Memory forensics is the practice of analyzing a computer’s RAM dump to uncover evidence that never touches the disk — running malware, injected code, decrypted strings, network connections, and credentials. Volatility is the industry-standard open-source framework for this work. Version 3 is a complete rewrite that’s faster, cleaner, and doesn’t require profile selection like Volatility 2 did. This guide walks you through the core workflow.
Installing Volatility 3
Install Volatility 3 via pip:
pip3 install volatility3
Or from source for the latest development version:
git clone https://github.com/volatilityfoundation/volatility3
cd volatility3
pip3 install -r requirements.txt
python3 vol.py --help
On Kali Linux, volatility3 may be available via apt:
sudo apt install volatility3
Acquiring a Memory Dump
Before analyzing, you need a raw memory image. Tools for acquisition include:
- WinPmem — open source, Windows (winpmem.exe > memory.raw)
- DumpIt — single executable for Windows
- LiME (Linux Memory Extractor) — kernel module for Linux
- FTK Imager — GUI-based, includes memory acquisition
For practice, download pre-made memory samples from MemLabs on GitHub or the Volatility Foundation’s test images.
# WinPmem example
winpmem_mini.exe memory.raw
Basic Syntax
Volatility 3 commands follow this pattern:
python3 vol.py -f <memory.raw> <plugin>
For example:
python3 vol.py -f memory.raw windows.pslist
Volatility auto-detects the OS. Most plugins start with windows., linux., or mac..
Core Windows Plugins
Process Listing
# List running processes
python3 vol.py -f memory.raw windows.pslist
# More detailed process tree view
python3 vol.py -f memory.raw windows.pstree
# Find hidden/unlinked processes (rootkit detection)
python3 vol.py -f memory.raw windows.psscan
pslist walks the Active Process List — rootkits can hide from this by unlinking entries. psscan scans the raw memory pool headers and often finds hidden processes that pslist misses. Discrepancies between the two are suspicious.
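One way to turn that cross-check into a repeatable step, as an added example that is not part of the original guide or of Volatility itself: it assumes both plugins were run with Volatility 3's JSON renderer (`-r json`) and that the column names `PID`, `ImageFileName`, `Offset(V)` and `ExitTime` match your version's output; the sample rows are constructed.

```python
"""Cross-check windows.pslist against windows.psscan (added example, not from the
guide or from Volatility). Assumes both plugins were run with Volatility 3's JSON
renderer (-r json) and that the column names "PID", "ImageFileName", "Offset(V)"
and "ExitTime" match your version's output. Sample rows are constructed."""
import json

PSLIST_JSON = json.dumps([
    {"PID": 4, "PPID": 0, "ImageFileName": "System", "Offset(V)": 0xfa8000c8c040, "ExitTime": None},
    {"PID": 1234, "PPID": 800, "ImageFileName": "explorer.exe", "Offset(V)": 0xfa8001a12060, "ExitTime": None},
])
PSSCAN_JSON = json.dumps([
    {"PID": 4, "PPID": 0, "ImageFileName": "System", "Offset(V)": 0xfa8000c8c040, "ExitTime": None},
    {"PID": 1234, "PPID": 800, "ImageFileName": "explorer.exe", "Offset(V)": 0xfa8001a12060, "ExitTime": None},
    # Found by the scan but unlinked from the active-process list: the rootkit case.
    {"PID": 2468, "PPID": 1234, "ImageFileName": "svchost.exe", "Offset(V)": 0xfa8001b33080, "ExitTime": None},
    # Terminated process recovered from freed pool memory: expected, not hiding.
    {"PID": 3012, "PPID": 1234, "ImageFileName": "notepad.exe", "Offset(V)": 0xfa8001c44040, "ExitTime": "2024-01-01T10:00:00"},
])


def load_rows(text):
    """pslist and psscan emit a flat list of row objects; nested '__children' arrays
    (used by tree plugins) are flattened here so the same loader serves pstree."""
    rows = []
    stack = list(json.loads(text))
    while stack:
        row = stack.pop()
        rows.append(row)
        stack.extend(row.get("__children", []))
    return rows


def hidden_processes(pslist_text, psscan_text):
    """Return (hidden, exited). Rows are matched on _EPROCESS offset, not PID, because
    PIDs are reused. psscan also recovers terminated processes, which is normal, so
    rows carrying an ExitTime are separated out instead of being reported as hidden."""
    listed = {row["Offset(V)"] for row in load_rows(pslist_text)}
    hidden, exited = [], []
    for row in load_rows(psscan_text):
        if row["Offset(V)"] not in listed:
            (exited if row.get("ExitTime") else hidden).append(row)
    return hidden, exited


if __name__ == "__main__":
    for row in hidden_processes(PSLIST_JSON, PSSCAN_JSON)[0]:
        print(f"HIDDEN pid={row['PID']} {row['ImageFileName']} offset={row['Offset(V)']:#x}")
```

Anything left in `hidden` after the exited rows are set aside is worth pulling apart with pstree, dlllist and malfind.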
Network Connections
python3 vol.py -f memory.raw windows.netstat
Shows active and recently closed TCP/UDP connections with process associations. Look for:
- Connections to unexpected IPs or ports
- ESTABLISHED connections from system processes like svchost.exe to external IPs
- Listening ports on unusual high-numbered ports
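The same checks, scripted over the plugin's JSON output as an added example (not from the guide or from Volatility): it assumes `python3 vol.py -r json -f memory.raw windows.netstat` was used and that the column names `LocalPort`, `ForeignAddr`, `ForeignPort`, `State`, `Owner` and `PID` match your version; the process baseline, the expected-listener set and the sample rows are constructed for illustration.

```python
"""Triage windows.netstat output for the patterns listed above (added example, not
from the guide or from Volatility). Assumes the plugin was run with the JSON renderer
(python3 vol.py -r json -f memory.raw windows.netstat) and that the column names
"LocalPort", "ForeignAddr", "ForeignPort", "State", "Owner" and "PID" match your
version's output. Baselines and sample rows are constructed."""
import ipaddress
import json

# Assumed baselines for the host under review; tune them per environment.
SYSTEM_PROCESSES = {"svchost.exe", "lsass.exe", "services.exe", "winlogon.exe", "csrss.exe"}
EXPECTED_HIGH_LISTENERS = {3389, 5985, 5986}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16",
    "0.0.0.0/8", "::/128", "::1/128", "fe80::/10", "fc00::/7")]

NETSTAT_JSON = json.dumps([  # constructed rows; 203.0.113.0/24 is a documentation range
    {"Proto": "TCPv4", "LocalAddr": "10.0.0.5", "LocalPort": 49701, "ForeignAddr": "203.0.113.7",
     "ForeignPort": 443, "State": "ESTABLISHED", "PID": 2468, "Owner": "svchost.exe"},
    {"Proto": "TCPv4", "LocalAddr": "10.0.0.5", "LocalPort": 49702, "ForeignAddr": "10.0.0.10",
     "ForeignPort": 445, "State": "ESTABLISHED", "PID": 2468, "Owner": "svchost.exe"},
    {"Proto": "TCPv4", "LocalAddr": "0.0.0.0", "LocalPort": 4444, "ForeignAddr": "0.0.0.0",
     "ForeignPort": 0, "State": "LISTENING", "PID": 3300, "Owner": "notepad.exe"},
    {"Proto": "TCPv4", "LocalAddr": "0.0.0.0", "LocalPort": 3389, "ForeignAddr": "0.0.0.0",
     "ForeignPort": 0, "State": "LISTENING", "PID": 900, "Owner": "svchost.exe"},
])


def is_external(addr):
    """True for routable addresses; wildcards ('*', '0.0.0.0', '::'), loopback, link-local
    and RFC 1918 ranges are treated as internal. Unparseable values count as internal."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return not any(ip in net for net in INTERNAL_NETS)


def triage(netstat_text):
    """Return (PID, owner, reason) tuples for rows that match the patterns above."""
    findings = []
    for row in json.loads(netstat_text):
        owner, state = (row.get("Owner") or "").lower(), row.get("State") or ""
        port = row.get("LocalPort") or 0
        if state == "ESTABLISHED" and owner in SYSTEM_PROCESSES and is_external(row.get("ForeignAddr", "")):
            findings.append((row["PID"], owner, f"system process to external {row['ForeignAddr']}:{row['ForeignPort']}"))
        if state == "LISTENING" and port >= 1024 and port not in EXPECTED_HIGH_LISTENERS:
            findings.append((row["PID"], owner, f"unexpected high listening port {port}"))
    return findings
```

Each finding's PID is the pivot into cmdline, dlllist and malfind for that process.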
DLL and Module Listing
# List DLLs loaded by a specific process (PID 1234)
python3 vol.py -f memory.raw windows.dlllist --pid 1234
Compare loaded DLLs against what’s expected for a given process. A cmd.exe loading meterpreter.dll or an unknown DLL from C:\Temp is a clear red flag.
Memory-Mapped Files and VAD
# View Virtual Address Descriptor tree for a process
python3 vol.py -f memory.raw windows.vadinfo --pid 1234
The VAD tree describes how virtual memory is mapped. Look for regions marked PAGE_EXECUTE_READWRITE that aren’t backed by a file on disk — a common indicator of injected shellcode.
Injected Code Detection
python3 vol.py -f memory.raw windows.malfind
malfind identifies suspicious executable memory regions — specifically looking for RWX (read-write-execute) permissions with PE headers embedded in them. It dumps the suspicious region’s hex bytes and disassembly.
Example suspicious output:
PID: 1234 Process: explorer.exe
0x7f000000 MZ... (PE header in non-module memory)
This strongly indicates process injection.
Handles
python3 vol.py -f memory.raw windows.handles --pid 1234
Lists all kernel objects (files, registry keys, mutexes, threads) that a process has open. Malware often holds a mutex to prevent multiple instances from running — finding that mutex is useful for detection signatures.
Registry Hives
# List loaded registry hives
python3 vol.py -f memory.raw windows.registry.hivelist
# Print registry keys
python3 vol.py -f memory.raw windows.registry.printkey --key "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
Persistence mechanisms often write to the Run key. Checking this from memory captures registry state at the time of the dump, even if the malware cleaned up on disk.
Command Line History
python3 vol.py -f memory.raw windows.cmdline
Shows the command-line arguments each process was launched with. A process launched with a base64-encoded PowerShell command or from a temp directory is worth investigating.
Dumping Process Executables
# Dump a specific process's executable
python3 vol.py -f memory.raw windows.dumpfiles --pid 1234
Extracted files can be submitted to VirusTotal or analyzed in a disassembler. Malware that unpacks itself in memory can be captured this way even if the on-disk binary is packed and obfuscated.
Practical Investigation Workflow
A typical memory forensics investigation follows this sequence:
- pslist / psscan — identify all processes, spot discrepancies
- pstree — understand parent-child relationships (malware often spawns from Word.exe, Excel.exe, or browsers)
- netstat — check active connections, correlate with suspicious processes
- cmdline — review command-line arguments for every suspicious process
- dlllist — check for unknown or unexpected DLLs
- malfind — scan for injected shellcode or hollowed processes
- dumpfiles — extract and analyze suspicious executables
Practice Resources
- MemLabs: https://github.com/stuxnet999/MemLabs — CTF-style memory forensics challenges
- Volatility Workbench — GUI wrapper for Volatility, useful for beginners
- BlueTeamLabs Online — hands-on memory forensics exercises
- CyberDefenders.org — free DFIR challenges with memory images
Memory forensics is a critical skill for both red team (understanding what you leave behind) and blue team (detecting attacker activity in live RAM). Volatility 3’s automatic OS detection and clean plugin architecture make it accessible even for those new to DFIR work.