memory-forensics

Memory Forensics

Comprehensive techniques for acquiring, analyzing, and extracting artifacts from memory dumps for incident response and malware analysis.

Use this skill when

  • Working on memory forensics tasks or workflows
  • Needing guidance, best practices, or checklists for memory forensics

Do not use this skill when

  • The task is unrelated to memory forensics
  • You need a different domain or tool outside this scope

Instructions

  • Clarify goals, constraints, and required inputs.
  • Apply relevant best practices and validate outcomes.
  • Provide actionable steps and verification.
  • If detailed examples are required, open resources/implementation-playbook.md.

Memory Acquisition

Live Acquisition Tools

Windows

```powershell
# WinPmem (Recommended)
winpmem_mini_x64.exe memory.raw

# DumpIt
DumpIt.exe

# Belkasoft RAM Capturer
# GUI-based, outputs raw format

# Magnet RAM Capture
# GUI-based, outputs raw format
```

Linux

```bash
# LiME (Linux Memory Extractor)
sudo insmod lime.ko "path=/tmp/memory.lime format=lime"

# /dev/mem (limited, requires permissions)
sudo dd if=/dev/mem of=memory.raw bs=1M

# /proc/kcore (ELF format)
# Note: /proc/kcore reports the whole kernel virtual address space as its size,
# so a plain cp reads far more than physical RAM; prefer LiME for full captures.
sudo cp /proc/kcore memory.elf
```

macOS

```bash
# osxpmem
sudo ./osxpmem -o memory.raw

# MacQuisition (commercial)
```

Virtual Machine Memory

```bash
# VMware: .vmem file is raw memory
cp vm.vmem memory.raw

# VirtualBox: Use debug console
vboxmanage debugvm "VMName" dumpvmcore --filename memory.elf

# QEMU
virsh dump <domain> memory.raw --memory-only

# Hyper-V
# Checkpoint contains memory state
```

Volatility 3 Framework

Installation and Setup

```bash
# Install Volatility 3
pip install volatility3

# Install symbol tables (Windows)
# (place the Windows symbol pack in volatility3's symbols directory, or point -s at it)

# Basic usage
vol -f memory.raw <plugin>

# With symbol path
vol -f memory.raw -s /path/to/symbols windows.pslist
```

Essential Plugins

Process Analysis

```bash
# List processes
vol -f memory.raw windows.pslist

# Process tree (parent-child relationships)
vol -f memory.raw windows.pstree

# Hidden process detection
vol -f memory.raw windows.psscan

# Process memory dumps
vol -f memory.raw windows.memmap --pid <PID> --dump

# Process environment variables
vol -f memory.raw windows.envars --pid <PID>

# Command line arguments
vol -f memory.raw windows.cmdline
```

Network Analysis

```bash
# Network connections
vol -f memory.raw windows.netscan

# Network connection state
vol -f memory.raw windows.netstat
```

DLL and Module Analysis

```bash
# Loaded DLLs per process
vol -f memory.raw windows.dlllist --pid <PID>

# Find hidden/injected DLLs
vol -f memory.raw windows.ldrmodules

# Kernel modules
vol -f memory.raw windows.modules

# Module dumps
vol -f memory.raw windows.moddump --pid <PID>
```

Memory Injection Detection

```bash
# Detect code injection
vol -f memory.raw windows.malfind

# VAD (Virtual Address Descriptor) analysis
vol -f memory.raw windows.vadinfo --pid <PID>

# Scan VAD regions with YARA rules (--yara-file takes a rules file;
# --yara-rules takes an inline rule string)
vol -f memory.raw windows.vadyarascan --yara-file rules.yar
```

Registry Analysis

```bash
# List registry hives
vol -f memory.raw windows.registry.hivelist

# Print registry key
vol -f memory.raw windows.registry.printkey --key "Software\Microsoft\Windows\CurrentVersion\Run"

# Dump registry hive
vol -f memory.raw windows.registry.hivescan --dump
```

File System Artifacts

```bash
# Scan for file objects
vol -f memory.raw windows.filescan

# Dump files from memory
vol -f memory.raw windows.dumpfiles --pid <PID>

# MFT analysis
vol -f memory.raw windows.mftscan
```

Linux Analysis

```bash
# Process listing
vol -f memory.raw linux.pslist

# Process tree
vol -f memory.raw linux.pstree

# Bash history
vol -f memory.raw linux.bash

# Network connections
vol -f memory.raw linux.sockstat

# Loaded kernel modules
vol -f memory.raw linux.lsmod

# Mount points
vol -f memory.raw linux.mount

# Environment variables
vol -f memory.raw linux.envars
```

macOS Analysis

```bash
# Process listing
vol -f memory.raw mac.pslist

# Process tree
vol -f memory.raw mac.pstree

# Network connections
vol -f memory.raw mac.netstat

# Kernel extensions
vol -f memory.raw mac.lsmod
```

Analysis Workflows

Malware Analysis Workflow

```bash
# 1. Initial process survey
vol -f memory.raw windows.pstree > processes.txt
vol -f memory.raw windows.pslist > pslist.txt

# 2. Network connections
vol -f memory.raw windows.netscan > network.txt

# 3. Detect injection
vol -f memory.raw windows.malfind > malfind.txt

# 4. Analyze suspicious processes
vol -f memory.raw windows.dlllist --pid <PID>
vol -f memory.raw windows.handles --pid <PID>

# 5. Dump suspicious executables
vol -f memory.raw windows.pslist --pid <PID> --dump

# 6. Extract strings from dumps
strings -a pid.<PID>.exe > strings.txt

# 7. YARA scanning (--yara-file takes a rules file; --yara-rules takes an inline rule string)
vol -f memory.raw windows.yarascan --yara-file malware.yar
```

Incident Response Workflow

```bash
# 1. Timeline of events (the timeliner plugin is top-level, not under windows.;
#    select the csv renderer so the redirected output really is CSV)
vol -f memory.raw -r csv timeliner.Timeliner > timeline.csv

# 2. User activity
vol -f memory.raw windows.cmdline
vol -f memory.raw windows.consoles

# 3. Persistence mechanisms
vol -f memory.raw windows.registry.printkey \
    --key "Software\Microsoft\Windows\CurrentVersion\Run"

# 4. Services
vol -f memory.raw windows.svcscan

# 5. Scheduled tasks
vol -f memory.raw windows.scheduled_tasks

# 6. Recent files
vol -f memory.raw windows.filescan | grep -i "recent"
```

Data Structures

Windows Process Structures

```c
// EPROCESS (Executive Process)
typedef struct _EPROCESS {
    KPROCESS Pcb;                    // Kernel process block
    EX_PUSH_LOCK ProcessLock;
    LARGE_INTEGER CreateTime;
    LARGE_INTEGER ExitTime;
    // ...
    LIST_ENTRY ActiveProcessLinks;   // Doubly-linked list
    ULONG_PTR UniqueProcessId;       // PID
    // ...
    PEB* Peb;                        // Process Environment Block
    // ...
} EPROCESS;

// PEB (Process Environment Block)
typedef struct _PEB {
    BOOLEAN InheritedAddressSpace;
    BOOLEAN ReadImageFileExecOptions;
    BOOLEAN BeingDebugged;           // Anti-debug check
    // ...
    PVOID ImageBaseAddress;          // Base address of executable
    PPEB_LDR_DATA Ldr;               // Loader data (DLL list)
    PRTL_USER_PROCESS_PARAMETERS ProcessParameters;
    // ...
} PEB;
```

VAD (Virtual Address Descriptor)

```c
typedef struct _MMVAD {
    MMVAD_SHORT Core;
    union {
        ULONG LongFlags;
        MMVAD_FLAGS VadFlags;
    } u;
    // ...
    PVOID FirstPrototypePte;
    PVOID LastContiguousPte;
    // ...
    PFILE_OBJECT FileObject;
} MMVAD;

// Memory protection flags
#define PAGE_EXECUTE           0x10
#define PAGE_EXECUTE_READ      0x20
#define PAGE_EXECUTE_READWRITE 0x40
#define PAGE_EXECUTE_WRITECOPY 0x80
```

Detection Patterns

Process Injection Indicators

Malfind indicators

  • PAGE_EXECUTE_READWRITE protection (suspicious)
  • MZ header in non-image VAD region
  • Shellcode patterns at allocation start

Common injection techniques

  1. Classic DLL Injection: VirtualAllocEx + WriteProcessMemory + CreateRemoteThread
  2. Process Hollowing: CreateProcess (SUSPENDED) + NtUnmapViewOfSection + WriteProcessMemory
  3. APC Injection: QueueUserAPC targeting alertable threads
  4. Thread Execution Hijacking: SuspendThread + SetThreadContext + ResumeThread
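The three malfind indicators above, applied as a triage pass over per-region data of the kind windows.vadinfo and malfind report. This is an added example for this page, not code from the skill file or from Volatility: the VadRegion records, the PAGE_READWRITE value 0x04 for the heap sample and the short prologue signature list are constructed assumptions, and the protection constants are the ones given on this page.

```python
"""Triage of VAD regions with the three malfind indicators from the text.
Added example, not part of the original skill file; VadRegion records are a
constructed stand-in for the fields windows.vadinfo and malfind report."""
from dataclasses import dataclass
from typing import List, Optional

# Protection constants as given on this page.
PAGE_EXECUTE = 0x10
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
EXECUTABLE = {PAGE_EXECUTE, PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY}

# Constructed function-prologue byte sequences (assumption: a real triage
# would carry a much larger signature set, e.g. the YARA rules later on).
PROLOGUES = (b"\x55\x8b\xec", b"\x48\x83\xec", b"\x48\x89\x5c\x24")


@dataclass
class VadRegion:
    pid: int
    start: int
    end: int
    protection: int             # PAGE_* constant
    mapped_file: Optional[str]  # None for private (non-image) allocations
    head: bytes                 # first bytes read from the region


def indicators(region: VadRegion) -> List[str]:
    """Return the names of the malfind indicators that fire on one region."""
    hits = []
    if region.protection == PAGE_EXECUTE_READWRITE:
        hits.append("rwx_protection")
    # An MZ header is expected in a mapped image; in a private region it
    # usually means an executable was written there by hand.
    if region.mapped_file is None and region.head[:2] == b"MZ":
        hits.append("mz_in_private_region")
    if (region.protection in EXECUTABLE and region.mapped_file is None
            and region.head.startswith(PROLOGUES)):
        hits.append("prologue_at_start")
    return hits


def triage(regions):
    """Map (pid, start) -> indicator list for every region that fired."""
    result = {}
    for r in regions:
        hits = indicators(r)
        if hits:
            result[(r.pid, r.start)] = hits
    return result


def sample_regions():
    """Constructed regions: a normal image mapping, a private RWX PE image,
    a private RX blob that starts with a prologue, and an ordinary heap."""
    return [
        VadRegion(1234, 0x7ff6a0000000, 0x7ff6a00a0000, PAGE_EXECUTE_WRITECOPY,
                  r"\Windows\System32\notepad.exe", b"MZ\x90\x00\x03\x00"),
        VadRegion(1234, 0x1e0000, 0x1f0000, PAGE_EXECUTE_READWRITE, None,
                  b"MZ\x90\x00\x03\x00"),
        VadRegion(4444, 0x2a0000, 0x2a1000, PAGE_EXECUTE_READ, None,
                  b"\x55\x8b\xec\x83\xec\x10"),
        VadRegion(4444, 0x300000, 0x400000, 0x04, None, b"\x00" * 6),  # PAGE_READWRITE heap
    ]


if __name__ == "__main__":
    for key, hits in sorted(triage(sample_regions()).items()):
        print(f"pid={key[0]} start={key[1]:#x} -> {', '.join(hits)}")
```

The mapped notepad.exe image carries an MZ header too, but with a file backing and PAGE_EXECUTE_WRITECOPY it produces no hit; only the private regions fire, which is the distinction malfind draws between a loaded module and a manually written one.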

Rootkit Detection

```bash
# Compare process lists
vol -f memory.raw windows.pslist > pslist.txt
vol -f memory.raw windows.psscan > psscan.txt
diff pslist.txt psscan.txt   # Hidden processes

# Check for DKOM (Direct Kernel Object Manipulation)
vol -f memory.raw windows.callbacks

# Detect hooked functions
vol -f memory.raw windows.ssdt   # System Service Descriptor Table

# Driver analysis
vol -f memory.raw windows.driverscan
vol -f memory.raw windows.driverirp
```
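A plain diff of pslist.txt and psscan.txt also flags every process that has simply exited, because the pool scan recovers terminated EPROCESS objects as well as unlinked ones. The parser below, an added example rather than code from the skill file or from Volatility, keys both tables on PID and image name, excludes rows with an ExitTime, and reports only what pslist's ActiveProcessLinks walk missed. The sample text is constructed in Volatility 3's tab-separated layout; only the PID, ImageFileName and ExitTime columns are assumed to exist.

```python
"""Compare pslist (linked-list walk) with psscan (pool scan) output to find
processes present in memory but absent from the active-process list. Added
example, not code from the skill file; samples are constructed."""
import sys

HEADER = "\t".join(["PID", "PPID", "ImageFileName", "Offset(V)", "Threads", "Handles",
                    "SessionId", "Wow64", "CreateTime", "ExitTime", "File output"])


def _row(pid, ppid, name, offset, exit_time="N/A"):
    return "\t".join([str(pid), str(ppid), name, offset, "4", "100", "1", "False",
                      "2024-01-01 10:00:00.000000 ", exit_time, "Disabled"])


_BANNER = ["Volatility 3 Framework (constructed sample output)",
           "Progress:  100.00\t\tPDB scanning finished", HEADER, ""]
_COMMON = [_row(4, 0, "System", "0xfa8000c9a040"),
           _row(352, 4, "smss.exe", "0xfa8001a0b060"),
           _row(1234, 1100, "explorer.exe", "0xfa8002c3d5e0")]

PSLIST_SAMPLE = "\n".join(_BANNER + _COMMON)
# psscan additionally recovers an unlinked process (4444) and an exited one (5000).
PSSCAN_SAMPLE = "\n".join(_BANNER + _COMMON + [
    _row(4444, 1234, "svchost.exe", "0x3c3d5e0"),
    _row(5000, 1234, "notepad.exe", "0x3d4e6f0", exit_time="2024-01-01 10:05:00.000000 "),
])


def parse_process_table(text):
    """Return {(pid, name): exit_time} from a pslist/psscan text dump."""
    rows, cols = {}, None
    for line in text.splitlines():
        fields = line.split("\t")
        if cols is None:
            if "PID" in fields and "ImageFileName" in fields:
                cols = {name: i for i, name in enumerate(fields)}
            continue  # banner / progress lines before the header
        if len(fields) <= max(cols.values()) or not fields[0].strip().isdigit():
            continue
        key = (int(fields[cols["PID"]]), fields[cols["ImageFileName"]].strip())
        rows[key] = fields[cols["ExitTime"]].strip()
    return rows


def hidden_processes(pslist_text, psscan_text):
    """Processes psscan sees that pslist does not, excluding ones that have
    merely exited (psscan also recovers terminated EPROCESS objects)."""
    listed = parse_process_table(pslist_text)
    scanned = parse_process_table(psscan_text)
    return sorted(k for k, exit_time in scanned.items()
                  if k not in listed and exit_time == "N/A")


def terminated_processes(psscan_text):
    """Exited processes recovered by the scan; useful for timeline work."""
    return sorted(k for k, exit_time in parse_process_table(psscan_text).items()
                  if exit_time != "N/A")


if __name__ == "__main__":
    # With real output: python compare_pslist.py pslist.txt psscan.txt
    if len(sys.argv) == 3:
        pslist_text, psscan_text = (open(p).read() for p in sys.argv[1:3])
    else:
        pslist_text, psscan_text = PSLIST_SAMPLE, PSSCAN_SAMPLE
    for pid, name in hidden_processes(pslist_text, psscan_text):
        print(f"HIDDEN  pid={pid} name={name}")
    for pid, name in terminated_processes(psscan_text):
        print(f"EXITED  pid={pid} name={name}")
```

A process that appears in the hidden list is exactly the DKOM case the text describes: its EPROCESS is still in the pool (so the scan finds the object header) but the ActiveProcessLinks entry has been removed, so the list walk never reaches it.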

Credential Extraction

```bash
# Dump hashes (requires hivelist first)
vol -f memory.raw windows.hashdump

# LSA secrets
vol -f memory.raw windows.lsadump

# Cached domain credentials
vol -f memory.raw windows.cachedump

# Mimikatz-style extraction
# Requires specific plugins/tools
```

YARA Integration

Writing Memory YARA Rules

```yara
rule Suspicious_Injection
{
    meta:
        description = "Detects common injection shellcode"

    strings:
        // Common shellcode patterns
        $mz = { 4D 5A }
        $shellcode1 = { 55 8B EC 83 EC }  // Function prologue
        $api_hash = { 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 }  // Push hash, call

    condition:
        // Every declared string must be referenced, or YARA refuses to compile the rule
        $mz at 0 or any of ($shellcode*) or $api_hash
}

rule Cobalt_Strike_Beacon
{
    meta:
        description = "Detects Cobalt Strike beacon in memory"

    strings:
        $config = { 00 01 00 01 00 02 }
        $sleep = "sleeptime"
        $beacon = "%s (admin)" wide

    condition:
        2 of them
}
```
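To make the hex strings in Suspicious_Injection concrete, here is a small matcher for YARA-style hex patterns with `??` byte wildcards that evaluates that rule's condition over a buffer. This is an added example, not code from the skill file or from the YARA project: it handles only whole-byte wildcards (no nibble wildcards, jumps or alternatives), and the three sample buffers are constructed.

```python
"""Minimal YARA-style hex-pattern matcher used to show what the
Suspicious_Injection rule tests. Added example; supports only `??` whole-byte
wildcards and evaluates the one rule's condition by hand."""

RULE_STRINGS = {
    "$mz": "{ 4D 5A }",
    "$shellcode1": "{ 55 8B EC 83 EC }",
    "$api_hash": "{ 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 }",
}


def parse_hex_pattern(pattern):
    """'{ 68 ?? E8 }' -> [0x68, None, 0xE8]; None matches any byte."""
    tokens = []
    for tok in pattern.strip().strip("{}").split():
        tokens.append(None if tok == "??" else int(tok, 16))
    return tokens


def find_pattern(data, pattern):
    """All offsets in data where the pattern matches (overlaps allowed)."""
    toks = parse_hex_pattern(pattern)
    n = len(toks)
    return [i for i in range(len(data) - n + 1)
            if all(t is None or data[i + j] == t for j, t in enumerate(toks))]


def suspicious_injection(data):
    """Evaluate the rule condition: $mz at 0 or any of ($shellcode*) or $api_hash.
    Returns (matched, {string_name: [offsets]}) so hits can be reviewed."""
    hits = {name: find_pattern(data, pat) for name, pat in RULE_STRINGS.items()}
    matched = (0 in hits["$mz"]
               or any(hits[n] for n in hits if n.startswith("$shellcode"))
               or bool(hits["$api_hash"]))
    return matched, hits


# Constructed buffers standing in for bytes read from a process region.
SAMPLE_PE = b"MZ\x90\x00\x03\x00" + b"\x00" * 10                  # MZ at offset 0
SAMPLE_PUSHCALL = b"\x90" * 5 + bytes.fromhex("6811223344" "6855667788" "e800000000")
SAMPLE_CLEAN = b"just some ascii text\x00" + bytes(range(16))

if __name__ == "__main__":
    for label, buf in [("pe", SAMPLE_PE), ("pushcall", SAMPLE_PUSHCALL), ("clean", SAMPLE_CLEAN)]:
        matched, hits = suspicious_injection(buf)
        print(f"{label}: match={matched} " + " ".join(f"{k}={v}" for k, v in hits.items()))
```

Note the difference between `$mz at 0` and a bare `$mz`: a buffer with an MZ header somewhere other than offset 0 does not satisfy the first clause, which is why the rule only flags regions that begin with a PE header rather than every region that happens to contain the two bytes.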

Scanning Memory

```bash
# --yara-file takes a rules file; --yara-rules takes an inline rule string

# Scan all process memory
vol -f memory.raw windows.yarascan --yara-file rules.yar

# Scan specific process
vol -f memory.raw windows.yarascan --yara-file rules.yar --pid 1234

# Scan kernel memory
vol -f memory.raw windows.yarascan --yara-file rules.yar --kernel
```

String Analysis

Extracting Strings

```bash
# Basic string extraction
strings -a memory.raw > all_strings.txt

# Unicode strings
strings -el memory.raw >> all_strings.txt

# Targeted extraction from process dump
vol -f memory.raw windows.memmap --pid 1234 --dump
strings -a pid.1234.dmp > process_strings.txt

# Pattern matching (dots escaped so they match literal separators, not any character)
grep -E "(https?://|[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})" all_strings.txt
```
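The same extraction and matching done in Python, which is handy when the dump is a file you want to process in a pipeline rather than with strings and grep. This is an added example, not code from the skill file: it pulls ASCII runs (what `strings -a` reports) and UTF-16LE runs (what `strings -el` reports) from a constructed buffer, then applies a URL and IPv4 pattern whose octets are bounded with lookarounds so "1234.5.6.7" is not reported as an address.

```python
"""ASCII and UTF-16LE string extraction with URL/IPv4 matching, mirroring
`strings -a`, `strings -el` and the grep above. Added example, not from the
skill file; SAMPLE is a constructed stand-in for a process dump."""
import re

PRINTABLE = rb"[\x20-\x7e]"

# Octets bounded to 0-255 and guarded against being part of a longer number.
URL_RE = r"https?://[^\s\"'<>]+"
IPV4_RE = r"(?<!\d)(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)(?!\d)"
IOC_RE = re.compile(f"({URL_RE})|({IPV4_RE})")


def extract_strings(data, min_len=4):
    """Return (offset, encoding, text) tuples for ASCII and UTF-16LE runs."""
    found = []
    ascii_re = re.compile(PRINTABLE + rb"{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:" + PRINTABLE + rb"\x00){%d,}" % min_len)
    for m in ascii_re.finditer(data):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in utf16_re.finditer(data):
        found.append((m.start(), "utf-16le", m.group().decode("utf-16-le")))
    return sorted(found)


def find_iocs(strings):
    """Unique URLs and IPv4 addresses across extracted (offset, enc, text) tuples."""
    iocs = set()
    for _, _, text in strings:
        for m in IOC_RE.finditer(text):
            iocs.add(m.group(0))
    return sorted(iocs)


# Constructed buffer: binary noise, an ASCII HTTP request line, a UTF-16LE
# string with an address, two short fragments below min_len, and a version string.
SAMPLE = (b"\x00\x7f\x01" + b"GET http://example.com/update HTTP/1.1\r\n"
          + b"\x00" * 3 + "C2 10.0.0.5:443".encode("utf-16-le")
          + b"\x00\x00" + b"ab\x00cd" + b"version 1.2.3")

if __name__ == "__main__":
    strs = extract_strings(SAMPLE)
    for offset, enc, text in strs:
        print(f"{offset:#06x} {enc:8} {text}")
    print("IOCs:", find_iocs(strs))
```

Version-like strings with four dotted numbers (a "1.2.3.4" build tag) still match the IPv4 pattern, as they do with the grep above; the offset and surrounding text returned by extract_strings are what let an analyst tell the two apart.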

FLOSS for Obfuscated Strings

```bash
# FLOSS extracts obfuscated strings
floss malware.exe > floss_output.txt

# From memory dump
floss pid.1234.dmp
```

Best Practices

Acquisition Best Practices

  1. Minimize footprint: Use lightweight acquisition tools
  2. Document everything: Record time, tool, and hash of capture
  3. Verify integrity: Hash memory dump immediately after capture
  4. Chain of custody: Maintain proper forensic handling
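Items 2 and 3 above (record time, tool and hash; hash the dump immediately) and the "Incomplete dumps" pitfall further down can be folded into one post-capture step. The script below is an added example, not code from the skill file: it stream-hashes the dump, compares its size with the installed RAM figure the examiner supplies, and writes a JSON custody record next to the file. The 10% size tolerance and the zero-filled sample file are assumptions made for the demonstration.

```python
"""Post-acquisition integrity checks for a memory dump: stream-hash the file,
compare its size with installed RAM, and record the result for the custody
log. Added example for this page; not code from the skill file itself."""
import hashlib
import json
import os
import tempfile
import time


def sha256_bytes(data):
    """SHA-256 of an in-memory buffer (used for small samples and tests)."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path, chunk_size=1024 * 1024):
    """Stream the dump through SHA-256 so multi-gigabyte files fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def check_dump_size(size_bytes, expected_ram_bytes, tolerance=0.10):
    """Return (ok, ratio). A raw dump should be close to installed RAM; a
    file that is much smaller usually means the capture stopped early.
    The 10% tolerance is an assumption; raw dumps can also be slightly
    larger than RAM when a tool includes reserved physical ranges."""
    ratio = size_bytes / expected_ram_bytes
    return (ratio >= 1.0 - tolerance, ratio)


def make_custody_record(path, tool, expected_ram_bytes, examiner):
    """Collect the facts the text says to record: time, tool, hash, size."""
    size = os.path.getsize(path)
    ok, ratio = check_dump_size(size, expected_ram_bytes)
    return {
        "file": os.path.basename(path),
        "tool": tool,
        "examiner": examiner,
        "recorded_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "size_bytes": size,
        "expected_ram_bytes": expected_ram_bytes,
        "size_ratio": round(ratio, 3),
        "size_ok": ok,
        "sha256": sha256_file(path),
    }


def write_custody_record(record, out_path):
    """Write the record as JSON beside the dump; returns the path written."""
    with open(out_path, "w") as f:
        json.dump(record, f, indent=2, sort_keys=True)
    return out_path


def demo_record(nbytes=4096):
    """Constructed sample: a zero-filled file in a temp dir stands in for memory.raw."""
    with tempfile.TemporaryDirectory() as workdir:
        dump = os.path.join(workdir, "memory.raw")
        with open(dump, "wb") as f:
            f.write(b"\x00" * nbytes)
        record = make_custody_record(dump, "winpmem_mini_x64.exe", nbytes, "analyst")
        write_custody_record(record, dump + ".custody.json")
        return record


if __name__ == "__main__":
    print(json.dumps(demo_record(), indent=2))
```

Run it against a real capture by calling make_custody_record with the dump path, the tool name, and the RAM size read from the host; a size_ok of false is the cue to re-acquire before any analysis time is spent on a truncated image.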

Analysis Best Practices

  1. Start broad: Get overview before deep diving
  2. Cross-reference: Use multiple plugins for same data
  3. Timeline correlation: Correlate memory findings with disk/network
  4. Document findings: Keep detailed notes and screenshots
  5. Validate results: Verify findings through multiple methods

Common Pitfalls

  • Stale data: Memory is volatile, analyze promptly
  • Incomplete dumps: Verify dump size matches expected RAM
  • Symbol issues: Ensure correct symbol files for OS version
  • Smear: Memory may change during acquisition
  • Encryption: Some data may be encrypted in memory