
  • Browser cookies / sessions / decrypted password stores.

Pick this if…

  • Default Windows / Linux memory analysis: Volatility 3 + MemProcFS together.
  • Quick "browse memory like a disk": MemProcFS.
  • Acquire from running Windows: WinPMem or DumpIt.
  • Acquire from a VM: the hypervisor's vmem / sav / vmrs.
  • YARA-hunt memory: Loki, THOR, or vol3 yarascan.
  • Pull creds from a captured image: Volatility mimikatz plugin or hashdump.

On this page