BIPI

Memory Forensics with Volatility 3: Plugins That Actually Find Things

Cybersecurity

Memory analysis is where the modern attacker hides. We walk through the Volatility 3 plugins that surface Cobalt Strike beacons, in-memory loaders, and process hollowing without needing a malware analyst on call.

By Arjun Raghavan, Security & Systems Lead, BIPI · March 8, 2024 · 9 min read

#memory-forensics #volatility #dfir

Disk-only DFIR misses the part of the attack the adversary cares about most. Cobalt Strike beacons, Brute Ratel implants, and most modern loaders live in memory and never touch the file system as a recognizable artifact. Volatility 3 is the open-source tool that pulls them back into view.

Capture before you analyze

Memory disappears the moment you reboot. Before any containment action that involves power, capture a memory dump. On Windows we use WinPMEM, Magnet RAM Capture, or DumpIt. On Linux we use AVML. On macOS we use OSXPMem when the kernel version supports it; otherwise the analysis pivots to live response. Hash the output before it leaves the host. A 32 GB RAM dump is a 32 GB file, so plan your evidence storage accordingly.

  • 8 of 10 modern intrusions show their main payload only in memory
  • 32 GB: typical workstation memory dump size in 2024
  • 45 min: average Volatility analysis time to find a Cobalt Strike beacon

The plugins you run first, every time

Volatility 3 dropped the profile selection headache from Volatility 2. Symbol tables auto-resolve for most recent Windows versions. The workflow we run on every memory dump starts with five plugins, in this order.

  1. windows.info: confirms the OS version and validates that the dump is parseable
  2. windows.pslist and windows.pstree: the process tree; look for orphaned children of explorer.exe or services.exe
  3. windows.cmdline: full command lines; surfaces encoded PowerShell commands and rundll32 abuse
  4. windows.malfind: finds executable memory regions with no backing file, the classic injection signature
  5. windows.netscan: current and recent network connections with the owning PID

Finding Cobalt Strike without a YARA rule

Cobalt Strike beacons are the most common in-memory payload we encounter. They show up in malfind as RWX regions inside seemingly benign processes (svchost.exe, explorer.exe, rundll32.exe). Cross-check with ldrmodules to find DLLs that are loaded but absent from the PEB lists, a classic sign of reflective loading. Pull the bytes with vaddump and run them through 1768.py from Didier Stevens to extract the beacon configuration.
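The malfind-plus-ldrmodules cross-check described above, as an added triage script (our illustration, not part of the original post or the Volatility project). It assumes the two plugins were run with `-r csv`; the column names and the sample rows below are constructed for the example, and single-page RWX regions are dropped as the usual benign noise.

```python
import csv
import io
from collections import defaultdict

# Constructed rows in the shape of `vol -r csv windows.malfind`
# (column names are an assumption for this example).
MALFIND_CSV = """\
PID,Process,Start VPN,End VPN,Tag,Protection,CommitCharge,PrivateMemory
1234,svchost.exe,0x1a0000,0x1cffff,VadS,PAGE_EXECUTE_READWRITE,48,1
1234,svchost.exe,0x2b0000,0x2b0fff,VadS,PAGE_EXECUTE_READWRITE,1,1
4321,explorer.exe,0x400000,0x40ffff,VadS,PAGE_EXECUTE_READWRITE,16,1
"""

# Constructed rows in the shape of `vol -r csv windows.ldrmodules`.
LDRMODULES_CSV = """\
Pid,Process,Base,InLoad,InInit,InMem,MappedPath
1234,svchost.exe,0x3f0000,False,False,False,
1234,svchost.exe,0x7ff800000000,True,True,True,\\Windows\\System32\\ntdll.dll
4321,explorer.exe,0x7ff7a0000000,True,True,True,\\Windows\\explorer.exe
5678,rundll32.exe,0x10000000,False,False,False,\\Users\\Public\\x.dll
"""


def triage(malfind_csv: str, ldrmodules_csv: str, min_pages: int = 2) -> dict:
    """Rank PIDs: RWX private regions from malfind plus modules missing from
    every PEB list in ldrmodules. Both together is the high-priority case."""
    findings = defaultdict(lambda: {"process": None, "rwx_regions": [], "unlinked_modules": []})
    for row in csv.DictReader(io.StringIO(malfind_csv)):
        # Single-page RWX allocations (JIT stubs, hooks) are common noise;
        # keep private RWX regions of at least min_pages committed pages.
        if (row["Protection"] == "PAGE_EXECUTE_READWRITE"
                and row["PrivateMemory"] == "1"
                and int(row["CommitCharge"]) >= min_pages):
            pid = int(row["PID"])
            findings[pid]["process"] = row["Process"]
            findings[pid]["rwx_regions"].append(row["Start VPN"])
    for row in csv.DictReader(io.StringIO(ldrmodules_csv)):
        # Absent from InLoad, InInit and InMem: not in any PEB list.
        if row["InLoad"] == row["InInit"] == row["InMem"] == "False":
            pid = int(row["Pid"])
            findings[pid]["process"] = row["Process"]
            findings[pid]["unlinked_modules"].append((row["Base"], row["MappedPath"]))
    for f in findings.values():
        both = f["rwx_regions"] and f["unlinked_modules"]
        f["priority"] = "high" if both else "medium" if f["rwx_regions"] else "low"
    return dict(findings)


if __name__ == "__main__":
    for pid, f in sorted(triage(MALFIND_CSV, LDRMODULES_CSV).items()):
        print(pid, f["process"], f["priority"], f["rwx_regions"], f["unlinked_modules"])
```

A "high" hit is the candidate to hand to vaddump; a "medium" hit still needs the ldrmodules and dlllist look before anyone calls it a beacon.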

Process hollowing and the parent-child mismatch

Process hollowing remains a common evasion: the attacker spawns a legitimate binary suspended, unmaps its image, writes malicious code into the process, and resumes it. The artifact is a process whose memory contents do not match its on-disk image. Run windows.dlllist and compare the loaded modules against a clean baseline of the same binary. windows.hollowfind from the community plugins surfaces this directly on Volatility 2; for Volatility 3 we run windows.modules and look for processes whose main module path does not match the expected location.

Network artifacts that disk forensics cannot give you

Memory holds connection state that disk does not. netscan surfaces connections in TIME_WAIT and CLOSED states that no longer appear in netstat output. We have caught beacon callbacks to C2 infrastructure that disappeared from the host before triage simply because they timed out. The PID-to-connection mapping is the part that disk artifacts cannot reproduce.

A real case: the 2023 healthcare intrusion

Last year we worked an intrusion where EDR was disabled for 11 hours during a patching window. The attacker dropped a Cobalt Strike loader, ran for those 11 hours, and the loader self-deleted before EDR came back online. Disk had nothing. Memory had the beacon resident in a hollowed svchost. malfind flagged the RWX region. vaddump pulled the bytes. The beacon config gave us the team server, which we then provided to law enforcement. Without the memory dump we would have closed the case as inconclusive.

Disk tells you what was. Memory tells you what is. Both matter and one of them is gone the moment someone hits the power button.

What new analysts get wrong

  • Skipping memory capture because the host has EDR (EDR cannot dump itself reliably)
  • Running plugins without confirming windows.info parsed cleanly
  • Treating malfind hits as conclusive without cross-checking ldrmodules
  • Forgetting that paged-out memory means some regions are not available
