Memory Forensics with Volatility 3
Memory forensics is one of the most powerful techniques in the DFIR analyst's arsenal. RAM contains runtime state that never touches disk — active processes, network connections, encryption keys, and decrypted malware payloads.
Prerequisites
- Linux or Windows machine
- Python 3.8+
- A memory dump (.dmp, .raw, .vmem)
Installation
git clone https://github.com/volatilityfoundation/volatility3.git
cd volatility3
pip3 install -r requirements.txt
python3 setup.py install
Verify installation:
python3 vol.py --version
Step 1: Identify the OS Profile
python3 vol.py -f memory.dmp windows.info
This gives you the OS build, kernel, and architecture, which determine which plugins apply to the image.
Step 2: List Processes
# Standard process list
python3 vol.py -f memory.dmp windows.pslist
# Process tree (parent-child relationships)
python3 vol.py -f memory.dmp windows.pstree
# Detect hidden processes (hollowing, injection)
python3 vol.py -f memory.dmp windows.psscan
Tip: Compare pslist vs psscan output. Discrepancies often indicate process hiding via DKOM (Direct Kernel Object Manipulation).
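Automating the tip above, as an added example that is not part of Volatility 3 or of this page's commands: a script that parses saved pslist and psscan text output, reports PIDs only the pool scan found, and separates terminated processes (expected noise, since psscan also carves exited EPROCESS objects) from still-running ones that are unlinked from the active list. The column layout and the sample output are assumptions, constructed here.

```python
"""Added example, not part of Volatility 3: diff windows.pslist against
windows.psscan. Assumes the plugins' default text output, whose columns
start PID, PPID, ImageFileName and end CreateTime, ExitTime, File output,
with ExitTime shown as N/A for a running process. Sample output is
constructed (real output is tab separated; whitespace splitting covers both)."""
from typing import Dict, List

HDR = "PID PPID ImageFileName Offset(V) Threads Handles SessionId Wow64 CreateTime ExitTime File output"

PSLIST_OUT = f"""Volatility 3 Framework 2.5.0
{HDR}

4 0 System 0xfa8000cb3040 86 544 N/A False 2023-03-01 10:00:00.000000 N/A Disabled
512 4 smss.exe 0xfa80012ce740 2 29 N/A False 2023-03-01 10:00:01.000000 N/A Disabled
1820 620 explorer.exe 0xfa8002aa1b30 22 810 1 False 2023-03-01 10:01:30.000000 N/A Disabled
"""

# psscan carves EPROCESS objects from pool memory, so it also returns an exited
# process (2308) and a running one unlinked from the active list (3344).
PSSCAN_OUT = PSLIST_OUT + """\
2308 1820 notepad.exe 0xfa8002f10b30 0 0 1 False 2023-03-01 10:05:00.000000 2023-03-01 10:06:12.000000 Disabled
3344 512 svchost.exe 0xfa8003011060 5 120 0 False 2023-03-01 10:07:00.000000 N/A Disabled
"""

def parse_procs(output: str) -> Dict[int, dict]:
    """Map PID -> {ppid, name, exited} from one plugin's text output."""
    procs = {}
    for line in output.splitlines():
        parts = line.split()
        # Data rows begin with two integers (PID, PPID); skip banner/header/blank lines.
        if len(parts) < 4 or not (parts[0].isdigit() and parts[1].isdigit()):
            continue
        procs[int(parts[0])] = {
            "ppid": int(parts[1]),
            "name": parts[2],
            "exited": parts[-2] != "N/A",  # ExitTime token just before 'File output'
        }
    return procs

def psscan_only(pslist_out: str, psscan_out: str) -> Dict[int, dict]:
    """Processes the pool scan found but the EPROCESS list walk did not."""
    listed = parse_procs(pslist_out)
    return {pid: p for pid, p in parse_procs(psscan_out).items() if pid not in listed}

def suspicious_hidden(pslist_out: str, psscan_out: str) -> List[int]:
    """psscan-only processes with no ExitTime: still running yet unlinked
    from the active process list, the DKOM pattern the tip describes.
    Exited processes lingering in pool memory are expected noise."""
    return sorted(pid for pid, p in psscan_only(pslist_out, psscan_out).items()
                  if not p["exited"])
```

Feed it the output of the two commands saved to files; a PID reported by suspicious_hidden deserves a windows.dlllist and windows.malfind pass next.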
Step 3: Analyze Command Lines
python3 vol.py -f memory.dmp windows.cmdline
Look for:
- powershell -enc (base64 encoded commands)
- cmd /c chains
- Unusual parent-child combos like Word.exe → cmd.exe
Step 4: Network Connections
python3 vol.py -f memory.dmp windows.netstat
What to look for:
| Indicator | Suspicion |
|---|---|
| Unusual port (4444, 1337, 8888) | Reverse shells |
| ESTABLISHED to foreign IP | Active C2 |
| Process = svchost.exe connecting out | Rare, suspicious |
Step 5: DLL and Module Analysis
# List loaded DLLs for a specific process
python3 vol.py -f memory.dmp windows.dlllist --pid 1234
# Detect injected code
python3 vol.py -f memory.dmp windows.malfind
malfind searches for memory regions with PAGE_EXECUTE_READWRITE permissions that contain PE headers — a classic sign of process injection.
Step 6: Extract Files
# Dump files referenced in memory
python3 vol.py -f memory.dmp windows.dumpfiles --pid 1234
# Dump a specific process executable
python3 vol.py -f memory.dmp windows.pslist --pid 1234 --dump
Submit the extracted files to VirusTotal or analyze them with Ghidra/IDA. Hash them first: a VirusTotal hash lookup tells you whether a sample is already known without uploading a file that may contain sensitive data.
Common Investigation Workflow
1. windows.info → Identify OS
2. windows.pstree → Understand process hierarchy
3. windows.psscan → Find hidden processes
4. windows.cmdline → Extract command lines
5. windows.netstat → Find network activity
6. windows.malfind → Locate injected code
7. windows.dumpfiles → Extract suspicious files