Memory Analysis with Volatility
The Volatility Framework is the de facto standard for memory forensics. The commands below use the Volatility 2 command-line syntax, where the target OS profile is selected with --profile after identifying it with imageinfo:
Basic Volatility Commands:
# Identify memory image profile
volatility -f memory.dmp imageinfo
# List running processes
volatility -f memory.dmp --profile=Win7SP1x64 pslist
# Show process tree
volatility -f memory.dmp --profile=Win7SP1x64 pstree
# Display network connections
volatility -f memory.dmp --profile=Win7SP1x64 netscan
# Extract registry hives
volatility -f memory.dmp --profile=Win7SP1x64 hivelist
Advanced Analysis Techniques:
Process Hollowing Detection:
# Compare process executables in memory vs disk
volatility -f memory.dmp --profile=Win7SP1x64 procdump -p [PID] -D output/
# Then hash the dumped executable and compare it with the executable on disk; a mismatch suggests the process image was replaced (expect small differences from in-memory relocation and import resolution)
Hidden Process Detection:
# Cross-reference multiple process listings
volatility -f memory.dmp --profile=Win7SP1x64 psxview
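To make the cross-referencing step concrete, here is an added example (not part of the original page or of Volatility itself) that parses Volatility 2 psxview text output and flags processes that are absent from pslist but still found by pool scanning and have no exit time, the classic sign of a DKOM-unlinked process. The sample psxview output is constructed, including the process names and PIDs.

```python
"""Flag hidden-process candidates in Volatility 2 psxview output.

A process unlinked from the EPROCESS list drops out of 'pslist' but is
usually still found by pool scanning ('psscan'). Sample input below is
constructed, not taken from a real image."""

from dataclasses import dataclass
from typing import Optional

# Constructed sample of psxview output (column layout as printed by Volatility 2).
SAMPLE_PSXVIEW = """\
Offset(P)          Name                    PID pslist psscan thrdproc pspcid csrss session deskthrd ExitTime
------------------ -------------------- ------ ------ ------ -------- ------ ----- ------- -------- --------
0x000000003e0a5b30 svchost.exe            1176 True   True   True     True   True  True    True
0x000000003ddd7030 smss.exe                232 True   True   True     True   False False   False
0x000000003e1c2b40 hidden.exe             2244 False  True   True     True   True  True    True
0x000000003d9f6030 notepad.exe            3312 False  True   False    False  False False   False    2024-01-02 10:15:00 UTC+0000
"""

VIEWS = ["pslist", "psscan", "thrdproc", "pspcid", "csrss", "session", "deskthrd"]

@dataclass
class ProcRow:
    offset: str
    name: str
    pid: int
    views: dict                 # view name -> True/False as reported by psxview
    exit_time: Optional[str]    # trailing ExitTime column, None if empty

def parse_psxview(text):
    """Parse psxview text output into ProcRow records, skipping header lines."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 + len(VIEWS) or not parts[0].startswith("0x"):
            continue
        offset, name, pid = parts[0], parts[1], int(parts[2])
        flags = parts[3:3 + len(VIEWS)]
        views = {v: f == "True" for v, f in zip(VIEWS, flags)}
        exit_time = " ".join(parts[3 + len(VIEWS):]) or None
        rows.append(ProcRow(offset, name, pid, views, exit_time))
    return rows

def hidden_candidates(rows):
    """Rows absent from pslist but present in psscan and not exited.

    Exited processes legitimately vanish from pslist while lingering in
    pool memory, so an ExitTime excludes them from the hidden set."""
    return [r for r in rows
            if not r.views["pslist"] and r.views["psscan"] and r.exit_time is None]
```

Processes like smss.exe legitimately show False in the csrss/session/deskthrd columns, so only the pslist-versus-psscan disagreement is used as the signal here.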
Malware Behavior Analysis:
# Check for code injection
volatility -f memory.dmp --profile=Win7SP1x64 malfind
# Identify suspicious drivers
volatility -f memory.dmp --profile=Win7SP1x64 modscan