RAM acquisition, Volatility 3 essential plugins — pslist, psscan, malfind, dlllist, netscan, cmdline — and a structured workflow for detecting injected code, hidden processes, and network connections in a memory dump.
Sign in to mark this article as read and track your progress.
When malware runs entirely in memory — fileless malware, injected payloads, unpacked code — the only artefact is the contents of RAM. Memory forensics captures and analyses a RAM dump to recover evidence that is invisible to disk-based tools.
If disk forensics is like examining a crime scene after the criminals have left, memory forensics is like freezing time mid-heist — you catch the burglars with their hands still in the safe, tools scattered on the floor, and the getaway car running outside.
| Hypervisor | Method | Output |
|---|---|---|
| VMware Workstation | Suspend VM | .vmem file in VM directory |
| VirtualBox | Take snapshot | .sav file |
| Both | Convert to raw | Use vmss2core or direct analysis |
# WinPmem (recommended — free, no driver installation required)
winpmem_mini_x64.exe memory.dmp
# DumpIt (single executable)
DumpIt.exe /O memory.dmp
Note: The act of acquiring memory modifies memory. Your acquisition tool loads into RAM, overwrites some data, and creates artefacts. This is unavoidable — document your tools and methodology.
Volatility 3 automatically detects the OS profile from the memory dump. No profile specification needed (unlike Volatility 2).
# Basic syntax
vol -f memory.dmp [plugin_name]
# List available plugins
vol --info | grep windows
# Get system information
vol -f memory.dmp windows.info
Walks the PsActiveProcessHead doubly-linked list to enumerate processes:
vol -f memory.dmp windows.pslist
PID PPID ImageFileName CreateTime
4 0 System
388 4 smss.exe
540 532 csrss.exe
3412 1024 svchost.exe ← check parent PID
4201 3412 cmd.exe ← cmd spawned by svchost — suspicious
Limitation: DKOM (Direct Kernel Object Manipulation) rootkits unlink their EPROCESS structure from this list. pslist misses them.
Scans physical memory for EPROCESS pool tags regardless of list linkage. Detects DKOM-hidden processes:
vol -f memory.dmp windows.psscan
If psscan shows a PID that pslist does not, that process is hidden by DKOM.
Scans for memory regions that are:
vol -f memory.dmp windows.malfind
Example output:
PID Process Address Protection Hexdump
3412 svchost.exe 0x00340000 PAGE_EXECUTE_READWRITE
4d 5a 90 00... ← MZ header
An RWX private region containing an MZ header in svchost.exe is almost certainly a reflectively injected DLL.
Extract the injected PE:
vol -f memory.dmp windows.malfind --dump --pid 3412
vol -f memory.dmp windows.dlllist --pid 3412
Lists all DLLs loaded into a process. A DLL present here but absent from disk — or loaded from an unusual path — indicates injection or side-loading.
vol -f memory.dmp windows.netscan
Proto LocalAddr LocalPort ForeignAddr ForeignPort State PID
TCP 192.168.1.100 49201 185.220.x.x 443 ESTABLISHED 3412
Recovers both active and recently closed connections. Useful when C2 communication has stopped but the connection record is still in memory.
vol -f memory.dmp windows.cmdline
PID Process Cmdline
4201 cmd.exe cmd.exe /c powershell -enc SQBFAFgA...
Shows the exact command line each process was launched with — critical for identifying LOLBin abuse and encoded PowerShell payloads.
| Plugin | Purpose |
|---|---|
windows.handles | List open handles (files, registry, mutexes) per process |
windows.procdump | Dump process executable from memory to disk |
windows.vaddump | Dump all memory regions of a process |
windows.filescan | Find file objects in memory (cached files) |
windows.registry.printkey | Read registry keys from memory |
windows.svcscan | List Windows services including hidden ones |
1. vol windows.info → confirm OS version and profile
2. vol windows.pslist → baseline process list
3. vol windows.psscan → compare with pslist → hidden PIDs?
4. vol windows.cmdline → check command lines for suspicious args
5. vol windows.netscan → map network connections to PIDs
6. vol windows.malfind → detect injected code → dump suspects
7. vol windows.dlllist --pid X → check DLLs in suspicious processes
8. vol windows.handles --pid X → check for unusual mutex/file handles
9. Dump suspicious regions:
windows.procdump --pid X
windows.vaddump --pid X --dump-dir ./output/
10. Submit dumps to VirusTotal or analyse in IDA/Ghidra
malfind flags a region as suspicious when ALL of the following are true:
VirtualAlloc, not mapped from a fileA legitimate DLL is mapped from disk (not private). Injected code is allocated (private). This distinction is the fundamental basis for malfind''s detection logic.
Refer to REMA eBook 2026, Figure 5.8 for the Volatility analysis workflow diagram.