---
title: Memory Forensics
category: product
entity_type: skill
price: $15
canonical: https://forgehouse.ai/skills/memory-forensics/
lang: en
hreflang_alt: https://forgehouse.ai/tr/skiller/memory-forensics/
last_updated: 2026-06-20
---

# Memory Forensics

> Master memory forensics techniques including memory acquisition, process analysis, and…

A working playbook for acquiring and analyzing memory dumps to investigate incidents and analyze malware. It covers RAM capture across Windows, Linux, macOS, and virtual machines, then the full Volatility 3 plugin workflow for process, network, injection, and credential analysis.

## Use cases
- Investigating a security incident from a RAM capture
- Detecting hidden processes and rootkits that evade normal tools
- Finding code injection and process-hollowing indicators in memory
- Reconstructing an attack timeline from memory artifacts
- Extracting strings, IOCs, and credentials from a dump
- Maintaining chain of custody for forensically sound analysis

## Benefits
- Move from raw dump to root cause with a structured, repeatable workflow
- Surface threats that disk-only analysis misses by reading volatile evidence
- Strengthen findings through cross-plugin validation instead of single-source guesses
- Preserve evidence integrity to judicial standards with documented handling

## What’s included
- Acquisition commands for Windows, Linux, macOS, and VM memory
- Essential Volatility 3 plugin reference for process, network, DLL, and registry analysis
- A complete malware-analysis and incident-response workflow
- Injection-detection patterns and rootkit-comparison techniques
- Memory-targeted YARA rule writing and scanning
- String extraction, IOC enrichment, and credential-dump methods

## Who it’s for
Incident responders, malware analysts, and digital forensics investigators working from RAM captures.

## How it runs
Evidence starts losing value the moment a RAM image is handled wrong. Chain of custody opens the investigation, process surveys run as cross-checked command chains, and the attack timeline gets rebuilt last.
1. Acquires with chain of custody from minute one: a lightweight tool fit for the platform (WinPmem, LiME, a VM's .vmem file), SHA-256 hash recorded immediately, time and tool version logged, and the dump never written to again.
2. Runs the Volatility 3 process survey as a chain, not a single command: pslist for the visible list, pstree for parent-child anomalies, then psscan cross-checked against pslist, because a diff between the two exposes DKOM-hidden processes.
3. Maps network activity with netscan and feeds every suspicious IP back into the evidence: the IP is grepped in strings output, the matching process gets its DLLs and handles enumerated, and one IOC grows into a full attack chain.
4. Hunts injection from the assume-breach posture: malfind for executable-writable memory regions, ldrmodules for unlinked DLLs, the suspicious process memory dumped and run through strings, FLOSS and targeted YARA rules.
5. Checks persistence and credentials: prints the registry Run keys, scans services and scheduled tasks, and extracts hashes and LSA secrets where the case authorizes it.
6. Rebuilds the timeline last: timeliner output sorted by creation time into the first-access, privilege-escalation, lateral-movement, exfiltration sequence, correlated against disk and network timelines, with every command logged for evidentiary integrity.
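The two steps that most often go wrong in practice are the custody record at acquisition (step 1) and the pslist/psscan cross-check (step 2). The script below is an added example, not part of the product or of Volatility 3: it streams a SHA-256 over the image so multi-gigabyte dumps never have to fit in RAM, builds the custody entry to log at minute one, and diffs the two process surveys. It assumes the plugin output was exported with Volatility 3's JSON renderer (`vol -r json -f memory.raw windows.pslist`) and that the records carry the `PID` and `ExitTime` columns; the sample records embedded here are constructed, and the dump path, tool version and examiner name are placeholders.

```python
"""Chain-of-custody record plus pslist/psscan cross-check (added example)."""
import hashlib
import json
from datetime import datetime, timezone


def sha256_bytes(data: bytes) -> str:
    """SHA-256 of an in-memory buffer (used by the tests and the streaming hasher)."""
    return hashlib.sha256(data).hexdigest()


def hash_dump(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream the image through SHA-256 in 1 MiB chunks; never load the whole dump."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def custody_record(path: str, tool: str, tool_version: str, examiner: str) -> dict:
    """The entry written the moment the dump lands: hash, UTC time, tool, operator."""
    return {
        "file": path,
        "sha256": hash_dump(path),
        "recorded_utc": datetime.now(timezone.utc).isoformat(),
        "tool": tool,
        "tool_version": tool_version,
        "examiner": examiner,
    }


def verify_dump(path: str, expected_sha256: str) -> bool:
    """Re-hash before each analysis session to prove the image was never written to."""
    return hash_dump(path) == expected_sha256


def _exited(rec: dict) -> bool:
    # Volatility prints N/A (pretty renderer) or null (JSON) for a live process.
    return rec.get("ExitTime") not in (None, "", "N/A")


def hidden_process_candidates(pslist: list, psscan: list) -> list:
    """PIDs that psscan carved from pool memory but pslist did not reach by walking
    the EPROCESS list. psscan also recovers terminated processes, so anything with
    an ExitTime is dropped: only a live, unlinked process is a DKOM indicator."""
    listed = {r["PID"] for r in pslist}
    return sorted({r["PID"] for r in psscan if r["PID"] not in listed and not _exited(r)})


# Constructed sample records, shaped like the JSON renderer's rows (columns trimmed).
SAMPLE_PSLIST = [
    {"PID": 4, "PPID": 0, "ImageFileName": "System", "ExitTime": None},
    {"PID": 400, "PPID": 4, "ImageFileName": "smss.exe", "ExitTime": None},
    {"PID": 1234, "PPID": 600, "ImageFileName": "explorer.exe", "ExitTime": None},
]
SAMPLE_PSSCAN = SAMPLE_PSLIST + [
    # Live but absent from the linked list: the case the diff exists to catch.
    {"PID": 5555, "PPID": 600, "ImageFileName": "svchost.exe", "ExitTime": None},
    # Already exited: normal for psscan to see, not a hiding indicator.
    {"PID": 6666, "PPID": 1234, "ImageFileName": "notepad.exe",
     "ExitTime": "2026-06-20 09:14:02.000000 UTC"},
]

if __name__ == "__main__":
    # Placeholder paths and identities; replace with the case's real values.
    # record = custody_record("/evidence/CASE-0001/memory.raw", "WinPmem", "<version>", "<examiner>")
    # print(json.dumps(record, indent=2))
    print("Hidden-process candidates:", hidden_process_candidates(SAMPLE_PSLIST, SAMPLE_PSSCAN))
```

Keying on PID keeps the example short; on a dump where PIDs were reused during the capture window, key on the `Offset(V)` column instead so two distinct EPROCESS structures sharing a PID are not collapsed into one.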

## FAQ
### Does this only cover Windows dumps, or can I work with Linux, macOS, and VM memory too?
Acquisition commands cover Windows, Linux, macOS, and virtual machine memory, and the Volatility 3 plugin workflow applies to all of them. Once you have a dump, the process, network, injection, and credential analysis steps are the same.

### How does it find processes that a rootkit hides from normal tools?
It reads volatile evidence straight from the dump and validates findings across multiple Volatility plugins instead of trusting one source. Rootkit-comparison techniques flag the gap between what the OS reports and what memory actually contains.

### Will it capture the memory dump for me?
No. It gives you the acquisition commands and chain-of-custody discipline, but someone still has to run the capture on the target machine. The analysis workflow starts from a dump you already have.

## Price
$15, one-time, no subscription. VAT included.

Related guide: [AI for application security](https://forgehouse.ai/guides/ai-application-security/)
