Memory Forensics for Incident Response: Tools and Methodology Guide

The shift toward fileless and living-off-the-land techniques is not an accident of threat actor preference; it is a deliberate response to the improvement of file-based detection capabilities. As endpoint security tools became increasingly effective at detecting malicious executables through signature matching, behavioral analysis, and machine learning on file content, sophisticated attackers pivoted to techniques that deliver and execute payloads entirely within memory, using operating system features and legitimate tools rather than custom executables that can be scanned and flagged.

Living-off-the-land (LotL) attacks use native Windows binaries and scripting environments, including PowerShell, WMI, mshta.exe, certutil.exe, and rundll32.exe, to execute attacker-controlled code. Because these are legitimate, signed Microsoft binaries, signature-based detection cannot flag them as malicious; only behavioral analysis of what they are doing, which requires runtime observation, can detect abuse. Reflective DLL injection loads attacker-supplied DLLs into the address space of a legitimate process without writing the DLL to disk first, making the payload invisible to file-based scanners. Process hollowing creates a legitimate process in a suspended state, replaces its memory content with attacker shellcode, and resumes execution, resulting in a process that appears legitimate by name and signature but executes malicious code.

The types of evidence found exclusively in memory are extensive: decrypted payloads that a loader decrypted in memory but never wrote to disk, injected shellcode living in the memory space of a legitimate process, command-line arguments passed to processes that have since exited, network connections and DNS resolutions that occurred during the session, Kerberos tickets and NTLM hashes in LSASS memory, cleartext passwords for browser-stored credentials in Chrome or Firefox process memory, and registry key values loaded into memory that differ from their on-disk representation due to rootkit modification.

Memory forensics should be triggered in an IR workflow whenever the initial indicators suggest a sophisticated actor, when endpoint detection tools report process injection or in-memory execution, when a credentialed access event is suspected and disk analysis does not explain it, or when the timeline of infection cannot be reconstructed from disk artifacts alone. Building memory acquisition into IR playbooks as a standard step rather than an escalation option ensures that the decision to capture memory is made proactively during the first responder's arrival rather than after valuable volatile evidence has been lost to a reboot.

The order of volatility principle establishes that the most volatile evidence should be captured first, since it is most likely to be modified or lost. In digital forensics, RAM is at the top of the volatility hierarchy: it changes with every process execution, every network packet, and every user interaction, and it is completely destroyed by a system reboot or power cycle. CPU registers and cache are even more volatile but are impractical to capture in a forensic context; RAM is the practical starting point, followed by network state (active connections, ARP table, routing table), then running processes and open files, and finally disk content.

Acquisition tools for Windows include WinPmem (open source, outputs raw or AFF4 format), DumpIt (single executable, reliable on most Windows versions), Magnet RAM Capture (graphical interface, useful for field responders), and FTK Imager (includes memory acquisition alongside disk imaging, widely used in enterprise IR). All of these tools require administrator privileges and load a kernel driver to access physical memory pages; the driver itself modifies the memory image minimally by loading its own code. For this reason, acquire memory as early in the response process as possible, before running additional diagnostic tools that add more contamination.

Remote acquisition is preferable to on-site whenever the network path allows, because it minimizes physical access to the compromised system and reduces the risk of the attacker detecting the response activity through local process monitoring. Both WinPmem and DumpIt can be executed via remote administration tools like PSExec, Windows Remote Management, or endpoint management platforms, with output written to a network share on the investigation infrastructure. Verify that the network share path does not traverse the production network segment being investigated, to prevent introducing additional risk.

Acquiring memory from cloud VM instances requires platform-specific techniques. On AWS, Systems Manager Run Command can execute acquisition tools on a Windows or Linux instance and write output to S3; the equivalent on Azure is Azure Run Command. For Linux VMs in cloud environments, the LiME (Linux Memory Extractor) kernel module can be loaded via SSH or run command and used to dump memory to a file or network socket. Memory image formats include raw (a flat binary dump of physical memory in address order), LiME format (Linux-specific with a header), and AFF4 (a structured container format supporting compression and metadata). Volatility 3 can process raw and LiME format images natively; AFF4 images require conversion or the aff4-volatility plugin.

Volatility 3 is the current version of the Volatility memory forensics framework and represents a significant architectural improvement over Volatility 2. It is written in Python 3, uses type-based symbol tables rather than OS profiles for portability, and includes an improved plugin API that allows structured output piping between plugins. Installation requires Python 3.7 or later, the Volatility 3 repository from GitHub, and the dependencies listed in requirements.txt. Symbol tables for Windows analysis are downloaded automatically from Microsoft's symbol server on first use, or can be pre-downloaded and staged for offline environments by following the Volatility documentation.

The basic analysis workflow follows a consistent progression from system identification to process listing to network state to anomaly investigation. Begin with windows.info to confirm the OS version, build number, and basic system metadata, which also validates that the symbol tables loaded correctly. Follow with windows.pslist for a flat list of all processes with their PID, parent PID, creation time, and exit time (if applicable), then windows.pstree for the hierarchical parent-child view that makes anomalous process relationships visible at a glance. A PowerShell process spawned by a web server, a cmd.exe with a SYSTEM-level process as parent, or a legitimate process name running from an unexpected path are the types of anomalies that pstree surfaces immediately.

Essential plugins for initial triage are windows.cmdline (shows the full command line for each process, revealing encoded PowerShell payloads and unusual arguments), windows.netscan (enumerates current and recent network connections and sockets, including those from processes that have since exited), windows.malfind (identifies memory regions with read-write-execute permissions not backed by a mapped file, the primary indicator of injected shellcode), and windows.dlllist (lists loaded DLLs for a specified process, revealing injected DLLs that do not match the expected load list). Supplementary plugins include windows.handles (lists open handles for a process, useful for identifying accessed files and registry keys), windows.dumpfiles (extracts PE files or other files from memory to disk for further analysis with a disassembler or AV scanner), and windows.registry.hivelist with windows.registry.printkey for examining in-memory registry content.

A critical technique for detecting hidden processes is comparing the output of windows.pslist against windows.psscan. Windows.pslist walks the doubly-linked list of EPROCESS structures that the Windows kernel maintains; a rootkit can hide a process by unlinking it from this list. Windows.psscan scans physical memory for the EPROCESS structure pattern regardless of list membership, finding processes that have been unlinked from the active process list. Any process that appears in psscan output but not pslist output is hidden by a rootkit and requires immediate investigation. The reverse, a process appearing in pslist but not psscan, can indicate a very recently terminated process that was removed from the pool before the scan reached that memory address.

Process injection is the technique of loading and executing malicious code within the address space of a legitimate running process. It is used to evade process-based detection (the malicious code runs under a trusted process name), bypass application whitelisting (the host process is whitelisted), and avoid firewall rules (network connections appear to come from a trusted application). The major injection techniques each have characteristic memory artifacts that Volatility plugins can identify.

Classic DLL injection uses a sequence of VirtualAllocEx, WriteProcessMemory, and CreateRemoteThread API calls to allocate memory in the target process, write a DLL path into it, and create a remote thread that calls LoadLibrary with the injected path. The injected DLL appears in the target process's DLL list and is backed by a file on disk (the malicious DLL), making it visible to windows.dlllist. Reflective DLL injection uses a custom loader embedded in the DLL itself to map the DLL into memory without involving LoadLibrary or the Windows loader, resulting in memory regions that contain PE content but are not backed by a file in the standard module list. Process hollowing creates a legitimate process in PROCESS_CREATE_SUSPENDED state, unmaps its main executable from memory with NtUnmapViewOfSection, writes malicious code into the now-empty address space, and resumes the process; the process tree shows a legitimate process name but its memory content is replaced.

The windows.malfind plugin is the primary tool for identifying injected memory regions. It flags VAD (Virtual Address Descriptor) entries that have PAGE_EXECUTE_READWRITE permissions, that contain content starting with the MZ magic bytes indicating an embedded PE file, and that are not associated with a file-backed mapping. Because PAGE_EXECUTE_READWRITE is an unusual permission combination for legitimate code (normal PE sections are typically either executable or writable, not both), malfind catches a high proportion of injected shellcode and reflectively loaded DLLs. Not all malfind results are malicious: JIT compilers (Java, .NET, JavaScript engines) legitimately create executable writable memory regions, so filter these known-benign sources before investigating remaining hits.

Manual validation of malfind results involves examining the flagged memory region content using windows.memmap and windows.vadinfo for the specific process, confirming the presence of an MZ/PE header, and using windows.dumpfiles to extract the region for analysis with a disassembler or AV engine. For process hollowing, examining the VAD tree of a suspicious process with windows.vadinfo and comparing the base address of the main executable to the memory content at that address (which should match the legitimate executable but instead shows attacker shellcode) confirms the hollowing. The windows.pstree output provides the parent-child relationship context: a legitimate process created by an unusual parent is a strong secondary indicator of hollowing combined with suspicious memory content.

The Local Security Authority Subsystem Service (LSASS) is the primary target for credential theft on Windows systems because it maintains credentials for every interactively logged-on user in a format that tools like Mimikatz can extract. On systems without Credential Guard enabled, LSASS stores NTLM password hashes, Kerberos ticket-granting tickets (TGTs) and service tickets, and in some configurations (including older Windows versions with WDigest enabled), cleartext passwords. Accessing LSASS memory is the most reliable path to credential material for lateral movement, and it is among the most common techniques in modern intrusions.

Detecting Mimikatz execution and similar credential harvesting tools in memory involves several approaches. The most direct is examining the LSASS process's handle list with windows.handles; any external process holding a handle to LSASS with permissions including PROCESS_VM_READ is suspicious, since legitimate software rarely needs to read LSASS memory. If the Mimikatz process itself was running at the time of memory acquisition, it will appear in process listing output, though sophisticated operators rename the executable or use reflective loading to avoid a named process being visible. String searching in memory for known Mimikatz output strings, function names, or error messages can identify Mimikatz artifacts even when the process has exited.

Credential Guard, introduced in Windows 10 and Windows Server 2016, addresses LSASS dumping by running the credential storage portion (LSAIso) inside a virtualization-based security (VBS) enclave that even a process running as SYSTEM cannot access. With Credential Guard enabled, Mimikatz can still read the LSASS process but the credential material it finds is encrypted by the VBS enclave and cannot be decoded without access to the isolated environment. Deploying Credential Guard is one of the highest-impact single controls for reducing credential theft risk in Windows environments.

Kerberos ticket artifacts in memory are accessible through windows.cachedump and through third-party Volatility plugins that parse Kerberos ticket structures from LSASS memory. TGTs (Ticket-Granting Tickets) are particularly valuable to attackers because they can be used for Pass-the-Ticket attacks without knowing the account password. Cached domain credentials (the encrypted hashes stored locally to support domain authentication when a domain controller is unreachable) are stored in the registry under HKLM\Security\Cache and can be examined in memory using registry analysis plugins. Browser credential artifacts appear in the memory of the browser's main process or renderer processes: Chrome encrypts stored passwords using the DPAPI (Data Protection API), but the decryption key is accessible in browser process memory during an active session.

Memory forensics provides a network connection view that complements but differs from network log analysis. The windows.netscan plugin enumerates TCP and UDP endpoints by scanning memory for the data structures Windows uses to track socket state, including connections that may no longer appear in live network tool output because the connection has since closed or because a rootkit has removed it from the visible connection list. Connections in ESTABLISHED, TIME_WAIT, CLOSE_WAIT, and LISTEN states all appear in netscan output along with the owning process ID.

The most immediately valuable netscan output for IR purposes is established connections to external IP addresses from processes that have no legitimate reason for external connectivity. A svchost.exe instance connecting to an IP address in an unusual geographic region on port 443 deserves investigation, particularly if other svchost instances in the process listing do not have network connections. A legitimate process like notepad.exe or explorer.exe with an established connection is almost always indicative of process injection. Note the local port, remote IP, remote port, and PID for each suspicious connection, then cross-reference the PID against the process listing to confirm the process name and examine its cmdline and DLL list.

DNS resolution artifacts appear in memory in multiple locations: the Windows DNS client cache (accessible through windows.registry plugins targeting the DNSCache key), the process heap of the DNS client service, and the resolver cache in the browser or application process that initiated the lookup. Reconstructing the DNS queries a compromised system made during an intrusion from memory can reveal C2 domain names even when network logs are unavailable, because the DNS client caches responses for the duration of the TTL, and low-TTL C2 domains (a common technique to complicate blocklisting) often have entries in the cache from recent resolution.

Listening sockets in the LISTEN state visible in netscan output identify backdoors that an attacker installed to accept inbound connections. A process listening on an unusual high-numbered port or on a port that conflicts with its expected network role (a document viewer listening on a TCP port) is an immediate red flag. Comparing the listening socket list from the memory image against baseline documentation of expected listening services on the system type quickly surfaces anomalous listeners that represent implants or bind shells.

Correlating memory-derived network artifacts with firewall logs, proxy logs, and DNS logs from the network infrastructure creates a complete picture of C2 communication that neither data source alone can provide. Memory gives you the process-to-connection mapping that network logs lack; network logs give you the volume and timing of communication that memory cannot capture after the connections close. The combination is particularly powerful for characterizing beaconing behavior and estimating the duration of the compromise.

Linux memory forensics requires a different acquisition approach because Linux does not have a stable kernel-level interface for reading physical memory equivalent to Windows. The LiME (Linux Memory Extractor) kernel module is the standard acquisition tool: it is compiled as a loadable kernel module for the specific kernel version and configuration of the target system, loaded with insmod, and dumps memory to a file path or network socket. The requirement to compile for the specific kernel version means that pre-staging LiME modules for your common Linux distributions and kernel versions before an incident is important; compiling on the fly during an incident under time pressure with potential attacker observation is not ideal. On cloud Linux instances, the task is simplified by using the platform's run command capability to load a pre-staged module from a trusted S3 bucket or similar location.

Volatility 3 supports Linux memory analysis through its linux namespace of plugins, which require symbol files generated from the target system's kernel debug symbols. The equivalent of the Windows process analysis workflow on Linux uses linux.pslist (running processes), linux.pstree (process hierarchy), linux.netstat (network connections), linux.bash (reconstructed bash command history from process memory, which can recover commands even if the attacker cleared the bash history file), and linux.malfind for anomalous memory regions. Linux malware frequently uses LD_PRELOAD injection to intercept library calls by preloading a malicious shared library before the legitimate ones; this appears in memory as a shared library loaded by a process that has no corresponding entry in /proc/pid/maps backed by the expected library path.

MacOS memory forensics faces additional challenges introduced by Apple Silicon and T2 security chip hardware. Modern Macs with Apple Silicon running macOS in their default security configuration use Secure Boot and System Integrity Protection in ways that make kernel-level memory acquisition from user space impossible without disabling security features that Apple has made increasingly difficult to disable. Volatility does support macOS memory analysis with mac namespace plugins when an image can be obtained, but the acquisition problem on modern hardware is the primary constraint. Intel-based Macs without T2 chips remain more practical for memory forensics using traditional kernel extension approaches.

Container memory forensics involves acquiring memory from the host kernel (since containers share the host kernel on Linux), then using the process namespace and cgroup information in the memory image to identify which processes belong to which container. Docker container processes appear in the Linux process listing with their container ID visible through namespace inspection. Cloud workload memory forensics increasingly uses agent-based approaches where a security agent running inside the workload continuously captures process and memory metadata, providing forensic artifacts without requiring physical memory acquisition after the fact.