memory-forensics

Memory Forensics

Comprehensive memory forensics skill for analyzing RAM dumps and volatile memory artifacts. Enables detection of malware, rootkits, process injection, credential harvesting, and other memory-resident threats that leave no disk footprint.

Capabilities

  • Memory Image Acquisition: Guide acquisition of memory dumps using various tools (WinPMEM, LiME, DumpIt, FTK Imager)
  • Process Analysis: Enumerate running processes, detect hidden/injected processes, analyze process trees
  • DLL/Module Analysis: Identify loaded modules, detect DLL injection, find hollowed processes
  • Network Connection Analysis: Extract active network connections, listening ports, socket information
  • Registry Hive Extraction: Extract registry hives from memory for offline analysis
  • Credential Extraction: Locate and extract credentials, password hashes, Kerberos tickets
  • Malware Detection: Detect code injection, API hooks, SSDT hooks, IDT modifications
  • String Extraction: Extract strings, URLs, IPs, and other IOCs from memory regions
  • Timeline Generation: Create memory-based timelines of process execution and system events
  • Rootkit Detection: Identify kernel-level rootkits, hidden drivers, DKOM (Direct Kernel Object Manipulation) techniques

Quick Start

Installs: 13 | GitHub Stars: 4 | First Seen: Feb 10, 2026