conducting-memory-forensics-with-volatility


Conducting Memory Forensics with Volatility

When to Use

  • An endpoint has been contained during an active incident and volatile evidence must be preserved
  • EDR alerts suggest process injection or fileless malware that only exists in memory
  • Encryption keys need to be recovered from a ransomware-infected system before shutdown
  • Credential theft (Mimikatz, LSASS dumping) is suspected and evidence must be confirmed
  • A rootkit or kernel-level compromise is suspected and disk-based analysis is insufficient

Do not use for analyzing disk images or file system artifacts; use disk forensics tools (Autopsy, FTK) for those tasks.

Prerequisites

  • Memory acquisition tool deployed or available: WinPmem, Magnet RAM Capture, DumpIt, or AVML (Linux)
  • Volatility 3 installed with Python 3.8+ and required symbol tables
  • Sufficient storage for memory dumps (equal to system RAM size, typically 8-64 GB)
  • YARA rules for malware detection in memory (Florian Roth's signature-base, custom rules)
  • Reference baseline of normal processes and DLLs for the OS version being analyzed
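A pre-flight check for the prerequisites above, added here as an example (not part of the skill). It assumes Volatility 3 is on PATH as `vol`, symbol packs under `$VOL_SYMBOLS`, YARA rules under `$YARA_RULES`, and takes the target host's RAM size in bytes, since the dump is usually staged on a separate analysis box.

```shell
#!/bin/sh
# Pre-flight check for a Volatility 3 memory-forensics engagement (added example).
# Assumed layout: `vol` on PATH, symbol tables in $VOL_SYMBOLS, YARA rules in $YARA_RULES.

# python_ok VERSION -> exit 0 when VERSION is 3.8 or newer (e.g. "3.8.2", "3.11.4")
python_ok() {
    major=$(printf '%s' "$1" | cut -d. -f1)
    minor=$(printf '%s' "$1" | cut -d. -f2)
    minor=${minor:-0}
    [ "$major" -gt 3 ] || { [ "$major" -eq 3 ] && [ "$minor" -ge 8 ]; }
}

# enough_space AVAIL_KB RAM_BYTES -> exit 0 when free space covers a full RAM image
enough_space() {
    needed_kb=$(( ($2 + 1023) / 1024 ))
    [ "$1" -ge "$needed_kb" ]
}

# preflight DUMP_DIR TARGET_RAM_BYTES -> prints each missing prerequisite, exit 1 if any
preflight() {
    dump_dir=$1; ram_bytes=$2; rc=0
    command -v vol >/dev/null 2>&1 || { echo "MISSING: Volatility 3 ('vol') not on PATH"; rc=1; }
    pyver=$(python3 -c 'import sys; print("%d.%d" % sys.version_info[:2])' 2>/dev/null)
    python_ok "${pyver:-0.0}" || { echo "MISSING: Python 3.8+ (found ${pyver:-none})"; rc=1; }
    [ -d "${VOL_SYMBOLS:-volatility3/symbols}" ] || { echo "MISSING: symbol table directory"; rc=1; }
    [ -d "${YARA_RULES:-rules}" ] || echo "WARN: no YARA rules directory (malware scanning will be limited)"
    # Dump storage must hold an image the size of the target's RAM.
    avail_kb=$(df -Pk "$dump_dir" | awk 'NR==2 {print $4}')
    enough_space "${avail_kb:-0}" "$ram_bytes" || {
        echo "MISSING: need $(( ram_bytes / 1073741824 )) GiB free under $dump_dir"; rc=1; }
    return $rc
}
```

Run as `preflight /cases/dumps 17179869184` for a 16 GiB target; a non-zero exit means acquisition should wait until the listed items are fixed.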
First seen: Mar 15, 2026