Analyze volatile memory dumps using Volatility 3 to extract running processes, network connections, loaded modules, and evidence of malicious activity.

Tags: General, forensics, memory-forensics, volatility, ram-analysis, malware-detection, incident-response, scripts

# Performing Memory Forensics with Volatility 3

## When to Use
- When analyzing a RAM dump from a compromised or suspect system
- During incident response to identify running malware, injected code, or rootkits
- When you need to extract credentials, encryption keys, or network connections from memory
- For detecting process hollowing, DLL injection, or hidden processes
- When disk-based forensics alone is insufficient and volatile data is critical

## Prerequisites
- Python 3.7+ installed
- Volatility 3 framework installed (`pip install volatility3`)
- Memory dump in raw, ELF, or crash dump format
- Appropriate symbol tables (ISF files) for the target OS version
- Sufficient disk space for analysis output (2-3x memory dump size)
- Optional: YARA rules for malware scanning in memory

## Workflow

### Step 1: Acquire Memory Dump and Install Volatility 3

```bash
# Install Volatility 3
pip install volatility3

# Or install from source for latest features
git clone https://github.com/volatilityfoundation/volatility3.git
cd volatility3
pip install -e .

# Download Windows symbol tables (ISF packs)
# Place in volatility3/symbols/ directory
wget https://downloads.volatilityfoundation.org/volatility3/symbols/windows.zip
unzip windows.zip -d /opt/volatility3/volatility3/symbols/

# Download Linux and Mac symbol packs
wget https://downloads.volatilityfoundation.org/volatility3/symbols/linux.zip
wget https://downloads.volatilityfoundation.org/volatility3/symbols/mac.zip

# Memory acquisition tools (for live systems):
# Windows: winpmem, DumpIt, FTK Imager
# Linux: LiME (Linux Memory Extractor)
sudo insmod lime-$(uname -r).ko "path=/cases/memory/linux_mem.lime format=lime"

# Verify the memory dump
file /cases/case-2024-001/memory/memory.raw
ls -lh /cases/case-2024-001/memory/memory.raw
```

### Step 2: Identify the Operating System Profile

```bash
# Run banners plugin to identify the OS
vol -f /cases/case-2024-001/memory/memory.raw banners

# For Windows, identify the OS version
vol -f /cases/case-2024-001/memory/memory.raw windows.info

# Output example:
# Variable        Value
# Kernel Base     0xf8047e200000
# DTB             0x1ad000
# Symbols         ntkrnlmp.pdb/GUID
# Is64Bit         True
# IsPAE           False
# primary layer   Intel32e
# KdVersionBlock  0xf8047ee232c0
# Major/Minor     15.19041
# Machine Type    34404
# KeNumberProcessors 4
# SystemTime      2024-01-18 14:32:15 UTC
# NtBuildLab      19041.1.amd64fre.vb_release.191206-1406
# NtProductType   NtProductWinNt
# NtSystemRoot    C:\WINDOWS
# PE MajorOperatingSystemVersion 10
# PE MinorOperatingSystemVersion 0

# For Linux memory dumps
vol -f /cases/case-2024-001/memory/linux_mem.lime linux.info
```

### Step 3: Enumerate Processes and Detect Anomalies

```bash
# List all running processes
vol -f /cases/case-2024-001/memory/memory.raw windows.pslist | tee /cases/case-2024-001/analysis/pslist.txt

# Show process tree (parent-child relationships)
vol -f /cases/case-2024-001/memory/memory.raw windows.pstree | tee /cases/case-2024-001/analysis/pstree.txt

# Detect hidden processes using cross-view analysis
vol -f /cases/case-2024-001/memory/memory.raw windows.psscan | tee /cases/case-2024-001/analysis/psscan.txt

# Compare pslist vs psscan to find hidden processes (column 1 is the PID in both).
# psscan also carves terminated processes, so check the ExitTime column of each
# psscan-only entry before treating it as hidden.
diff <(vol -f /cases/case-2024-001/memory/memory.raw windows.pslist | awk '{print $1}' | sort) \
     <(vol -f /cases/case-2024-001/memory/memory.raw windows.psscan | awk '{print $1}' | sort)

# List DLLs loaded by a suspicious process (PID 4532)
vol -f /cases/case-2024-001/memory/memory.raw windows.dlllist --pid 4532

# Check for process hollowing and injection
vol -f /cases/case-2024-001/memory/memory.raw windows.malfind | tee /cases/case-2024-001/analysis/malfind.txt

# Dump suspicious process memory for further analysis
# (-o/--output-dir is a framework option and must come before the plugin name)
vol -f /cases/case-2024-001/memory/memory.raw -o /cases/case-2024-001/analysis/dumps/ \
   windows.memmap --pid 4532 --dump
```
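The pslist/psscan comparison above is easier to trust when exited processes are separated from genuinely unlinked ones. This added Python example (not part of the original skill) parses the two plugins' tab-separated text output and does that split; the sample rows are constructed, not a real capture.

```python
"""Cross-view check: PIDs that windows.psscan (pool-tag carving) recovers but
windows.pslist (EPROCESS list walk) does not, split by whether they had exited."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    name: str
    exit_time: str  # "N/A" while the process is still running


def parse_vol_table(text: str) -> list[Proc]:
    """Parse the tab-separated text output of windows.pslist / windows.psscan
    (PID PPID ImageFileName Offset Threads Handles SessionId Wow64 CreateTime
    ExitTime 'File output'); banner, blank and header rows are skipped."""
    procs = []
    for line in text.splitlines():
        cols = line.split("\t")
        if len(cols) >= 10 and cols[0].isdigit():
            procs.append(Proc(int(cols[0]), int(cols[1]), cols[2], cols[9].strip()))
    return procs


def cross_view(pslist_text: str, psscan_text: str) -> tuple[list[Proc], list[Proc]]:
    """Return (hidden, terminated). A scan-only PID with no exit time is the real
    finding (unlinked from the active list); one with an exit time is most likely
    a dead process whose EPROCESS has not been overwritten yet."""
    listed = {p.pid for p in parse_vol_table(pslist_text)}
    hidden, terminated = [], []
    for p in parse_vol_table(psscan_text):
        if p.pid not in listed:
            (terminated if p.exit_time != "N/A" else hidden).append(p)
    return hidden, terminated


# Constructed sample output in Volatility 3's text-renderer layout (not a real capture).
HEADER = ("PID\tPPID\tImageFileName\tOffset(V)\tThreads\tHandles\tSessionId\tWow64"
          "\tCreateTime\tExitTime\tFile output")


def row(pid: int, ppid: int, name: str, exit_time: str = "N/A") -> str:
    return "\t".join([str(pid), str(ppid), name, "0x0", "4", "-", "1", "False",
                      "2024-01-18 14:00:00.000000 ", exit_time, "Disabled"])


PSLIST = "\n".join(["Volatility 3 Framework 2.5.0", "", HEADER, row(4, 0, "System"),
                    row(620, 4, "smss.exe"), row(712, 620, "csrss.exe")])
PSSCAN = "\n".join([PSLIST, row(4532, 712, "svchost.exe"),                          # unlinked
                    row(3900, 712, "notepad.exe", "2024-01-18 14:20:00.000000 ")])  # exited
```

Feed it the saved pslist.txt and psscan.txt instead of the samples; only the `hidden` list needs manual follow-up with dlllist and malfind.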

### Step 4: Analyze Network Connections and Registry

```bash
# List active network connections
vol -f /cases/case-2024-001/memory/memory.raw windows.netscan | tee /cases/case-2024-001/analysis/netscan.txt

# Filter for established connections
vol -f /cases/case-2024-001/memory/memory.raw windows.netscan | grep ESTABLISHED

# Filter for listening ports
vol -f /cases/case-2024-001/memory/memory.raw windows.netscan | grep LISTENING

# Extract network connections with process mapping
vol -f /cases/case-2024-001/memory/memory.raw windows.netstat | tee /cases/case-2024-001/analysis/netstat.txt

# Dump registry hives from memory
vol -f /cases/case-2024-001/memory/memory.raw windows.registry.hivelist

# Extract specific registry keys
vol -f /cases/case-2024-001/memory/memory.raw windows.registry.printkey \
   --key "Software\Microsoft\Windows\CurrentVersion\Run"

# Check services
vol -f /cases/case-2024-001/memory/memory.raw windows.svcscan | tee /cases/case-2024-001/analysis/services.txt
```
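As an added example (not from the original skill), this Python script parses windows.netscan text output and groups ESTABLISHED connections to non-internal peers by the owning process, which is the list worth walking first; the internal address ranges and the sample rows are assumptions constructed for the example.

```python
"""Triage of windows.netscan output: ESTABLISHED connections that leave the
internal address space, grouped by the process that owns the socket."""
from __future__ import annotations
import ipaddress
from collections import namedtuple

# Ranges treated as internal: an assumption for this example, adjust to the case.
# Explicit networks rather than ip.is_private, so TEST-NET addresses count as external.
INTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]

Conn = namedtuple("Conn", "proto local lport remote rport state pid owner")


def parse_netscan(text: str) -> list[Conn]:
    """Parse tab-separated windows.netscan text (Offset Proto LocalAddr LocalPort
    ForeignAddr ForeignPort State PID Owner Created); UDP rows have an empty State."""
    conns = []
    for line in text.splitlines():
        c = line.split("\t")
        if len(c) < 10 or not c[0].startswith("0x"):
            continue  # banner, blank or header row
        rport = int(c[5]) if c[5].isdigit() else 0
        pid = int(c[7]) if c[7].isdigit() else -1  # -1: owner not resolved
        conns.append(Conn(c[1], c[2], int(c[3]), c[4], rport, c[6], pid, c[8]))
    return conns


def is_internal(addr: str) -> bool:
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:  # '*' or another non-address placeholder
        return True
    return any(ip in net for net in INTERNAL)


def external_established(conns: list[Conn]) -> dict[str, list[Conn]]:
    """Owner process -> its ESTABLISHED connections to non-internal peers."""
    out: dict[str, list[Conn]] = {}
    for c in conns:
        if c.state == "ESTABLISHED" and not is_internal(c.remote):
            out.setdefault(c.owner, []).append(c)
    return out


# Constructed sample in Volatility 3's text-renderer layout (not a real capture).
NETSCAN = "\n".join([
    "Volatility 3 Framework 2.5.0", "",
    "Offset\tProto\tLocalAddr\tLocalPort\tForeignAddr\tForeignPort\tState\tPID\tOwner\tCreated",
    "0x1a0\tTCPv4\t10.0.2.15\t49712\t203.0.113.50\t443\tESTABLISHED\t4532\tsvchost.exe\t2024-01-18 14:30:01.000000 ",
    "0x1b0\tTCPv4\t10.0.2.15\t49801\t10.0.2.20\t445\tESTABLISHED\t4\tSystem\t2024-01-18 14:31:00.000000 ",
    "0x1d0\tUDPv4\t0.0.0.0\t137\t*\t0\t\t1284\tsvchost.exe\t2024-01-18 14:01:05.000000 ",
])
```

Pair each flagged owner with its PID from pslist and its command line from windows.cmdline before drawing conclusions; svchost.exe reaching the internet is normal for some service groups and suspicious for others.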

### Step 5: Extract Credentials and Sensitive Data

```bash
# Dump cached credentials (hashdump)
vol -f /cases/case-2024-001/memory/memory.raw windows.hashdump | tee /cases/case-2024-001/analysis/hashes.txt

# Extract LSA secrets
vol -f /cases/case-2024-001/memory/memory.raw windows.lsadump

# Dump cached domain credentials
vol -f /cases/case-2024-001/memory/memory.raw windows.cachedump

# Map plaintext strings back to their owning process. windows.strings does not
# extract strings itself; it needs a strings(1) listing with decimal offsets (-td)
strings -td /cases/case-2024-001/memory/memory.raw > /cases/case-2024-001/analysis/strings.txt
vol -f /cases/case-2024-001/memory/memory.raw windows.strings \
   --strings-file /cases/case-2024-001/analysis/strings.txt --pid 4532 \
   | grep -iE '(password|credential|token|api.key)'

# Show the command line each process was started with (cmd.exe/powershell.exe
# arguments frequently reveal what a suspicious process was launched to do)
vol -f /cases/case-2024-001/memory/memory.raw windows.cmdline | tee /cases/case-2024-001/analysis/cmdline.txt

# Extract environment variables
vol -f /cases/case-2024-001/memory/memory.raw windows.envars --pid 4532
```

### Step 6: Scan for Malware with YARA Rules

```bash
# Scan memory with YARA rules
vol -f /cases/case-2024-001/memory/memory.raw yarascan \
   --yara-file /opt/yara-rules/malware_index.yar | tee /cases/case-2024-001/analysis/yara_hits.txt

# Scan one process's memory. The generic yarascan plugin has no --pid option;
# windows.vadyarascan walks the process's VAD regions instead
vol -f /cases/case-2024-001/memory/memory.raw windows.vadyarascan \
   --yara-file /opt/yara-rules/apt_rules.yar --pid 4532

# Check loaded kernel modules for rootkits
vol -f /cases/case-2024-001/memory/memory.raw windows.modules | tee /cases/case-2024-001/analysis/modules.txt

# Detect unlinked/hidden modules
vol -f /cases/case-2024-001/memory/memory.raw windows.modscan | tee /cases/case-2024-001/analysis/modscan.txt

# Check for SSDT hooks (System Service Descriptor Table)
vol -f /cases/case-2024-001/memory/memory.raw windows.ssdt | grep -v "ntoskrnl\|win32k"

# Dump a suspicious executable from memory
# (-o/--output-dir is a framework option and must come before the plugin name)
vol -f /cases/case-2024-001/memory/memory.raw -o /cases/case-2024-001/analysis/extracted/ \
   windows.dumpfiles --pid 4532
```

### Step 7: Compile Findings into a Report

```bash
# Generate comprehensive analysis summary
echo "=== MEMORY FORENSICS REPORT ===" > /cases/case-2024-001/analysis/memory_report.txt
echo "Image: memory.raw" >> /cases/case-2024-001/analysis/memory_report.txt
echo "OS: Windows 10 Build 19041" >> /cases/case-2024-001/analysis/memory_report.txt
echo "" >> /cases/case-2024-001/analysis/memory_report.txt

echo "--- Suspicious Processes ---" >> /cases/case-2024-001/analysis/memory_report.txt
cat /cases/case-2024-001/analysis/malfind.txt >> /cases/case-2024-001/analysis/memory_report.txt

echo "--- Network Connections ---" >> /cases/case-2024-001/analysis/memory_report.txt
cat /cases/case-2024-001/analysis/netscan.txt >> /cases/case-2024-001/analysis/memory_report.txt

echo "--- YARA Matches ---" >> /cases/case-2024-001/analysis/memory_report.txt
cat /cases/case-2024-001/analysis/yara_hits.txt >> /cases/case-2024-001/analysis/memory_report.txt

# Calculate hash of the memory dump for integrity
sha256sum /cases/case-2024-001/memory/memory.raw >> /cases/case-2024-001/analysis/memory_report.txt
```

## Key Concepts

| Concept | Description |
|---------|-------------|
| Volatile data | Information that exists only in RAM and is lost when power is removed |
| Proce
