Why Disk Forensics Misses the Story
Fileless malware, process injection, and in-memory credential theft leave minimal disk artifacts. Memory forensics captures what was actually running at the time of acquisition.
Acquisition
```bash
# Linux — avml (works on modern kernels); output is a LiME-format image
avml /cases/host1_mem_$(date +%F_%H%M).lime
# Verify integrity and record the hash for the chain of custody
sha256sum /cases/host1_mem_*.lime > /cases/chain_of_custody.txt
```
Volatility 3 Basics
```bash
# Identify the OS build and symbol table (windows.* plugins apply to a Windows image)
vol -f memory.lime windows.info
# Process list with parent/child relationships
vol -f memory.lime windows.pstree
# Network connections
vol -f memory.lime windows.netstat
# Injected memory regions
vol -f memory.lime windows.malfind
# Command-line arguments of each process (not shell history)
vol -f memory.lime windows.cmdline
```
What to Look For
Process anomalies:
- `svchost.exe` with an unusual parent (should be `services.exe`)
- Unsigned processes in `System32` with network connections

```bash
# Unique PIDs owning ESTABLISHED connections (column 8 of windows.netstat is PID)
vol -f memory.lime windows.netstat | grep ESTABLISHED | awk '{print $8}' | sort -u
```
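Checking the parent/child rule above by hand across hundreds of processes is error-prone, so here is an added example (not from the original post) that flags well-known Windows processes whose parent is not the expected one. It assumes the JSON shape produced by `vol -r json windows.pslist` (keys `PID`, `PPID`, `ImageFileName`); the sample input and the expected-parent map are constructed for illustration.

```python
"""Flag parent/child anomalies in Volatility 3 windows.pslist JSON output."""
import json

# Expected parent(s) for a few well-known Windows processes. Constructed
# minimal map for this example; extend it for your environment.
EXPECTED_PARENT = {
    "svchost.exe": {"services.exe"},
    "services.exe": {"wininit.exe"},
    "lsass.exe": {"wininit.exe"},
}

# Constructed sample mimicking `vol -f memory.lime -r json windows.pslist`;
# only the fields used here are included (ImageFileName is the 15-char
# name stored in EPROCESS, which is what Volatility reports).
SAMPLE_PSLIST = json.dumps([
    {"PID": 4,    "PPID": 0,    "ImageFileName": "System"},
    {"PID": 600,  "PPID": 480,  "ImageFileName": "wininit.exe"},
    {"PID": 700,  "PPID": 600,  "ImageFileName": "services.exe"},
    {"PID": 720,  "PPID": 600,  "ImageFileName": "lsass.exe"},
    {"PID": 900,  "PPID": 700,  "ImageFileName": "svchost.exe"},   # normal
    {"PID": 5000, "PPID": 3100, "ImageFileName": "WINWORD.EXE"},
    {"PID": 4120, "PPID": 5000, "ImageFileName": "svchost.exe"},   # Office spawned it
    {"PID": 4200, "PPID": 1234, "ImageFileName": "svchost.exe"},   # parent gone
])


def load_pslist(text):
    """Index the plugin's JSON list by PID."""
    return {proc["PID"]: proc for proc in json.loads(text)}


def find_parent_anomalies(text):
    """Return (pid, name, ppid, parent_name) for processes whose parent
    is not in EXPECTED_PARENT. A missing parent (PPID of an exited process,
    possibly reused) is reported too, since it also needs an explanation."""
    by_pid = load_pslist(text)
    findings = []
    for proc in by_pid.values():
        name = proc["ImageFileName"].lower()
        expected = EXPECTED_PARENT.get(name)
        if not expected:
            continue
        parent = by_pid.get(proc["PPID"])
        parent_name = parent["ImageFileName"].lower() if parent else "<exited/unknown>"
        if parent_name not in expected:
            findings.append((proc["PID"], name, proc["PPID"], parent_name))
    return findings


if __name__ == "__main__":
    for pid, name, ppid, parent in find_parent_anomalies(SAMPLE_PSLIST):
        print(f"suspicious: {name} (PID {pid}) parent {parent} (PPID {ppid})")
```

To run it against a real image, replace `SAMPLE_PSLIST` with the contents of `vol -f memory.lime -r json windows.pslist`.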
Yara Scanning Memory
```bash
# Scan all memory with a rules file you supply (--yara-file takes a path; --yara-rules takes an inline rule string)
vol -f memory.lime yarascan.YaraScan --yara-file cobaltstrike.yar
```
Defensive Takeaways
- Deploy LSA Protection (`RunAsPPL`) to prevent LSASS memory dumping
- Credential Guard eliminates in-memory NTLM/Kerberos theft on supported systems
- Practice memory acquisition during exercises — it has to be fast in a real incident
- Retain memory images for at least 30 days post-incident for timeline reconstruction