/r/memoryforensics

Photograph via snooOG

Memory Forensics is an ever growing field. With the emergence of malware that can avoid writing to disk, the need for memory forensics tools and education is growing.

Vote based on the quality of the content. Submissions linking to PDF files should denote "[PDF]" in the title. Irrelvant submissions will be pruned in an effort towards tidiness.

/r/memoryforensics

4,392 Subscribers

1

Sysinternals ProcDump for Mac

Microsoft Sysinternals just announced the release of ProcDump for Mac.

https://techcommunity.microsoft.com/blog/sysinternals-blog/procdump-1-0-for-mac/4295719

0 Comments
2024/11/14
03:37 UTC

1

13Cubed XINTRA Lab Walkthrough (X-Post)

The latest 13Cubed episode is out! Join us for a complete walkthrough of KG Distribution, the 13Cubed challenge created for XINTRA Labs. Learn more at xintra.org/labs.

Episode:
https://www.youtube.com/watch?v=A7Bh7vnAooQ

More at youtube.com/13cubed.

0 Comments
2024/10/28
11:31 UTC

1

DumpIt.exe wont work on UNC? and RamCapture64.exe has no command line?

Hi,

i want to automatic creation of memory dump. DumpIt.exe can make it easy, but looks like have Bug if i want to put the file on UNC.

dumpit.exe /COMPRESS /QUIET /NOLYTICS /OUTPUT \\server\share\file.zdmp
after that the dump is creating, after finish a error message "Error: Wrong parameter" and after that the dmp will be deleted automaticly.

i tried the same with RamCapture64.exe but, i cant find a option to make it over cmd/powershell, looks like GUI only tool. Any hints how i can script this?

2 Comments
2024/10/07
13:43 UTC

2

Linux Memory Forensics Challenge from 13Cubed (X-Post)

A new 13Cubed episode is up! Take on a Linux memory forensics challenge, sharpen your skills, and win an exclusive 13Cubed challenge coin! 👑 Only the first 3 correct submissions will win—don’t miss your chance! #DFIR https://www.youtube.com/watch?v=IHd85h6T57E

0 Comments
2024/09/30
12:30 UTC

2

VMDK "Cheat"?

Need a more experienced analyst's POV.

In any version of volatility, in order to analyze a VMDK, one must have the corresponding VMSS/VMSN file.

What does one do when the corresponding files go missing and the original VM is no longer accessible? Can you simply take a copy of the VMDK and, assuming you use the correct OS and VM specs, make a new VM and replace that VMDK with the one you need the corresponding files for? Has anyone tried this and been able to successfully "cheat" this process?

Edit: I realize that mounting the VMDK is possible and we can continue in that manner. This is just a geewhiz question about cheating it in order to gain a live analysis.

Edit2: I hate using ChatGPT, sorry for the betrayal. It confirmed that by calling it a dummy VM setup where one simply deletes the dummy VMDK file and replaces it with the analyst VMDK file. It even mentioned my concern with ensuring the same VM specs are used (OS, RAM, HDD size) and cautioned to enable write-protection prior to turning it on.

0 Comments
2024/09/22
02:11 UTC

0

Please help me

So I’m very new to python(any kind of coding for that matter) and I recently found some malware that piggybacked onto permissions given to a legitimate google extension and downloaded itself from the browser( it was a browser locking app for online exams) and I actually factory reset my computer because I couldn’t find the main problem files but I want to make sure there aren’t any rootkits in my computer, but I have no idea how to get volatility to work on my computer. I have python and the volatility files installed, but I can’t get the code to work. Can somebody walk me through it with a step by step(the one on GitHub was not helpful enough 🙃) ?

3 Comments
2024/09/07
05:07 UTC

4

Is Volatility able to parse SCADA or PLC memory dumps?

I was looking into this challenge, The Troubled Elevator by DFRWS https://github.com/dfrws/dfrws2023-challenge, and some of the artifacts they provide are the PLC memory dumps for the elevator. Looking at the Volatility documentation and Google didn’t produce any results on tools that are able to read PLC memory.

Is it possible for Volatility or are there any others free tools that can do this?

0 Comments
2024/06/30
06:21 UTC

2

Unlocking Volatility in Autopsy

If you are in love with Autopsy, this is for you!

A lot of people do not know that you can actually use Volatility2 inside Autopsy, but you need to activate the plugin manually, so if you want to know how, check out this new post!

0 Comments
2024/06/20
00:20 UTC

8

Memory Dumps for Practice

We have a dedicated category for samples, meaning memory forensic labs/challenges, made by us or other platforms, that allow you to download the memory dump and practice it on your own PC 😁

📌Check them out here!

0 Comments
2024/06/19
20:43 UTC

3

Analyzing Memory Dumps for FREE

We are excited to introduce a new feature on Memory Forensic exclusively for our corporate users 🎉!

For a limited time, you can send us your suspicious memory dumps, and we will analyze them for FREE 😊.📌 You can send them here: memoryforensic.com/analyzeme, but please read the agreement first :)

We will address them as soon as possible and make a short report highlighting the most important findings. Take advantage of this offer and enhance your cybersecurity efforts today!

0 Comments
2024/06/15
15:18 UTC

3

Memory Forensic Cheat-sheets!

Explore our top picks for the best and most comprehensive memory forensic cheat-sheets!

📌 Check them out here!

We will keep updating and revising them regularly.

0 Comments
2024/06/14
17:03 UTC

6

Memory Forensic Courses/Certifications Reviews

We regularly take various commercial memory forensic courses/certifications and write reviews on them, so you can know what to expect beforehand.

Till now, we have two reviews, one for a Black Hat course titled "𝐀 𝐂𝐨𝐦𝐩𝐥𝐞𝐭𝐞 𝐏𝐫𝐚𝐜𝐭𝐢𝐜𝐚𝐥 𝐀𝐩𝐩𝐫𝐨𝐚𝐜𝐡 𝐭𝐨 𝐌𝐚𝐥𝐰𝐚𝐫𝐞 𝐀𝐧𝐚𝐥𝐲𝐬𝐢𝐬 & 𝐌𝐞𝐦𝐨𝐫𝐲 𝐅𝐨𝐫𝐞𝐧𝐬𝐢𝐜𝐬 𝐜𝐨𝐮𝐫𝐬𝐞" and another one titled "𝐌𝐞𝐦𝐨𝐫𝐲 𝐅𝐨𝐫𝐞𝐧𝐬𝐢𝐜𝐬 𝐌𝐚𝐬𝐭𝐞𝐫𝐜𝐥𝐚𝐬𝐬 𝐟𝐨𝐫 𝐈𝐧𝐜𝐢𝐝𝐞𝐧𝐭 𝐑𝐞𝐬𝐩𝐨𝐧𝐝𝐞𝐫𝐬" certification.

We will keep adding reviews over time, so check them out!

📌Courses Reviews

0 Comments
2024/06/11
08:59 UTC

6

Unlocking Memory Forensics: Your Ultimate Destination for Memory Forensics Insights

I have created a website focusing on memory forensics!

Memory Forensic website offers free bite-sized, easy-to-digest tutorials, memory forensic challenges, memory dumps, CTFs, videos , write-ups, news, book recommendations , courses' reviews, and much more.

I also curate and reference useful and valuable memory forensic challenges and articles from various sources.

You can access the website here: Memory Forensic Website

I am eager to hear your feedback about it!

0 Comments
2024/06/05
13:43 UTC

0

Memory Analysis Help for class.

Hi, I'm doing a degree in cyber security and our instructor gave us a memory dump to analyze and i'll be honest i dont have a clue on how to do it. i know some voltality flags but thats it. like i dont know a proper direction or anything to take the analysis in.
Here is the memory dump i was given:
https://drive.google.com/file/d/1EcotQoiIlBvEA_Z55OCy8TsMIe5PLPZ4/view?usp=sharing
Any help on how to analyze it properly would be appreciated and even tho i only need to do this with voltality any other tools that will fast track the process will also be helpfull as i got this due soon and i havent even started.

5 Comments
2024/05/08
11:24 UTC

4

BSOD while attempting memory dump

I'm new to forensic stuff, infact this is my very first attempt wirh such a tool. Whenever i attempt memory dump, it crashes the computer. Im trying to use dumpit.exe by moonsols

2 Comments
2024/04/26
07:15 UTC

1

9gb memdump run time

I have been running image.info on a memdump for over 30 minutes and hasn't moved since

0 Comments
2024/04/05
01:58 UTC

3

volatility - driver plugins

Hi, I've been dabbling with volatility 3 recently and learning along the way. I stumbled across 2 plugins that interested me, drivermodule and driverirp. I was able to extract information from the image using these plugins but I'm not sure what to do with the data. looking online most people only cover the basics of volatility and basic memory forensics techniques but none had a tutorial for driver plugins. the good thing is volatility extracts memory addresses of each driver listed in memory, it also briefly gives an idea on how each driver behaves such as irps and so on. my question is where do i find better resources that explain in detail how to work with that type of data (for example how would I go about removing hidden drivers). I also checked volatility 3 documentation but again they only briefly explain how the program works and how to set it up properly.

1 Comment
2024/03/27
07:30 UTC

2

Identify file fragments

I am working on a file carving tool from memory dump of RAM. I am able to successfully carve files which have definite header and footer and those which are contiguous.

But how can I carve files which are non-contiguous? Essentially how can I locate the next fragment(s)?

2 Comments
2024/03/20
16:27 UTC

3

Volatility dumpfiles - Renaming Output

0 Comments
2024/02/26
03:04 UTC

2

You Are Computer

0 Comments
2023/08/25
09:34 UTC

4

Profiles in Volatility 3

I have noticed that profiles do not exist in volatility 3 but I am trying to figure out why and how and planning to write a blog on it to help people. Is it because of automatic? It is surprising that I haven't been able to find this information anywhere

Any help would be amazing!

2 Comments
2023/04/30
04:16 UTC

1

Error when trying to run Volatility 3

Hi all,

Im taking a course, where I need perform memory analysis using Volatility 3.
When trying to install Volatility 3 on my Kali machine (as the course use Kali machine), using this guide https://seanthegeek.net/1172/how-to-install-volatility-2-and-volatility-3-on-debian-ubuntu-or-kali-linux/

I get the following error, when I try to run Volatility3:

Volatility 3 Framework 2.4.1

Traceback (most recent call last):

File "/home/jakob/.local/bin/vol", line 8, in <module>

sys.exit(main())

File "/home/jakob/.local/lib/python3.10/site-packages/volatility3/cli/__init__.py", line 797, in main

CommandLine().run()

File "/home/jakob/.local/lib/python3.10/site-packages/volatility3/cli/__init__.py", line 293, in run

failures = framework.import_files(

File "/home/jakob/.local/lib/python3.10/site-packages/volatility3/framework/__init__.py", line 152, in import_files

failures += import_file(

File "/home/jakob/.local/lib/python3.10/site-packages/volatility3/framework/__init__.py", line 184, in import_file

importlib.import_module(module)

File "/usr/lib/python3.10/importlib/__init__.py", line 126, in import_module

return _bootstrap._gcd_import(name[level:], package, level)

File "<frozen importlib._bootstrap>", line 1050, in _gcd_import

File "<frozen importlib._bootstrap>", line 1027, in _find_and_load

File "<frozen importlib._bootstrap>", line 1006, in _find_and_load_unlocked

File "<frozen importlib._bootstrap>", line 688, in _load_unlocked

File "<frozen importlib._bootstrap_external>", line 883, in exec_module

File "<frozen importlib._bootstrap>", line 241, in _call_with_frames_removed

File "/home/jakob/.local/lib/python3.10/site-packages/volatility3/framework/plugins/windows/hashdump.py", line 10, in <module>

from Crypto.Cipher import AES, ARC4, DES

File "/usr/local/lib/python3.10/dist-packages/Crypto/Cipher/ARC4.py", line 119, in <module>

key_size = xrange(1,256+1)

NameError: name 'xrange' is not defined. Did you mean: 'range'?

Can anyone tell me whats wrong?

1 Comment
2023/01/07
19:33 UTC

1

Volatility 2.6 Repo or Standalone question

Hi,

Does the volatility 2.6 repo have more features than the standalone install? I've started using volatility 2.6 for a college project and standalone works fine for my current requirements, but I want to avoid any gotchas further down the line.

In a nutshell, I'm asking; At this point in time what is the difference between the standalone and repo versions?

Thanks,

3 Comments
2022/12/22
10:02 UTC

3

Volatility2 Local Variable

Hey All,

I've just began learning about memory forensics and am trying to see if it's possible to use Volatility2 to find local variables.

For background I've got a script that creates a symmetric encryption key which is used encrypt a text file. I created a memory dump. Using Windbg I was able to find the encryption key from the memory dump.

I"m wondering if there is a similar way of extracting this information with Volatility?

2 Comments
2022/11/01
22:59 UTC

3

BSOD everytime when trying to take a memory dump

Does this happen to anyone else? How to fix it?

26 Comments
2022/10/30
09:39 UTC

3

Memory acquisition for MacOS

I know for macOS 10, osxpmem can be used to capture the memory. Have anyone got any success with macOS 12 with it?

1 Comment
2022/08/23
04:09 UTC

12

MemProcFS - This Changes Everything (X-Post)

Good morning,

It’s time for a new 13Cubed episode! This one covers a tool that I truly believe is revolutionary. Imagine being able to "mount" memory as if it were a disk image. With a single command, MemProcFS will create a virtual file system representing the processes, file handles, registry, $MFT, and more. The tool can be executed against a memory dump, or run against memory on a live system. This is a game changer for memory forensics!

Episode:

https://www.youtube.com/watch?v=hjWVUrf7Obk

Episode Guide:

https://www.13cubed.com/episodes/

13Cubed YouTube Channel:

https://www.youtube.com/13cubed

13Cubed Patreon (Help support the channel and get early access to content and other perks!):

https://www.patreon.com/13cubed

0 Comments
2022/08/01
11:57 UTC

1

hardware memory dump

Hello, is there any way to make a memory dump by hardware ? I know there is inception but I'd like to know if there is other way. Inception would be good but it works only with specific hardware profile like thunderbolt,firewire and so on.

2 Comments
2022/06/23
06:17 UTC

1

How to create a symbol table for linux dump?

So I have a linux dump, which I'm hoping to analyze using Volatility3.
However, it appears I need to import or create a symbols table for the particular kernel of that distribution. My question is how do I identify which kernel this kernel and how would I go about getting hold of it, so that I can use dwarf2json and import the symbols into Volatility3?

When running banners.Banners the output I get is:

$ ./vol.py -f ~/Downloads/memdump4.dmp banners.Banners

Volatility 3 Framework 2.2.0

Progress: 100.00 PDB scanning finished

Offset Banner

0xbc000e0 Linux version 4.9.0-6-amd64 (debian-kernel@lists.debian.org) (gcc version 6.3.0 20170516 (Debian 6.3.0-18+deb9u1) ) #1 SMP Debian 4.9.82-1+deb9u3 (2018-03-02)

0xc2b81ac Linux version 4.9.0-6-amd64 (debian-kernel@lists.debian.org) (gcc version 6.3.0 20170516 (Debian 6.3.0-18+deb9u1) ) #1 SMP Debian 4.9.82-1+deb9u3 (2018-03-02)

0xf88d8f8 Linux version 4.9.0-6-amd64 (debian-kernel@lists.debian.org) (gcc version 6.3.0 20170516 (Debian 6.3.0-18+deb9u1) ) #1 SMP Debian 4.9.82-1+deb9u3 (2018-03-02)

1 Comment
2022/05/27
13:39 UTC

Back To Top