Memory Analysis with Volatility 3: Recovering Artifacts from a Compromised Host
Practical guide to memory forensics using Volatility 3 plugins to identify process injection, credential artifacts, and attacker tooling in RAM dumps.
Scenario
During an incident response engagement, we acquired a full memory dump from a domain controller exhibiting suspicious authentication patterns. This post walks through the Volatility 3 analysis workflow used to identify Cobalt Strike beacon injection.
Acquisition
Memory was captured using WinPMEM before containment actions altered runtime state:
winpmem.exe -o dc01-memory.raw --format raw
Critical: Capture memory before rebooting or terminating suspicious processes.
Initial Triage
# Identify profile automatically (Volatility 3)
vol -f dc01-memory.raw windows.info
# List processes
vol -f dc01-memory.raw windows.pslist
# Check for hidden processes
vol -f dc01-memory.raw windows.psscan
Compare pslist vs psscan output — discrepancies indicate DKOM or process hiding.
Detecting Process Injection
vol -f dc01-memory.raw windows.malfind --dump
vol -f dc01-memory.raw windows.vadinfo --pid 4892
The malfind plugin identified RWX memory regions in svchost.exe (PID 4892) — a strong indicator of reflective DLL injection.
# Suspicious VAD entry
Process: svchost.exe Pid: 4892
VAD Tag: VadS Protection: PAGE_EXECUTE_READWRITE
File: N/A
Credential Artifacts
vol -f dc01-memory.raw windows.lsadump
vol -f dc01-memory.raw windows.hashdump
vol -f dc01-memory.raw windows.cachedump
Warning: Handle credential output according to your organization’s evidence handling procedures.
Network Connections
vol -f dc01-memory.raw windows.netscan
Recovered connection to 185.x.x.x:443 from the injected svchost.exe process — correlating with firewall logs.
Timeline Reconstruction
vol -f dc01-memory.raw timeliner.Timeline
Combined with disk forensics, the timeline established:
- T+0: Initial access via VPN credential compromise
- T+4h: Cobalt Strike beacon injected into
svchost.exe - T+6h: LSASS credential access via handle duplication
Lessons Learned
Memory forensics provided the only evidence of in-memory-only tooling that left minimal disk artifacts. Always prioritize memory acquisition in IR engagements involving suspected APT activity.
References
Share this research
Related Research
CVE-2021-44228 Log4Shell: Root Cause, Exposure Mapping, and Detection
A real-world case study of Log4Shell, the Apache Log4j remote code execution vulnerability, with practical guidance for asset discovery, patching, and detection.
WannaCry Ransomware: Static Triage, Kill Switch Logic, and MS17-010 Lessons
A real-world malware analysis case study of WannaCry, focusing on its SMBv1 propagation, kill switch behavior, and defensive lessons from the 2017 outbreak.