Someone ran ransomware. System logs say little, Windows events are gone. The disk is encrypted, but RAM still holds everything: running processes, active network connections, shell commands typed seconds before. Without a physical memory dump, that crime scene is lost forever.
Here at Meteora Web, we work daily on IT security for Italian SMEs. We see it: when an attack hits, the first thing erased is volatile evidence. That's why RAM analysis isn't a lab luxury — it's a core skill in every incident response. In this guide we show how to use Volatility 3 to extract evidence from system memory, with real commands and concrete scenarios.
What Is Memory Forensics and Why Is It Crucial for Incident Response?
RAM contains everything running at dump time: processes, threads, handles, network connections, loaded DLLs, decrypted data in cleartext, plaintext passwords, PowerShell commands, file fragments. Unlike disk, RAM is volatile, but if you capture it before shutdown, you have an instant snapshot of the attack.
Why is it essential? Many malware are memory-resident (fileless). They never write to disk. Traditional filesystem forensics won't see them. With memory forensics you can:
- Identify hidden malicious processes (DKOM rootkits).
- Recover payloads injected into legitimate processes.
- Extract encryption keys used by ransomware.
- Reconstruct the sequence of executed commands (cmdline, PowerShell).
How to Obtain a Reliable RAM Dump?
Before analysis, you must acquire memory forensically. Mistakes compromise the entire investigation. Here are methods we use:
On Windows: DumpIt (or FTK Imager Lite)
DumpIt is a small command-line tool that writes physical memory to a .raw or .dmp (crash-dump format) file. Run it with administrator privileges. Basic command:
DumpIt.exe -o memory.dump
Warnings: The switches differ between the classic MoonSols build (which takes no arguments and writes next to the executable) and the later Comae release, so check the help output of the build you keep in your kit. Run the tool from an external USB drive and write the dump to external media, never to the compromised disk: the point is not to overwrite disk evidence (unallocated space, pagefile) and not to leave installers behind. Any acquisition tool changes some memory just by running, so keep the footprint minimal: no installs, no other tools first, one dump.
On Linux: LiME
LiME (Linux Memory Extractor) is a loadable kernel module. Build it against the exact kernel of the target (ideally on an identical clean machine rather than the compromised host, which would otherwise need headers and a compiler installed) or use a module precompiled for that kernel version. Command:
insmod lime.ko "path=/mnt/usb/memory.lime format=lime"
Volatility 3 reads the LiME format natively. One caveat that catches many first-timers: for Linux (and macOS) the framework needs a symbol table (an ISF JSON file) matching the kernel build, generated with dwarf2json from the kernel's debug symbols and placed under volatility3/symbols/. Without it the linux.* plugins will not run, so generate it while the kernel package is still obtainable.
On macOS: osxpmem (from the pmem suite, originally developed at Google for Rekall)
macOS, less common in SMEs, can be acquired with osxpmem, which produces .aff4 (its default) or raw images. Recent macOS releases restrict the loading of third-party kernel extensions, so verify that the acquisition driver can load on the target version before you count on it.
What to do now: If you suspect an ongoing attack, do not shut down. Load a portable tool from a USB drive, dump memory, then analyze the file offline.
Volatility 3: Installation and First Practical Steps
Volatility 2 is still used for legacy images, but new development goes into Volatility 3 (Python 3). There are no Volatility 2-style profiles: for Windows images it identifies the build and fetches the matching symbol table (PDB) from Microsoft's symbol server automatically, while Linux and macOS need an ISF symbol file for the exact kernel. Simple installation (pip3 install volatility3 also works and provides a vol command):
git clone https://github.com/volatilityfoundation/volatility3.git
cd volatility3
pip3 install -r requirements.txt
python3 vol.py -f memory.dump windows.info
First command: windows.info (or linux.info, mac.info) prints what the framework could determine about the image: kernel base and build number, 32- or 64-bit, number of processors, system time at acquisition, and the symbol table it resolved. If it runs cleanly, the image is readable and symbols are in place; if it fails, fix the symbols before trying anything else.
Essential Plugins to Know
- windows.pslist: Lists active processes at dump time.
- windows.psscan: Scans memory for EPROCESS structures (finds hidden processes).
- windows.netscan: Shows TCP/UDP connections, sockets, listening ports.
- windows.cmdline: Extracts command line of each process.
- windows.dlllist: Lists loaded DLLs per process.
- windows.malfind: Flags memory regions that look injected: private, executable (typically PAGE_EXECUTE_READWRITE) and not backed by a file on disk, with a hexdump and disassembly of their first bytes.
- windows.hashdump: Recovers local account NT hashes from the SAM, provided the SYSTEM and SAM hives are resident in memory.
Practical example: After a dump, run:
python3 vol.py -f incident.raw windows.pslist
python3 vol.py -f incident.raw windows.psscan
python3 vol.py -f incident.raw windows.netscan
Compare the PIDs from pslist and psscan. pslist walks the kernel's linked list of EPROCESS structures, which a rootkit can unlink itself from (DKOM); psscan carves EPROCESS objects out of pool memory by their signature, so it also finds unlinked ones. A process in psscan but not in pslist is therefore a candidate for hiding, but check its ExitTime first: psscan also recovers processes that have already terminated, which is by far the more common explanation.
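The comparison above, generalised to any number of process sources (pslist, psscan, thrdscan, ...), which is what the psxview approach does, as an added example that is not part of the original article or of Volatility. It assumes you exported each plugin with the JSON renderer (python3 vol.py -r json -f incident.raw windows.pslist > pslist.json) and that the rows carry PID, ImageFileName and ExitTime keys, as the Windows process plugins' columns are named; how an unset ExitTime is encoded by the JSON renderer is also an assumption, so several spellings are accepted. The sample rows are constructed.

```python
"""Cross-view check for hidden processes (psxview style).

Added example, not code from the original article or from the Volatility
project. Rows are assumed to look like the records `vol.py -r json
windows.pslist` / `windows.psscan` emit: dicts with PID, ImageFileName and
ExitTime keys; only those three keys are read.
"""
import json
from typing import Dict, Iterable, List, Mapping, Set

# Assumption: an unset ExitTime may be serialised as any of these.
UNSET = (None, "", "N/A", "-")


def pids_by_source(sources: Mapping[str, Iterable[Mapping]]) -> Dict[str, Set[int]]:
    """Map each source name (pslist, psscan, ...) to the set of PIDs it reports."""
    return {name: {int(row["PID"]) for row in rows} for name, rows in sources.items()}


def cross_view(sources: Mapping[str, Iterable[Mapping]]) -> List[dict]:
    """One finding per PID that at least one source does not report.

    pslist walks the EPROCESS linked list, which DKOM rootkits unlink from;
    psscan carves EPROCESS objects out of pool memory and so also returns
    processes that merely exited. ExitTime separates the two cases: unlinked
    AND not exited is the DKOM signature, unlinked AND exited is normal.
    """
    rows = {name: list(r) for name, r in sources.items()}
    seen = pids_by_source(rows)
    all_pids: Set[int] = set().union(*seen.values())
    # Name and ExitTime for a PID, taken from whichever source knows it.
    info: Dict[int, Mapping] = {}
    for rs in rows.values():
        for r in rs:
            info.setdefault(int(r["PID"]), r)
    findings = []
    for pid in sorted(all_pids):
        missing = sorted(name for name, s in seen.items() if pid not in s)
        if not missing:
            continue
        row = info[pid]
        exited = row.get("ExitTime") not in UNSET
        findings.append({
            "pid": pid,
            "name": row.get("ImageFileName"),
            "missing_from": missing,
            "exited": exited,
            "verdict": "terminated" if exited else "HIDDEN?",
        })
    return findings


def load_vol_json(path: str) -> list:
    """Read a file written with `vol.py -r json -f img windows.pslist > pslist.json`."""
    with open(path) as fh:
        return json.load(fh)


# Constructed sample rows, not real tool output: PIDs 4 and 1234 are normal,
# 2048 is in psscan only but has an exit time (a finished process), 3072 is
# in psscan only with no exit time (unlinked from the list: suspicious).
PSLIST = [
    {"PID": 4, "ImageFileName": "System", "ExitTime": None},
    {"PID": 1234, "ImageFileName": "svchost.exe", "ExitTime": None},
]
PSSCAN = PSLIST + [
    {"PID": 2048, "ImageFileName": "notepad.exe", "ExitTime": "2024-03-01 10:02:11"},
    {"PID": 3072, "ImageFileName": "rundll32.exe", "ExitTime": None},
]

if __name__ == "__main__":
    # Real use: cross_view({"pslist": load_vol_json("pslist.json"), ...})
    for finding in cross_view({"pslist": PSLIST, "psscan": PSSCAN}):
        print(finding)
```

Adding a third source (windows.thrdscan rows, keyed on their owning PID) needs no code change; every process missing from any one view is reported, and the verdict column tells you which ones deserve a look.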
How to Analyze a Suspicious Process with Volatility?
Suppose you find an svchost.exe with PID 1234 whose parent is not services.exe (windows.pstree shows the tree), with an unusual command line, or with an unsigned DLL loaded. Deep dive:
python3 vol.py -f incident.raw windows.cmdline --pid 1234
python3 vol.py -f incident.raw windows.dlllist --pid 1234
python3 vol.py -f incident.raw windows.malfind --pid 1234
python3 vol.py -f incident.raw windows.memmap --pid 1234 --dump
memmap --dump writes the whole addressable memory of the process to pid.1234.dmp (in the directory given with the global -o option, otherwise the current one). Then run strings over it, both strings -a and strings -el: Windows keeps most of its strings in UTF-16, and the default ASCII pass misses them. Or scan it with YARA. We often do this to find IoCs like C2 URLs, registry keys, or filenames.
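The extraction step above, as an added example that is not code from the original article or from Volatility: it pulls both ASCII and UTF-16LE strings out of a process dump (the two passes strings -a and strings -el would do) and filters them with a few IoC patterns. The patterns are triage heuristics, assumed here rather than taken from any rule set (version numbers will match the IPv4 pattern, for instance), and the sample buffer is constructed, using the 203.0.113.0/24 documentation range.

```python
"""IoC triage over a process memory dump (e.g. pid.1234.dmp from memmap --dump).

Added example, not from the original article or from Volatility. GNU strings
reports only ASCII unless given -el; most Windows API strings are UTF-16LE,
so both encodings are scanned here.
"""
import re
from typing import Dict, Iterator, List, Set

MIN_LEN = 6  # same idea as `strings -n 6`

# Heuristic IoC patterns (assumed for this example, tuned for recall not precision).
IOC_PATTERNS = {
    "url": re.compile(r"https?://[A-Za-z0-9._~:/?#@!$&'()*+,;=%-]+"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}(?::\d{1,5})?\b"),
    "regkey": re.compile(r"HK(?:LM|CU|CR|U|CC|EY_[A-Z_]+)\\[^\s<>|]+"),
    "winpath": re.compile(r"[A-Za-z]:\\[^\s<>|]+"),
}


def extract_strings(buf: bytes, min_len: int = MIN_LEN) -> Iterator[str]:
    """Yield printable runs: ASCII first, then UTF-16LE (printable byte, NUL)."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    for m in ascii_re.finditer(buf):
        yield m.group().decode("ascii")
    for m in utf16_re.finditer(buf):
        yield m.group().decode("utf-16-le")


def find_iocs(buf: bytes) -> Dict[str, List[str]]:
    """Deduplicated IoC candidates grouped by type, in first-seen order."""
    hits: Dict[str, List[str]] = {kind: [] for kind in IOC_PATTERNS}
    seen: Set[str] = set()
    for s in extract_strings(buf):
        for kind, pat in IOC_PATTERNS.items():
            for m in pat.findall(s):
                if m not in seen:
                    seen.add(m)
                    hits[kind].append(m)
    return hits


def scan_dump(path: str) -> Dict[str, List[str]]:
    """Scan a per-process dump file; whole-RAM images are better read via mmap."""
    with open(path, "rb") as fh:
        return find_iocs(fh.read())


# Constructed sample "dump", not data from a real incident: noise around an
# ASCII C2 URL, then a UTF-16LE Run-key path and a UTF-16LE file path, the
# way the Windows registry and file APIs would hold them.
SAMPLE = (
    b"\x00\x90\x90MZ\x90\x00garbage\x00"
    + b"http://203.0.113.5:8443/gate.php\x00\xff\xfe"
    + "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run".encode("utf-16-le")
    + b"\x00\x00"
    + "C:\\Users\\Public\\update.exe".encode("utf-16-le")
    + b"\x00\x00\x01\x02short\x00"
)

if __name__ == "__main__":
    for kind, values in find_iocs(SAMPLE).items():
        for v in values:
            print(f"{kind:8s} {v}")
```

Note that the registry key and the file path in the sample are only found by the UTF-16 pass; a plain strings | grep on the same dump would report the URL and nothing else.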
Extracting an Injected Payload from Process Memory
If you suspect code injection, run windows.vadinfo --pid 1234 to list the process's VAD regions and look for private regions with unusual protections (PAGE_EXECUTE_READWRITE is the classic sign, although mature malware flips the region to RX once it has written the payload). Then extract that single region with windows.vadinfo --pid 1234 --address <region start> --dump; in Volatility 3 the dump is an option of vadinfo rather than a separate vaddump plugin.
How to Detect Rootkits and Fileless Malware in RAM?
Modern rootkits modify kernel data structures to hide processes, files, or connections. Volatility has specific plugins:
- windows.psxview: Cross-references several process sources (list walk, pool scan, thread scan, ...) so that a process unlinked from one of them stands out; in Volatility 3 releases that predate it, compare pslist, psscan and thrdscan by hand.
- windows.ssdt: Lists the System Service Descriptor Table with the module each entry resolves to. An entry that points outside ntoskrnl.exe (or win32k.sys for the shadow table) is hooked.
- windows.driverirp: Lists each driver's IRP dispatch routines; a malicious driver commonly overwrites another driver's dispatch routines with its own.
Real example: Fileless malware like Meterpreter reflectively loads its payload into a legitimate process (e.g., explorer.exe). With windows.malfind you find regions tagged VadS (private memory, no backing file) with protection PAGE_EXECUTE_READWRITE; the hexdump column often starts with an MZ header or a typical shellcode prologue. Dump that region and analyze it with strings or a disassembler.
Case study: A client's server was hit by Cobalt Strike. The beacon was injected into rundll32.exe but didn't appear in pslist. With psscan we found it, extracted the config (teamserver URL, mutex), and blocked communication from the firewall.
How to Recover Encrypted Data or Credentials from RAM?
Ransomware keeps the symmetric file-encryption key in memory for as long as it is encrypting; once the process exits, the key is gone, which is one more reason to acquire before anything else. Volatility has no magic plugin for this, but you can:
- Dump the ransomware process memory (windows.memmap --dump) and search it for the key. A raw AES key is 16 or 32 bytes of binary, so a string search only finds keys the program happens to store as hex text; for binary keys you need a key-schedule scan of the kind aeskeyfind performs.
- Use windows.modscan to enumerate kernel modules, including unlinked ones, if you suspect a driver-level component.
- Extract user hashes with windows.hashdump (and cached domain credentials with windows.cachedump, LSA secrets with windows.lsadump) for offline cracking.
Example: To look for a hex-encoded AES key (32 or 64 hex characters on a line of their own), run:
python3 vol.py -f incident.raw -o output/ windows.memmap --pid 4567 --dump
strings -a output/pid.4567.dmp | grep -E '^([A-Fa-f0-9]{32}|[A-Fa-f0-9]{64})$'
In Volatility 3 the per-process dump is windows.memmap --dump (memdump was the Volatility 2 name) and the output directory is the global -o option. Not foolproof: this sees only keys stored as text, and many families encrypt each per-file key with an embedded public key, so what you recover may be a file key rather than a master key. Still, in many cases the key is in memory while encryption is running.
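What the grep above cannot do is find a raw binary key, so here is the other approach, as an added example that is not code from the original article or from Volatility: an AES-128 implementation keeps the 176-byte expanded key schedule next to the key while it encrypts, and the first 16 bytes of that schedule fully determine the other 160, so every offset of the dump can be tested for that relationship (the technique behind aeskeyfind and findaes). Assumptions: AES-128 only, the schedule stored contiguously in the standard FIPS-197 layout, as most software implementations do (keys that live only in AES-NI registers or in a vendor-specific layout are missed), and a constructed sample buffer with the FIPS-197 example key planted in random filler.

```python
"""Locate AES-128 keys in a memory dump by their expanded key schedule.

Added example, not code from the original article or from Volatility.
Pure-Python reference of the aeskeyfind idea; for multi-gigabyte images use
the C tools, the algorithm is the same.
"""
import random
from typing import Iterator, List, Tuple

SCHEDULE_LEN = 176  # 11 round keys * 16 bytes


def _xtime(a: int) -> int:
    """Multiply by x in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    a <<= 1
    return (a ^ 0x1B) & 0xFF if a & 0x100 else a


def _gf_mul(a: int, b: int) -> int:
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = _xtime(a)
        b >>= 1
    return r


def _build_sbox() -> List[int]:
    """Derive the S-box (GF(2^8) inverse, then the affine map) rather than
    pasting the 256-entry table, so a typo cannot silently break detection."""
    sbox = [0x63] * 256
    for a in range(1, 256):
        inv = next(b for b in range(1, 256) if _gf_mul(a, b) == 1)
        x, s = inv, inv
        for _ in range(4):
            x = ((x << 1) | (x >> 7)) & 0xFF
            s ^= x
        sbox[a] = s ^ 0x63
    return sbox


SBOX = _build_sbox()


def _expand_words(key: bytes) -> Iterator[bytes]:
    """Yield round-key words w[4..43] of the AES-128 key schedule (FIPS-197 5.2)."""
    w = [bytes(key[i:i + 4]) for i in range(0, 16, 4)]
    rcon = 1
    for i in range(4, 44):
        t = bytearray(w[i - 1])
        if i % 4 == 0:
            t = t[1:] + t[:1]                  # RotWord
            t = bytearray(SBOX[b] for b in t)  # SubWord
            t[0] ^= rcon
            rcon = _xtime(rcon)
        nxt = bytes(a ^ b for a, b in zip(w[i - 4], t))
        w.append(nxt)
        yield nxt


def aes128_expand_key(key: bytes) -> bytes:
    """Full 176-byte schedule: the key followed by the 40 derived words."""
    return bytes(key) + b"".join(_expand_words(key))


def find_aes128_keys(buf: bytes, step: int = 1) -> List[Tuple[int, bytes]]:
    """(offset, key) for every window whose next 160 bytes are the schedule of
    its first 16. A candidate is dropped at the first mismatching word, so a
    random offset costs about one word of expansion."""
    hits = []
    for off in range(0, len(buf) - SCHEDULE_LEN + 1, step):
        cand = bytes(buf[off:off + 16])
        pos = off + 16
        for word in _expand_words(cand):
            if buf[pos:pos + 4] != word:
                break
            pos += 4
        else:
            hits.append((off, cand))
    return hits


def _noise(n: int, seed: int) -> bytes:
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


# Constructed "dump": random filler with one schedule planted at offset 300.
# The key is the FIPS-197 Appendix A.1 example key, not a real ransomware key.
FIPS_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")
SAMPLE = _noise(300, 1) + aes128_expand_key(FIPS_KEY) + _noise(200, 2)

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for off, key in find_aes128_keys(data):
        print(f"AES-128 key schedule at 0x{off:x}: {key.hex()}")
```

Run it against output/pid.4567.dmp; a hit gives the key and its offset, which you can then try with openssl or a small script against one encrypted file to confirm it is the file key before building any recovery on it.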
Automate Analysis with Python and YARA
Volatility 3 is modular and you can write your own plugins, but the practical route for non-developers is YARA. Install yara-python, download a rule set such as signature-base and scan the image with it. A large rule set over a whole image is slow, so scope the scan to a process where you can:
python3 vol.py -f incident.raw windows.yarascan --yara-file malware.yar
python3 vol.py -f incident.raw windows.vadyarascan --pid 1234 --yara-file malware.yar
In Volatility 3 a rule file goes in --yara-file; --yara-rules expects the rule text itself as a string. vadyarascan restricts the scan to one process's memory regions and is the one to reach for after malfind has pointed you at a PID.
Here at Meteora Web we automated the entire workflow into a script that runs key plugins and produces an HTML report. We use it to speed up incident response for clients without an internal SOC.
What to Do Now — Operational Checklist for Your Business
1. Prepare a forensic acquisition kit: a USB stick with DumpIt, a LiME module for the kernels you run, portable Volatility with the symbol tables you need, and startup scripts. Keep it handy.
2. Define an incident response procedure — who decides to do the dump? When? Don't wait until the system is powered off.
3. Practice on a lab: create a Windows/Linux VM, run a known tool or sample (e.g., Mimikatz, a Meterpreter payload), dump RAM, and analyze it with Volatility. Only practice makes you fast.
4. Integrate Volatility into your workflow — for every severe alert, consider RAM acquisition as the first step.
5. Document everything: chain of custody, the SHA-256 of the dump computed as soon as it is written, every command executed. For potential legal action.
For a deeper dive into the whole incident response process, read our pillar guide on Incident Response and Digital Forensics.