Home > Digital Forensics

Process, DLL, Network Artefacts

Processes, DLLs, and network artifacts are some of the most important evidence sources in memory forensics. These artifacts reveal what was running on a system, what modules were loaded, and how the machine communicated with other hosts. Attackers rely heavily on malicious processes, injected DLLs, and covert network connections—making these three categories essential for detecting intrusions, malware infections, and fileless attacks.

This chapter explains how processes, DLLs, and network artifacts appear inside RAM, how forensic tools extract them, and what indicators investigators look for during analysis.

Process Artefacts in Memory

A process represents a running program. RAM stores all active processes along with their identifiers, execution paths, command lines, parent-child relationships, and memory regions.

Memory forensics tools like Volatility extract detailed process information.

Key Process Artefacts

1. Process List

Shows all currently running processes.

Useful to identify:

  • Unexpected or suspicious executables

  • Malware using legitimate names

  • High-privilege processes started by attackers

  • Fileless malware that spawns from memory

2. Process Tree

Shows parent → child hierarchy.

Helps detect:

  • Suspicious parent-child chains

  • PowerShell spawning cmd → reverse shell

  • Office apps spawning scripts (macro malware)

  • Remote shell processes

3. PID/PPID Tracking

Process IDs and parent IDs help reveal execution chains.

Example evidence:

  • winword.exe → spawns → powershell.exe

  • explorer.exe → spawns → cmd.exe

A strong indicator of phishing or malicious macros.

Signs of Malicious Processes

  • Unknown executables

  • Processes with no command-line arguments

  • Processes running from non-standard locations

  • Memory-only processes (found in psscan but not pslist)

  • Parent-child inconsistencies

  • Time anomalies (process started after compromise)

  • Processes using excessive memory or threads

Malware often hides by unlinking itself from standard process lists, but memory scans still detect them.

DLL Artefacts (Modules Loaded in Memory)

A DLL (Dynamic Link Library) is a shared library loaded by processes.
Malicious DLLs are commonly injected into legitimate processes.

Key DLL Artefacts

1. Loaded Modules List

Shows all DLLs a process currently uses.

Useful for:

  • Detecting malicious DLL injections

  • Identifying unsigned or unknown modules

  • Spotting DLL search order hijacking

  • Examining suspicious in-memory scripts

2. Reflective DLL Loading

Fileless malware loads a DLL directly into memory without touching disk.

Memory forensics reveals:

  • Suspicious memory regions

  • Executable pages without backing files

  • DLLs with no file path

3. PE File Metadata

Memory inspection extracts:

  • Compile timestamp

  • Imports/exports

  • Code sections

  • Strings

This is vital for malware classification.

Signs of Malicious DLL Activity

  • DLLs loaded from Temp, AppData, Downloads, /tmp, or hidden directories

  • Modules without file paths

  • Unsigned DLLs loaded into signed processes

  • Suspicious DLL names mimicking system ones (e.g., svch0st.dll)

  • Code sections marked executable and writable (RWX)

  • DLLs injected into browsers, LSASS, or explorer

DLL artifacts are often the first indicator of in-memory malware.

Network Artefacts in Memory

Memory stores active and recently closed network connections, sockets, listening ports, and routing information.

Attackers use network channels for:

  • Command-and-control (C2)

  • Reverse shells

  • Lateral movement

  • Data exfiltration

Memory forensics exposes these connections even if logs are cleared.

Key Network Artefacts Extracted from RAM

1. Active TCP/UDP Connections

Includes:

  • Local IP & port

  • Remote IP & port

  • Connection state (ESTABLISHED, LISTENING)

  • Owning process (PID)

2. Network Sockets

Reveals:

  • Raw sockets

  • Unusual protocols

  • Covert communication channels

3. Listening Ports

Identifies:

  • Backdoor listeners

  • Unauthorized services

  • Hidden shells

4. Closed / Recently Active Connections

Memory retains remnants even after disconnection.

Useful when:

  • Attackers clear logs

  • Connections were short-lived

  • Malware self-destructed

Signs of Malicious Network Activity

  • Connections to suspicious foreign IPs

  • Processes communicating that should not have network access

  • PowerShell or bash spawning connections

  • LISTENING ports on unusual ports (e.g., 4444, 8081, 9001)

  • C2 frameworks (Cobalt Strike, Brute Ratel) network signatures

  • Reverse shells such as:

    • cmd.exe → 10.0.0.x:4444

    • bash → remote IP over port 9001

Memory-based network evidence is often stronger than disk logs.

Common Forensic Workflows (Volatility Examples)

List processes

volatility3 -f mem.raw windows.pslist

Find hidden processes

windows.psscan

Show process tree

windows.pstree

List DLLs per process

windows.dlllist

Detect injected code

windows.malfind

Network connections

windows.netscan

These plugins collectively reveal attacker activity in RAM.

Intel Dump

  • Processes in RAM show active execution, parent-child chains, and hidden or malicious tasks not visible on disk.

  • DLL artifacts reveal injected modules, reflectively loaded payloads, and unsigned or pathless libraries used by malware.

  • Network artifacts expose active and recently closed connections, remote IPs, listening ports, and command-and-control communication.

  • Memory forensics detects fileless malware, in-memory implants, reverse shells, and persistence techniques that leave no disk traces.

  • Correlating processes, DLLs, and network activity gives a complete picture of attacker behavior and malicious execution flow.

  • Volatility plugins like pslist, psscan, malfind, dlllist, and netscan are essential for extracting these artifacts from RAM.

HOME COMMUNITY CAREERS DASHBOARD