Awesome Memory Forensics

A curated list of awesome Memory Forensics for DFIR.

Memory Forensics is forensic analysis of a computer's memory dump. Its primary application is investigation of advanced computer attacks which are stealthy enough to avoid leaving data on the computer's hard drive. Consequently, the memory (RAM) must be analyzed for forensic information.

Fundamental

• Operating Systems
• Computer Structure
• Reverse Engineering
• Malware Analysis
• Windows Internals
• Digital Forensics
• Incident Response

⚙️ Tools

Memory Acquisition

Introduce commercial and open source tools for memory acquisition.

• MAGNET RAM
• FTK Imager
• Winpmem
• Ram Capturer
• LiME
• AVML
• fmem
• FEX Memory Imager
• MacQuisition

Memory Analysis

Introduce commercial and open source tools for memory analysis.

• Volcano - A comprehensive, cross-platform, next- generation memory analysis solution, Volexity Volcano Professional’s powerful core extracts, indexes, and correlates artifacts to provide unprecedented visibility into systems’ runtime state and trustworthiness.
• Volatility3 - Volatility is the world's most widely used framework for extracting digital artifacts from volatile memory (RAM) samples.
• MemProcFS - The Memory Process File System (MemProcFS) is an easy and convenient way of viewing physical memory as files in a virtual file system.
• WinDbg - The Windows Debugger (WinDbg) can be used to debug kernel-mode and user-mode code, analyze crash dumps, and examine the CPU registers while the code executes.
• Volatility - The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples.
• Volafox - macOS Memory Analysis Toolkit' is developed on Python 2.x (Deprecated)
• Rekall - A new branch within the Volatility project was created to explore how to make the code base more modular, improve performance, and increase usability. (Deprecated)
• Redline - The Windows Debugger (WinDbg) can be used to debug kernel-mode and user-mode code, analyze crash dumps, and examine the CPU registers while the code executes. (Deprecated)

Books

• The Art of Memory Forensics - Detecting Malware and Threats in Windows, Linux, and Mac Memory
• Practical Memory Forensics - Jumpstart effective forensic analysis of volatile memory

Course

• Malware and Memory Forensics Training

🖥 Videos

13 Cubed

• Introduction to Memory Forensics
• Windows Memory Analysis
• Windows Process Genealogy
• Windows Process Genealogy (Update)
• Memory Forensics Baselines
• Extracting Prefetch from Memory
• Detecting Persistence in Memory
• Introduction to Redline
• Introduction to Redline (Update)
• Profiling Network Activity with Volatility 3 - GeoIP from Memory
• Volatility Profiles and Windows 10
• Dumping Processes with Volatility 3
• First Look at Volatility 3 Public Beta
• Volatility 3 and WSL 2 - Linux DFIR Tools in Windows?

DFIR Science

• Introduction to Memory Forensics with Volatility 3
• Amazon AWS EC2 Forensic Memory Acquisition - LiME
• Forensic Memory Acquisition in Linux - LiME
• Forensic Memory Acquisition in Windows - FTK Imager

Black Hat 2022

• New Memory Forensics Techniques to Defeat Device Monitoring Malware

Black Hat 2019

• Investigating Malware Using Memory Forensics - A Practical Approach

SANS Digital Forensics and Incident Response

• SANS DFIR Webcast - Memory Forensics for Incident Response

ETC

• Memory Forensics with Jupyter Notebooks

Articles

JPCERT

• How to Use Volatility 3 Offline
• Migrate Volatility Plugins 2 to 3
• MalConfScan with Cuckoo: Plugin to Automatically Extract Malware Configuration
• Volatility Plugin for Detecting RedLeaves Malware
• A New Tool to Detect Known Malware from Memory Images – impfuzzy for Volatility –
• A Volatility Plugin Created for Detecting Malware Used in Targeted Attacks
• Volatility Plugin for Detecting Cobalt Strike Beacon

Blogs

• Memory analysis using volatility3 (1) - Windows 10
• Memory analysis using volatility3 (2) - Ubuntu Linux

WriteUps

Papers

Digital Investigation

• The evidence beyond the wall: Memory forensics in SGX environments

DFRWS USA 2022

• Memory Analysis of .NET and .Net Core Applications
• Juicing V8: A Primary Account for the Memory Forensics of the V8 JavaScript Engine

DFRWS EU 2022

• Extraction and analysis of retrievable memory artifacts from Windows Telegram Desktop application
• Defining Atomicity (and Integrity) for Snapshots of Storage in Forensic Computing
• Memory forensic analysis of a programmable logic controller in industrial control systems

DFRWS USA 2021

• Duck Hunt: Memory Forensics of USB Attack Platforms
• Seance: Divination of Tool-Breaking Changes in Forensically Important Binaries
• Leveraging Intel DCI for Memory Forensics

DFRWS EU 2021

• One key to rule them all: Recovering the master key from RAM to break Android’s file-based encryption

DFRWS USA 2020

• Hiding Process Memory via Anti-Forensic Techniques
• Memory Analysis of macOS Page Queues
• Memory FORESHADOW: Memory FOREnSics of HArDware cryptOcurrency Wallets – A Tool and Visualization Framework

Test Dataset

• Digital Corpora
• NIST
• Memory Forensic Training
• MemLabs

🏆 Challenges

• 2021 Volatility Plugin Contest
• 2020 Volatility Plugin Contest
• 2019 Volatility Plugin & Analysis Contests
• 2018 Volatility Plugin & Analysis Contests
• 2017 Volatility Plugin Contest
• 2016 Volatility Plugin Contest
• 2015 Volatility Plugin Contest
• 2015 DFRWS Forensic Challenge
• 2014 Volatility Plugin Contest
• 2013 Volatility Plugin Contest

🌳 Contributors

Thank you for your contribution!

We welcome any contribution to the extent that Code of Conduct and the License comply.