This page contains a roadmap to learn Memory Forensics.
Below are some links for learning more about Memory Forensics.
Memory Forensics requires a lot of additional reading and implementation for retrieving forensic artefacts, so it is recommended that the user read the books mentioned above.
There are a lot of tools to acquire memory. Following are some of the popular ones.
The following tools can be used to acquire a memory dump from a Windows system.
- Belkasoft RAM Capture
- Magnet RAM Capture
- FTK Imager (not recommended for memory acquisition)
- FEX Memory Imager
The following tools can be used to acquire a memory dump from a Linux system.
The following tools can be used to acquire a memory dump from a Mac OS system.
There are a lot of tools for analysis (both commercial and open-source). One of the most used tools for analysis is Volatility.
If you want to visualize a memory image as a virtual file system, then you can use MemProcFS.
Get Volatility from:
- Volatility 2 (which runs using python2) - https://github.com/volatilityfoundation/volatility
- Volatility 3 (which runs using python3) - https://github.com/volatilityfoundation/volatility3
Creating a Linux Volatility profile
Volatility 2: you can use this reference for creating a new profile.
Volatility 3: made a move from using plugins to symbol tables. For Linux, these need to be generated. Intermediate Symbol Format files can be processed by Volatility 3.
Volatility Command Reference
Use the following Command Reference to get to know the different Volatility plugins and their usage:
Here is another walk-through from hackingarticles.in
Below are some video guides on how to use Volatility and some important artefacts that can be extracted from memory:
- Introduction to Memory Forensics from 13Cubed
- What is Random Access Memory? from DFIR.Science
- Forensics: What data can you find in RAM? from DFIR.Science
- Windows Memory Analysis from 13Cubed
- Volatility Profiles and Windows 10 from 13Cubed
- Dumping Processes with Volatility 3 from 13Cubed
- First Look at Volatility 3 Public Beta from 13Cubed
- Volatility 3 and WSL 2 - Linux DFIR Tools in Windows? from 13Cubed
- MemProcFS - This Changes Everything from 13Cubed
- Introduction to Memory Forensics with Volatility 3 from DFIR.Science
- Forensic Memory Acquisition in Linux - LiME from DFIR.Science
CTFs are one of the best ways to get your hands dirty in memory forensics.
Note: If you need a walk-through on how to analyze a memory dump file, you can check this out.
Below is a non-exhaustive list of challenges available online for practice:
Memlabs by Abhiram Kumar - Educational CTF-styled labs for learning memory forensics hands-on.
To give you a better understanding of Volatility and Memory Forensics, I would suggest you solve the labs from Memlabs in the order below.
| S. No | Challenge Name | Lab link |
|-------|----------------|----------|
| 1 | The Evil’s Den | Lab 3 |
| 2 | Beginner’s Luck | Lab 1 |
| 3 | A New World | Lab 2 |
| 5 | Black Tuesday | Lab 5 |
| 6 | The Reckoning | Lab 6 |
- Magnet Virtual Summit 2020 - Windows Memory
Here is an awesome list created by digitalisx: https://github.com/digitalisx/awesome-memory-forensics