CyberCode Academy
Course 36 - Windows Forensics and Tools | Episode 4: From Acquisition to Volatility Analysis

In this lesson, you’ll learn about memory forensics and RAM analysis.

1. Why Memory Forensics Matters

  • RAM (volatile memory) is one of the most valuable forensic sources
  • It contains data that disappears after shutdown

🔹 What RAM can reveal

  • Running processes
  • Active network connections
  • Command history
  • Encryption keys
  • Malware behavior in real time

👉 Key Idea:

  • If disk is “history,” RAM is live truth

2. Memory Acquisition (Capturing RAM)

🔹 What is memory acquisition?

  • Creating a snapshot of physical RAM for analysis

🔹 Common Tools

  • DumpIt
    • Simple one-click RAM dump tool
    • Used widely in field forensics
  • NotMyFault
    • Forces system crash
    • Generates full kernel memory dump

👉 Key Tradeoff:

  • DumpIt → fast and simple
  • Crash dump → deeper but disruptive

3. Types of Memory Evidence

🔹 What investigators look for

  • Process objects
  • Suspicious threads
  • Injected code
  • Hidden malware artifacts

🔹 Why it’s important

  • Malware often exists only in memory
  • Disk analysis alone may miss it

4. Memory Forensic Techniques

🔹 String Searching

  • Look for:
    • Passwords
    • URLs
    • Commands
    • API keys

🔹 Process Inspection

  • Identify:
    • Legitimate processes
    • Suspicious or orphaned processes

🔹 Thread Analysis

  • Detect:
    • Code injection
    • Hidden execution paths

5. Deep Analysis with Volatility

🔹 What is Volatility?

  • A powerful memory forensics framework for analyzing RAM dumps

🔹 Key Capability

  • Extracts structured evidence from raw memory images

6. Core Volatility Commands

🔹 pslist

  • Shows active processes
  • Based on system process list

🔹 psscan

  • Finds hidden or terminated processes
  • Scans memory directly

🔹 psxview

  • Cross-checks multiple process sources
  • Detects rootkits and hidden malware

👉 Key Insight:

  • If a process appears in psscan but not pslist, it may be hidden
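As an added example (not part of the episode), a small Python script that reproduces the cross-check idea above: it parses constructed, simplified pslist/psscan-style output, builds a psxview-style presence matrix, and reports processes that psscan found but pslist did not. The column layout, offsets and process names are constructed for illustration and are not real Volatility output.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    name: str
    offset: str

# Constructed, simplified plugin output (not real tool output): Offset / Name / PID / PPID.
PSLIST_OUTPUT = """\
Offset(V)          Name          PID  PPID
------------------ ------------- ---- ----
0xfffffa8001a5b040 System           4    0
0xfffffa8002b3c9e0 smss.exe       268    4
0xfffffa8003a1f060 explorer.exe  1516 1480
0xfffffa8003c2e7a0 notepad.exe   2204 1516
"""

PSSCAN_OUTPUT = """\
Offset(P)          Name          PID  PPID
------------------ ------------- ---- ----
0x000000003e5b040  System           4    0
0x000000003f3c9e0  smss.exe       268    4
0x000000003a1f060  explorer.exe  1516 1480
0x000000003c2e7a0  notepad.exe   2204 1516
0x000000003d9a1b0  svch0st.exe   3120 1516
"""

ROW = re.compile(r"^(0x[0-9a-f]+)\s+(\S+)\s+(\d+)\s+(\d+)", re.I)

def parse_proc_table(text: str) -> dict[int, Proc]:
    """Turn plugin-style text output into a PID -> Proc map."""
    procs = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:  # header and separator lines do not match
            offset, name, pid, ppid = m.groups()
            procs[int(pid)] = Proc(int(pid), int(ppid), name, offset)
    return procs

def cross_check(sources: dict[str, dict[int, Proc]]) -> dict[int, dict[str, bool]]:
    """psxview-style matrix: for every PID seen anywhere, which sources list it."""
    all_pids = set().union(*(s.keys() for s in sources.values()))
    return {pid: {src: pid in procs for src, procs in sources.items()}
            for pid in sorted(all_pids)}

def find_unlisted(pslist: dict[int, Proc], psscan: dict[int, Proc]) -> list[Proc]:
    """psscan hits absent from pslist: hidden (unlinked) or terminated; verify by hand."""
    return [p for pid, p in sorted(psscan.items()) if pid not in pslist]
```

A process that is in psscan only is a lead, not a verdict: psscan also recovers terminated processes, so confirm with the parent, start time and thread data before calling it hidden.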

7. OS Profiling

  • First step in analysis is identifying:
    • Operating system version
    • Memory structure layout

👉 Why it matters:

  • Correct profile = accurate results in Volatility

8. Malware Detection in Memory

🔹 What investigators look for

  • Injected DLLs
  • Suspicious network activity
  • Hidden execution threads

🔹 Key Concept

  • Malware often hides better in RAM than on disk

9. Reporting Findings

🔹 Output process

  • Extract evidence
  • Convert results into structured reports
  • Document every forensic step

👉 Goal:

  • Make results repeatable and legally defensible

Key Takeaways

  • RAM is the most dynamic and valuable forensic source
  • Memory acquisition must be done carefully to preserve evidence
  • Tools like DumpIt and crash dumps capture volatile data
  • Volatility enables deep inspection of memory structures
  • Cross-checking process lists helps detect hidden malware

Big Picture

Memory forensics helps you:

👉 Move from live system behavior → hidden system truth

Mental Model

  • Capture RAM → Identify OS → Analyze processes → Detect anomalies → Report findings



You can listen and download our episodes for free on more than 10 different platforms:
https://linktr.ee/cybercode_academy

The podcast and the accompanying cover image on this page belong to CyberCode Academy. The content of the podcast is created by CyberCode Academy and not by, or together with, Poddtoppen.