This page contains a roadmap to learn Memory Forensics.
Reading
Below are some links for learning more about Memory Forensics.
- https://wiki.bi0s.in/forensics/memory-forensics/
- https://www.lifewire.com/what-is-random-access-memory-ram-2618159
Recommended Books
Memory forensics requires a lot of additional reading and implementation for retrieving forensic artefacts, so it is recommended that the user read the books mentioned above.
Memory Acquisition
There are a lot of tools to acquire memory. Following are some of the popular ones.
Windows
The following tools can be used to acquire a memory dump from a Windows system.
- Belkasoft RAM Capture
- Magnet RAM Capture
- WinPmem
- FTK Imager (not recommended for memory acquisition)
- FEX Memory Imager
Linux
The following tools can be used to acquire a memory dump from a Linux system.
MacOS
The following tools can be used to acquire a memory dump from a Mac OS system.
Memory Analysis
There are a lot of tools for analysis (both commercial and open-source). One of the most widely used tools for analysis is Volatility.
If you want to visualize a memory image as a virtual file system, you can use MemProcFS.
Get Volatility from:
- Volatility 2 (which runs using python2) - https://github.com/volatilityfoundation/volatility
- Volatility 3 (which runs using python3) - https://github.com/volatilityfoundation/volatility3
Creating a Linux Volatility profile
Volatility 2: you can use this reference for creating a new profile.
Volatility 3: moved from using plugins to symbol tables. For Linux these need to be generated; Volatility 3 can process an Intermediate Symbol Format (ISF) file.
Volatility Command Reference
Use the following Command Reference to get to know the different Volatility plugins and their usage:
Here is another walk-through from hackingarticles.in
Video guides
Below are some video guides on how to use Volatility and on some important artefacts that can be extracted from memory:
- Introduction to Memory Forensics from 13Cubed
- What is Random Access Memory? from DFIR.Science
- Forensics: What data can you find in RAM? from DFIR.Science
- Windows Memory Analysis from 13Cubed
- Volatility Profiles and Windows 10 from 13Cubed
- Dumping Processes with Volatility 3 from 13Cubed
- First Look at Volatility 3 Public Beta from 13Cubed
- Volatility 3 and WSL 2 - Linux DFIR Tools in Windows? from 13Cubed
- MemProcFS - This Changes Everything from 13Cubed
- Introduction to Memory Forensics with Volatility 3 from DFIR.Science
- Forensic Memory Acquisition in Linux - LiME from DFIR.Science
Practice challenges
CTFs are one of the best ways to get your hands dirty in memory forensics.
Note: If you need a walk through on how to analyze a memory dump file, you can check this out.
Below is a (non-exhaustive) list of challenges available online for practice:
- Memlabs by Abhiram Kumar - Educational CTF-styled labs for learning memory forensics hands-on.
To give you a better understanding of Volatility and memory forensics, I would suggest you follow the order below when solving the labs from Memlabs.
S. No | Challenge Name | Lab link |
---|---|---|
1 | The Evil’s Den | Lab 3 |
2 | Beginner’s Luck | Lab 1 |
3 | A New World | Lab 2 |
4 | Obsession | Lab 4 |
5 | Black Tuesday | Lab 5 |
6 | The Reckoning | Lab 6 |
- Magnet Virtual Summit 2020 - Windows Memory
Here is an awesome list created by digitalisx: https://github.com/digitalisx/awesome-memory-forensics