LAB L13 · DIGITAL FORENSICS · INTERMEDIATE

Memory Forensics with Volatility

Analyze a Windows memory dump using Volatility 3 on SIFT Workstation. Extract running processes, network connections, injected shellcode, registry artifacts, and use AI to identify malware families and map to ATT&CK.

90 min
🖥️ SIFT Workstation
🔧 Volatility 3 · Python · vol.py
🤖 AI Forensics Analysis
🔬 Lab Scenario

A workstation was behaving strangely — high CPU, unusual outbound connections. The endpoint was isolated and a memory dump taken before shutdown. You have the raw memory image and need to determine what was running, what network connections were active, and whether malware was present — all without booting the system.

Phase 0 — Setup & Memory Acquisition
Get your memory image and verify Volatility is ready
Install Volatility 3 and download a practice memory image
Volatility 3 works on Python 3 and doesn't require profile selection
# Volatility 3 is pre-installed on SIFT, or install manually:
pip3 install volatility3

# Download practice images from volatility's own test suite:
mkdir -p ~/labs/L13 && cd ~/labs/L13
# Option 1: Volatility Foundation sample images
wget "https://downloads.volatilityfoundation.org/security/2014/cridex.raw.gz" -O cridex.raw.gz && gunzip cridex.raw.gz
# Option 2: Digital Corpora (requires registration)
# Option 3: Use a memory dump you created from your own lab VM
Verify image integrity and identify OS
Always hash evidence files — chain of custody starts here
sha256sum cridex.raw | tee hash_log.txt
# Volatility 3 auto-detects OS — no profile needed
python3 -m volatility3 -f cridex.raw windows.info.Info
Phase 1 — Process & Network Analysis
Map what was running and what was communicating
List processes and build the process tree
Spot anomalous parents, hidden processes, and masquerading
python3 -m volatility3 -f cridex.raw windows.pslist.PsList | tee pslist.txt
python3 -m volatility3 -f cridex.raw windows.pstree.PsTree | tee pstree.txt
python3 -m volatility3 -f cridex.raw windows.cmdline.CmdLine | tee cmdline.txt
# Look for: svchost without parent services.exe, explorer spawning cmd, random names
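The checks in the comment above can be turned into a small triage script. The following is an added example for this step, not code from the lab page or from the Volatility project; SAMPLE_PSLIST is constructed to mimic the tab-separated layout of Volatility 3's pslist output, and the parent/child baseline is the Windows XP one (the cridex image is XP), with the Vista-and-later parents allowed as well.

```python
"""Flag anomalous parent/child relationships and look-alike process names in
Volatility 3 windows.pslist.PsList output.

Added example for this lab step; it is not part of the lab page or the
Volatility project. SAMPLE_PSLIST is constructed for illustration and only
mimics the tab-separated layout of Vol3 (PID, PPID, ImageFileName, ...).
"""
import difflib

# Windows XP-era baseline (the cridex sample is XP). On Vista and later,
# services.exe and lsass.exe are children of wininit.exe, so both are allowed.
EXPECTED_PARENT = {
    "smss.exe": {"system"},
    "csrss.exe": {"smss.exe"},
    "winlogon.exe": {"smss.exe"},
    "services.exe": {"winlogon.exe", "wininit.exe"},
    "lsass.exe": {"winlogon.exe", "wininit.exe"},
    "svchost.exe": {"services.exe"},
    "spoolsv.exe": {"services.exe"},
}
# Names to compare against for typo-squatting (svch0st.exe, lsasss.exe, ...)
KNOWN_NAMES = set(EXPECTED_PARENT) | {"system", "explorer.exe", "cmd.exe", "wininit.exe"}

# Constructed sample; the dates and offsets are placeholders.
SAMPLE_PSLIST = """Volatility 3 Framework 2.5.0
Progress:  100.00\t\tPDB scanning finished
PID\tPPID\tImageFileName\tOffset(V)\tThreads\tHandles\tSessionId\tWow64\tCreateTime\tExitTime\tFile output

4\t0\tSystem\t0x823c8830\t55\t244\tN/A\tFalse\tN/A\tN/A\tDisabled
368\t4\tsmss.exe\t0x822f1020\t3\t19\tN/A\tFalse\t2024-01-15 09:00:01\tN/A\tDisabled
584\t368\tcsrss.exe\t0x822a0598\t9\t326\t0\tFalse\t2024-01-15 09:00:02\tN/A\tDisabled
608\t368\twinlogon.exe\t0x82298700\t23\t519\t0\tFalse\t2024-01-15 09:00:02\tN/A\tDisabled
652\t608\tservices.exe\t0x81e2ab28\t16\t243\t0\tFalse\t2024-01-15 09:00:03\tN/A\tDisabled
664\t608\tlsass.exe\t0x81e2a3b8\t24\t330\t0\tFalse\t2024-01-15 09:00:03\tN/A\tDisabled
824\t652\tsvchost.exe\t0x82311360\t20\t194\t0\tFalse\t2024-01-15 09:00:04\tN/A\tDisabled
1484\t608\texplorer.exe\t0x81e7bda0\t17\t415\t0\tFalse\t2024-01-15 09:00:09\tN/A\tDisabled
1640\t1484\tscvhost.exe\t0x820e8da0\t5\t39\t0\tFalse\t2024-01-15 09:12:41\tN/A\tDisabled
1700\t1484\tsvchost.exe\t0x820f2020\t4\t60\t0\tFalse\t2024-01-15 09:12:45\tN/A\tDisabled
1900\t1484\tcmd.exe\t0x81f3a7a0\t1\t30\t0\tFalse\t2024-01-15 09:14:10\tN/A\tDisabled
"""


def parse_pslist(text):
    """Return {pid: (ppid, image_name)}; banner, header and blank lines are skipped."""
    procs = {}
    for line in text.splitlines():
        cols = line.split("\t")
        if len(cols) < 3 or not cols[0].strip().isdigit():
            continue
        procs[int(cols[0])] = (int(cols[1]), cols[2].strip())
    return procs


def triage_processes(procs):
    """Return [(pid, name, reason)] for processes an analyst should look at first."""
    findings = []
    for pid, (ppid, name) in procs.items():
        lname = name.lower()
        parent = procs.get(ppid, (None, ""))[1].lower()
        expected = EXPECTED_PARENT.get(lname)
        if expected and parent not in expected:
            findings.append((pid, name, f"parent is '{parent or 'missing/exited'}' (PID {ppid}), "
                                        f"expected one of {sorted(expected)}"))
        if lname == "cmd.exe" and parent == "explorer.exe":
            findings.append((pid, name, "shell spawned by explorer.exe; check its cmdline and timing"))
        if lname not in KNOWN_NAMES:
            close = difflib.get_close_matches(lname, KNOWN_NAMES, n=1, cutoff=0.8)
            if close:
                findings.append((pid, name, f"name resembles '{close[0]}' but is not it (possible masquerading)"))
    return findings


if __name__ == "__main__":
    # Real use: triage_processes(parse_pslist(open("pslist.txt").read()))
    for pid, name, reason in triage_processes(parse_pslist(SAMPLE_PSLIST)):
        print(f"{pid:>6}  {name:<16} {reason}")
```

On the sample this flags the svchost.exe under explorer.exe, the scvhost.exe look-alike, and the cmd.exe spawned by explorer.exe, and stays quiet about the legitimately parented system processes. Feed it pslist.txt from the step above and tune EXPECTED_PARENT to the OS version reported by windows.info.Info.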
🤖 AI Analyst

Paste your pslist and pstree output. The AI will flag processes with suspicious parents, unusual names, wrong image paths, or characteristics of known malware families.

Analyze network connections
Find active C2 channels and listening backdoor ports
python3 -m volatility3 -f cridex.raw windows.netscan.NetScan | tee netscan.txt
python3 -m volatility3 -f cridex.raw windows.netstat.NetStat | tee netstat.txt
# Look for: ESTABLISHED connections to external IPs, unusual ports, processes not normally networked
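The same "look for" list, applied to netscan output, as an added example (not code from the lab page or from Volatility). SAMPLE_NETSCAN is constructed; its peer addresses are RFC 5737 documentation ranges so nothing here names a real host, and NO_NETWORK_EXPECTED is an analyst-tuned assumption rather than a rule of Windows.

```python
"""Pick out external and otherwise odd connections in Volatility 3
windows.netscan.NetScan output.

Added example (not from the lab page or Volatility). SAMPLE_NETSCAN is
constructed; peer addresses use RFC 5737 documentation ranges
(203.0.113.0/24, 198.51.100.0/24) so that nothing here points at a real host.
"""
import ipaddress

# Address space that is not an Internet peer. A hand-written list rather than
# ipaddress.is_private, because Python also classes the documentation ranges
# used in the sample as private, which would hide them from this triage.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fe80::/10", "fc00::/7")]

# Processes that, in this lab's baseline, have no business holding a socket.
# This is an assumption to tune per environment, not a property of Windows.
NO_NETWORK_EXPECTED = {"notepad.exe", "calc.exe", "mspaint.exe", "wordpad.exe"}

# Constructed sample in Vol3's tab-separated layout (header names are the real ones).
SAMPLE_NETSCAN = """Volatility 3 Framework 2.5.0
Offset\tProto\tLocalAddr\tLocalPort\tForeignAddr\tForeignPort\tState\tPID\tOwner\tCreated

0x2088a118\tTCPv4\t172.16.112.128\t1038\t203.0.113.140\t8080\tESTABLISHED\t1484\texplorer.exe\tN/A
0x2088b2c0\tTCPv4\t172.16.112.128\t1037\t198.51.100.21\t443\tCLOSED\t1484\texplorer.exe\tN/A
0x2088c008\tTCPv4\t0.0.0.0\t445\t0.0.0.0\t0\tLISTENING\t4\tSystem\tN/A
0x2088d110\tUDPv4\t0.0.0.0\t1025\t*\t0\t\t1032\tsvchost.exe\tN/A
0x2088e220\tTCPv4\t172.16.112.128\t1040\t172.16.112.1\t139\tESTABLISHED\t4\tSystem\tN/A
0x2088f330\tTCPv4\t172.16.112.128\t1041\t203.0.113.9\t8443\tESTABLISHED\t1720\tnotepad.exe\tN/A
"""


def is_internal(addr):
    """True for private/loopback/unspecified addresses and for netscan's '*' or 'N/A'."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return True
    return any(ip in net for net in INTERNAL_NETS)


def parse_netscan(text):
    """Yield one dict per row, keyed by the header names Vol3 prints."""
    header = None
    for line in text.splitlines():
        cols = line.split("\t")
        if header is None:
            if cols[0] == "Offset":
                header = cols
            continue
        if len(cols) != len(header):   # banner, blank and wrapped lines
            continue
        yield dict(zip(header, cols))


def triage_netscan(text):
    """Return rows with an external peer, tagged with why they matter."""
    hits = []
    for row in parse_netscan(text):
        if is_internal(row["ForeignAddr"]):
            continue
        reasons = ["external peer"]
        if row["State"] == "ESTABLISHED":
            reasons.append("live at capture time")
        if row["Owner"].lower() in NO_NETWORK_EXPECTED:
            reasons.append("process not expected to use the network")
        hits.append({
            "pid": int(row["PID"]) if row["PID"].isdigit() else None,
            "owner": row["Owner"],
            "peer": f'{row["ForeignAddr"]}:{row["ForeignPort"]}',
            "state": row["State"],
            "reasons": reasons,
        })
    return hits


if __name__ == "__main__":
    # Real use: triage_netscan(open("netscan.txt").read())
    for h in triage_netscan(SAMPLE_NETSCAN):
        print(f'{h["pid"]:>6}  {h["owner"]:<14} {h["peer"]:<22} {h["state"]:<12} {"; ".join(h["reasons"])}')
```

Listeners and LAN peers drop out, leaving only the rows worth a threat-intel lookup. Note that CLOSED sockets still carried by netscan are worth keeping: they show where a process talked before the capture even if the channel was torn down.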
🤖 AI Analyst

Paste your netscan output including all external connections. The AI will identify potential C2 IPs, explain why certain process→network combinations are suspicious, and suggest threat intel lookups.

Extract DLLs and loaded modules for a suspicious process
See exactly what code a process has loaded
# Replace 1484 with the PID of your suspicious process
python3 -m volatility3 -f cridex.raw windows.dlllist.DllList --pid 1484 | tee dlllist_1484.txt
python3 -m volatility3 -f cridex.raw windows.handles.Handles --pid 1484 | tee handles_1484.txt
Phase 2 — Malware Detection
Find injected code, hollowed processes, and rootkit artifacts
Scan for code injection with malfind
Malfind identifies memory regions with suspicious characteristics
Malfind looks for memory regions that are: executable, not backed by a file on disk, and contain code (PE headers or shellcode patterns).
python3 -m volatility3 -f cridex.raw windows.malfind.Malfind | tee malfind.txt
# Volatility 3 takes the output directory as the global -o option before the plugin name (--dump-dir is Volatility 2 syntax)
python3 -m volatility3 -f cridex.raw -o ./dumps/ windows.malfind.Malfind --dump
# Hash the dumps for VirusTotal lookup
md5sum ./dumps/*.dmp 2>/dev/null
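Malfind's dumps usually contain a few regions that are committed but all zeros (a common false positive) alongside the genuinely interesting ones. The following added example, which is not code from the lab page or from Volatility, sorts the dumped regions by what they contain and computes the hashes for the lookup step; the SAMPLES buffers are constructed, and in real use the input is the .dmp files under ./dumps/.

```python
"""Triage the region files that `windows.malfind.Malfind --dump` writes: separate
empty committed-but-unused regions from injected PE images and other code.

Added example (not lab or Volatility code). The byte buffers under SAMPLES
are constructed; real input is the .dmp files in the dump directory.
"""
import hashlib
import math
import os
import struct


def shannon_entropy(data):
    """Bits of entropy per byte: 0.0 for a constant buffer, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def classify_region(data):
    """'empty'   - all zeros, the usual malfind false positive
       'pe'      - MZ header whose e_lfanew points at a PE signature: injected image
       'mz-stub' - MZ without a valid PE signature: wiped or truncated header
       'opaque'  - anything else (shellcode, packed data, benign JIT); needs the disassembly"""
    if not data.strip(b"\x00"):
        return "empty"
    if data[:2] == b"MZ" and len(data) >= 0x40:
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
            return "pe"
        return "mz-stub"
    return "opaque"


def triage_region(data, name="<buffer>"):
    """Summarise one dumped region; md5 is kept because the lab's lookup step uses it."""
    return {
        "name": name,
        "size": len(data),
        "class": classify_region(data),
        "entropy": round(shannon_entropy(data), 2),
        "sha256": hashlib.sha256(data).hexdigest(),
        "md5": hashlib.md5(data).hexdigest(),
    }


def triage_dump_dir(dump_dir):
    """Triage every .dmp file in dump_dir, most interesting class first."""
    order = {"pe": 0, "mz-stub": 1, "opaque": 2, "empty": 3}
    results = []
    for fn in sorted(os.listdir(dump_dir)):
        if fn.endswith(".dmp"):
            with open(os.path.join(dump_dir, fn), "rb") as f:
                results.append(triage_region(f.read(), fn))
    return sorted(results, key=lambda r: order[r["class"]])


def make_fake_pe(size=0x200):
    """Constructed buffer: DOS header whose e_lfanew (offset 0x3C) points at 'PE\\0\\0'."""
    buf = bytearray(size)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)
    buf[0x80:0x84] = b"PE\x00\x00"
    return bytes(buf)


# Constructed stand-ins for three kinds of region malfind reports.
SAMPLES = {
    "zeros": bytes(0x1000),
    "pe": make_fake_pe(),
    "opaque": bytes(range(256)) * 4,
}


if __name__ == "__main__":
    rows = triage_dump_dir("./dumps") if os.path.isdir("./dumps") else \
        [triage_region(b, n) for n, b in SAMPLES.items()]
    for r in rows:
        print(f'{r["class"]:<8} {r["size"]:>8}  H={r["entropy"]:<5} {r["sha256"][:16]}...  {r["name"]}')
```

High-entropy 'opaque' regions are where packed or encrypted payloads tend to sit; low-entropy ones with a recognisable prologue in the malfind disassembly are more likely plain shellcode. Submit the sha256 rather than only the md5 when the lookup service accepts it.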
🤖 AI Analyst

Paste your malfind output (especially the hex dump sections). The AI will identify shellcode patterns, PE artifacts, and known malware injection signatures.

Analyze registry artifacts in memory
Find persistence keys without mounting a disk image
python3 -m volatility3 -f cridex.raw windows.registry.hivelist.HiveList | tee hivelist.txt
python3 -m volatility3 -f cridex.raw windows.registry.printkey.PrintKey --key "SOFTWARE\Microsoft\Windows\CurrentVersion\Run" | tee run_keys.txt
python3 -m volatility3 -f cridex.raw windows.registry.printkey.PrintKey --key "SYSTEM\CurrentControlSet\Services" | tee services.txt
Extract strings from a suspicious process memory
Find URLs, IPs, and configuration data embedded in process memory
python3 -m volatility3 -f cridex.raw -o ./dumps/ windows.memmap.Memmap --pid 1484 --dump
strings ./dumps/pid.1484.dmp | grep -iE "(http|ftp|\.exe|\.dll|HKEY|192\.168|10\.|password|cmd\.exe)" | sort -u | tee strings_1484.txt
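The grep above gets you a shortlist; the following added example (not code from the lab page) pulls the URLs, IPv4 addresses, Run-key paths and executable paths out of that strings output, deduplicates them, and defangs them for the report so nothing is clicked or resolved by accident. SAMPLE_STRINGS is constructed: addresses are documentation ranges, the hostname uses the reserved .invalid TLD, and the file name is a placeholder.

```python
"""Pull IOCs out of `strings` output for a process dump and defang them for the
report. Added example, not part of the lab page. SAMPLE_STRINGS is
constructed; addresses are documentation ranges and the domain is .invalid.
"""
import re

URL_RE = re.compile(r"\b(?:https?|ftp)://[^\s\"'<>]+", re.I)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
REG_RE = re.compile(r"\bHKEY_[A-Z_]+\\[^\s\"]+", re.I)
# Windows paths may contain spaces, so only line breaks and quoting are excluded.
PATH_RE = re.compile(r"\b[A-Za-z]:\\[^\"'<>|\r\n]+?\.(?:exe|dll)\b", re.I)

SAMPLE_STRINGS = """kernel32.dll
http://203.0.113.140:8080/gate/ping
https://updates.example.invalid/cfg.bin
C:\\Documents and Settings\\user\\Application Data\\updater_7f3.exe
HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
198.51.100.21
203.0.113.140
10.0.0.5
cmd.exe /c del
"""


def extract_iocs(text):
    """Return {'urls', 'ipv4', 'registry', 'paths'} lists, deduplicated in first-seen order."""
    found = {"urls": [], "ipv4": [], "registry": [], "paths": []}
    for line in text.splitlines():
        for key, rx in (("urls", URL_RE), ("registry", REG_RE), ("paths", PATH_RE)):
            for m in rx.findall(line):
                if m not in found[key]:
                    found[key].append(m)
        for m in IPV4_RE.findall(line):
            # The regex allows 999.999.999.999; drop anything with an octet over 255.
            if all(int(o) <= 255 for o in m.split(".")) and m not in found["ipv4"]:
                found["ipv4"].append(m)
    return found


def defang(ioc):
    """hxxp://203[.]0[.]113[.]140/ style, so the IOC cannot be clicked or resolved by accident."""
    return (ioc.replace("http://", "hxxp://").replace("https://", "hxxps://")
               .replace("ftp://", "fxp://").replace(".", "[.]"))


if __name__ == "__main__":
    # Real use: extract_iocs(open("strings_1484.txt").read())
    iocs = extract_iocs(SAMPLE_STRINGS)
    for key in ("urls", "ipv4"):
        for v in iocs[key]:
            print(f"{key:<9} {defang(v)}")
    for key in ("registry", "paths"):
        for v in iocs[key]:
            print(f"{key:<9} {v}")
```

Private addresses such as 10.0.0.5 are kept in the list deliberately: in a memory dump they often point at the internal host or share the malware staged from, which belongs in the report even though it is not a threat-intel lookup.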
🤖 AI Analyst

Paste the interesting strings extracted from the suspicious process. The AI will identify C2 domains, configuration data, malware family indicators, and extract actionable IOCs.

Phase 3 — AI Synthesis & Reporting
Compile findings into a forensic analysis report
Identify the malware family
Use all gathered evidence to fingerprint the malware
🤖 AI Analyst — Malware Identification

Share: suspicious process names and PIDs, network connections (IPs/domains), strings found in memory, injection artifacts from malfind, and registry persistence keys. The AI will identify the probable malware family and explain the evidence.

Map to MITRE ATT&CK
Document techniques observed for threat intel and detection
🤖 AI Analyst

List all malware behaviors observed (process injection, persistence, C2, credential access). The AI will map each to ATT&CK technique IDs and suggest detection opportunities.

Generate YARA rule from memory artifacts
Create a detection rule from the unique strings and patterns you found
🤖 AI Analyst

Share the unique strings, byte patterns from malfind, and process characteristics. The AI will write a YARA rule to detect this malware family in memory dumps or on disk.
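Whether the rule is drafted by hand or by the assistant, it has to be syntactically valid YARA with properly escaped strings and identifiers. The following added example (not code from the lab page) builds such a rule from the two kinds of artifact this lab collects: text strings from strings_1484.txt and byte patterns from the malfind hex dump. The sample strings and the hex patterns below are constructed placeholders, not signatures of any real family.

```python
"""Turn the strings and byte patterns collected in this lab into a YARA rule.

Added example, not from the lab page. SAMPLE_STRINGS and SAMPLE_HEX are
constructed stand-ins for what you would take from strings_1484.txt and the
malfind hex dump; the generated rule is plain text for yarac or yara-python.
"""
import re


def _ident(s):
    """YARA identifiers: letters, digits and underscore, not starting with a digit."""
    s = re.sub(r"[^A-Za-z0-9_]", "_", s)
    return s if s and not s[0].isdigit() else "r_" + s


def _escape(s):
    """Escape backslashes and quotes for a YARA text string."""
    return s.replace("\\", "\\\\").replace('"', '\\"')


def _hex_pattern(pat):
    """Accept bytes or a hex string with '??' wildcards; emit '{ 43 52 ?? 00 }'."""
    if isinstance(pat, (bytes, bytearray)):
        tokens = [f"{b:02x}" for b in pat]
    else:
        tokens = pat.lower().split()
        for t in tokens:
            if t != "??" and not re.fullmatch(r"[0-9a-f]{2}", t):
                raise ValueError(f"bad hex token {t!r}")
    return "{ " + " ".join(tokens) + " }"


def build_yara_rule(name, strings, hex_patterns, tags=("memory", "lab_L13"),
                    meta=None, min_strings=2):
    """Return YARA source: any hex pattern, or at least min_strings of the text strings."""
    if not strings and not hex_patterns:
        raise ValueError("need at least one string or hex pattern")
    lines = [f"rule {_ident(name)} : {' '.join(tags)}", "{"]
    if meta:   # an empty meta: section is a syntax error, so only emit it when populated
        lines.append("    meta:")
        for k, v in meta.items():
            lines.append(f'        {_ident(k)} = "{_escape(str(v))}"')
    lines.append("    strings:")
    for i, s in enumerate(strings):
        lines.append(f'        $s{i} = "{_escape(s)}" ascii wide')
    for i, h in enumerate(hex_patterns):
        lines.append(f"        $h{i} = {_hex_pattern(h)}")
    conds = []
    if hex_patterns:
        conds.append("any of ($h*)")
    if strings:
        n = min(min_strings, len(strings))
        conds.append(f"{n} of ($s*)" if n > 1 else "any of ($s*)")
    lines += ["    condition:", "        " + " or ".join(conds), "}"]
    return "\n".join(lines) + "\n"


# Constructed inputs; in the lab these come from strings_1484.txt and malfind.txt.
SAMPLE_STRINGS = ["/gate/ping", "updates.example.invalid",
                  "Software\\Microsoft\\Windows\\CurrentVersion\\Run"]
SAMPLE_HEX = [b"CRDX\x01\x00", "43 52 44 58 ?? 00"]

if __name__ == "__main__":
    print(build_yara_rule("cridex-like memory", SAMPLE_STRINGS, SAMPLE_HEX,
                          meta={"author": "lab L13", "source": "cridex.raw malfind + strings"}))
```

The condition deliberately avoids `uint16(0) == 0x5A4D`: a malfind region dump or a whole memory image does not start with an MZ header, so a file-oriented PE check would make the rule miss exactly the artifacts it was written from. Test the rule with `yara -r rule.yar ./dumps/` before relying on it, and expect to raise min_strings or drop generic strings (a Run-key path alone matches far too much) if it fires on clean dumps.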

Lab complete — write the forensic analysis report
Document your methodology and findings
✅ Memory image hashed and verified
✅ Process list analyzed — suspicious processes flagged
✅ Network connections mapped — C2 identified
✅ Malfind ran — injected code located
✅ Registry persistence keys extracted
✅ Process strings analyzed for IOCs
✅ Malware family identified
✅ ATT&CK mapping completed
✅ YARA rule generated
🤖 AI Analyst

Share all your findings and the AI will draft a complete memory forensics report.

Next: Lab L14 — Disk Forensics & Timeline Analysis

Move from memory to disk — forensic imaging, Autopsy, and super-timeline creation.
