EpochZero Learn
EpochZero LearnMulti-Domain Tech Learning Hub
Courses
LeaderboardAbout
Dashboard
EpochZero
EpochZero Learn
Multi-Domain Tech Learning Hub

Structured learning for Reverse Engineering, Cloud Security, Cryptography, and Web Development. Articles, videos, tests, and peer discussion.

Learn

  • Learning Path
  • All Articles
  • Video Lessons
  • Podcast
  • eBooks & PDFs
  • Question Banks
  • Cheatsheets
  • MCQ Banks

Tests & Forum

  • All Tests
  • REMA Tests
  • Cloud Tests
  • Forum
  • REMA Forum
  • Cloud Forum
  • Crypto Forum
  • Web Dev Forum

Campus

  • REMA Club
  • Full Stack Dev Club
  • Extension Activity
  • Events
  • CTF Competitions
  • Workshops
  • Industrial Visits

Platform

  • Dashboard
  • Leaderboard
  • About
  • Verify Certificate

© 2026 EpochZero Learn. Educational content for learning purposes.

Course Instructor: Ashish Revar

All articles
Educationvolatilitymemory-forensicsmalfind

Memory Forensics with Volatility

RAM acquisition, Volatility 3 essential plugins — pslist, psscan, malfind, dlllist, netscan, cmdline — and a structured workflow for detecting injected code, hidden processes, and network connections in a memory dump.

Ashish Revar12 May 202618 min read3 views

Sign in to mark this article as read and track your progress.

Related to this topic

Continue learning

Listen

Spotting Forensic Gold in Malware Strings

Discover how malware analysts extract hidden intelligence from embedded strings — URLs, registry paths, API call sequences, and C2 artefacts that reveal attacker behaviour and seed your IOC list.

Reference material

eBook
REMA eBook 2026
v1.0
Open resource
Cheatsheet
REMA Cheatsheet 2026
v1.0
Open resource
MCQ Bank
REMA MCQ Bank 2026
v1.0
Open resource
Question Bank
REMA Question Bank 2026
v1.0
Open resource

External references

Volatility 3 — Official Documentation

Official Volatility 3 documentation with plugin reference, installation guide, and usage examples.

tool
WinPmem — Memory Acquisition Tool

Free memory acquisition tool for Windows. Single executable, no driver installation required.

tool
MemLabs — Volatility CTF Challenges

Six beginner-to-intermediate memory forensics CTF challenges. Practice Volatility workflows on real memory dumps.

tool
More articlesTest your knowledge

Why Memory Forensics?

When malware runs entirely in memory — fileless malware, injected payloads, unpacked code — the only artefact is the contents of RAM. Memory forensics captures and analyses a RAM dump to recover evidence that is invisible to disk-based tools.

If disk forensics is like examining a crime scene after the criminals have left, memory forensics is like freezing time mid-heist — you catch the burglars with their hands still in the safe, tools scattered on the floor, and the getaway car running outside.

Acquiring a Memory Dump

From a Virtual Machine (analysis environment)

HypervisorMethodOutput
VMware WorkstationSuspend VM.vmem file in VM directory
VirtualBoxTake snapshot.sav file
BothConvert to rawUse vmss2core or direct analysis

From a Live System

# WinPmem (recommended — free, no driver installation required)
winpmem_mini_x64.exe memory.dmp

# DumpIt (single executable)
DumpIt.exe /O memory.dmp

Note: The act of acquiring memory modifies memory. Your acquisition tool loads into RAM, overwrites some data, and creates artefacts. This is unavoidable — document your tools and methodology.

Volatility 3 Basics

Volatility 3 automatically detects the OS profile from the memory dump. No profile specification needed (unlike Volatility 2).

# Basic syntax
vol -f memory.dmp [plugin_name]

# List available plugins
vol --info | grep windows

# Get system information
vol -f memory.dmp windows.info

Essential Plugins

pslist — Process List

Walks the PsActiveProcessHead doubly-linked list to enumerate processes:

vol -f memory.dmp windows.pslist
PID   PPID  ImageFileName    CreateTime
4     0     System
388   4     smss.exe
540   532   csrss.exe
3412  1024  svchost.exe      ← check parent PID
4201  3412  cmd.exe          ← cmd spawned by svchost — suspicious

Limitation: DKOM (Direct Kernel Object Manipulation) rootkits unlink their EPROCESS structure from this list. pslist misses them.

psscan — Process Scanner

Scans physical memory for EPROCESS pool tags regardless of list linkage. Detects DKOM-hidden processes:

vol -f memory.dmp windows.psscan

If psscan shows a PID that pslist does not, that process is hidden by DKOM.

malfind — Injected Code Detector

Scans for memory regions that are:

  1. Executable (has Execute permission)
  2. Privately allocated (not mapped from a file on disk)
  3. Contain suspicious content (MZ header or code-like bytes)
vol -f memory.dmp windows.malfind

Example output:

PID   Process       Address      Protection         Hexdump
3412  svchost.exe   0x00340000   PAGE_EXECUTE_READWRITE
                                 4d 5a 90 00...    ← MZ header

An RWX private region containing an MZ header in svchost.exe is almost certainly a reflectively injected DLL.

Extract the injected PE:

vol -f memory.dmp windows.malfind --dump --pid 3412

dlllist — DLL List per Process

vol -f memory.dmp windows.dlllist --pid 3412

Lists all DLLs loaded into a process. A DLL present here but absent from disk — or loaded from an unusual path — indicates injection or side-loading.

netscan — Network Connections

vol -f memory.dmp windows.netscan
Proto  LocalAddr       LocalPort  ForeignAddr     ForeignPort  State    PID
TCP    192.168.1.100   49201      185.220.x.x     443          ESTABLISHED  3412

Recovers both active and recently closed connections. Useful when C2 communication has stopped but the connection record is still in memory.

cmdline — Process Command Lines

vol -f memory.dmp windows.cmdline
PID   Process     Cmdline
4201  cmd.exe     cmd.exe /c powershell -enc SQBFAFgA...

Shows the exact command line each process was launched with — critical for identifying LOLBin abuse and encoded PowerShell payloads.

Additional Useful Plugins

PluginPurpose
windows.handlesList open handles (files, registry, mutexes) per process
windows.procdumpDump process executable from memory to disk
windows.vaddumpDump all memory regions of a process
windows.filescanFind file objects in memory (cached files)
windows.registry.printkeyRead registry keys from memory
windows.svcscanList Windows services including hidden ones

Structured Analysis Workflow

1. vol windows.info          → confirm OS version and profile
2. vol windows.pslist        → baseline process list
3. vol windows.psscan        → compare with pslist → hidden PIDs?
4. vol windows.cmdline       → check command lines for suspicious args
5. vol windows.netscan       → map network connections to PIDs
6. vol windows.malfind       → detect injected code → dump suspects
7. vol windows.dlllist --pid X  → check DLLs in suspicious processes
8. vol windows.handles --pid X  → check for unusual mutex/file handles
9. Dump suspicious regions:
   windows.procdump --pid X
   windows.vaddump --pid X --dump-dir ./output/
10. Submit dumps to VirusTotal or analyse in IDA/Ghidra

malfind Criteria Explained

malfind flags a region as suspicious when ALL of the following are true:

  • PAGE_EXECUTE or PAGE_EXECUTE_READWRITE or PAGE_EXECUTE_WRITECOPY protection
  • VAD type is private — region was created by VirtualAlloc, not mapped from a file
  • Content heuristic — starts with MZ header OR passes basic disassembly check

A legitimate DLL is mapped from disk (not private). Injected code is allocated (private). This distinction is the fundamental basis for malfind''s detection logic.

Refer to REMA eBook 2026, Figure 5.8 for the Volatility analysis workflow diagram.