BIPI

Windows Memory Forensics with Volatility 3 and MemProcFS

Cybersecurity

From acquisition to artifacts: a working memory forensics playbook using WinPmem, Volatility 3, and MemProcFS to recover credentials, injected code, malicious drivers, and rootkit traces.

By Arjun Raghavan, Security & Systems Lead, BIPI · April 29, 2025 · 12 min read

#forensics #memory #volatility #memprocfs #incident-response

Why memory still matters

Disk forensics catches dropped files. Memory forensics catches everything else: in-memory only payloads, decrypted secrets, network sockets, injected threads, unhooked drivers. Modern intrusions live in RAM specifically to defeat disk-centric investigators.

Acquisition

  • WinPmem (Rekall): minidump-style, open source, single binary
  • DumpIt: portable, raw or Microsoft crash dump format
  • Magnet RAM Capture: GUI-friendly, free for IR teams
  • Hypervisor snapshot: VMware .vmem plus .vmsn for VMs, zero footprint

Volatility 3 essentials

  • windows.pslist and windows.pstree for process enumeration
  • windows.cmdline for full command-line strings (catches encoded PS)
  • windows.netscan for active and recently closed sockets
  • windows.malfind for RWX regions with no mapped file (injection)
  • windows.dlllist and windows.ldrmodules for unlinked / hidden modules
  • windows.svcscan for service entries including parent EXE/DLL

Credential extraction

MemProcFS: memory as a filesystem

MemProcFS mounts a memory image as a Windows or Linux filesystem. Each process is a folder; registry hives, virtual memory, handles, modules, and forensic artifacts appear as files. Pair with Volatility 3 for the best of both worlds.

Detecting injection

  • windows.malfind flags PAGE_EXECUTE_READWRITE with no mapped image
  • windows.hollowfind catches process hollowing (PEB mismatch)
  • Check ImageBase vs VAD entries for stomped modules
  • MemProcFS forensic\findevil\ aggregates suspicious indicators

Rootkit and driver hunting

  • windows.driverscan vs windows.modules to find unlinked drivers
  • windows.ssdt for syscall table hooks (rare but informative)
  • windows.callbacks for kernel notification routine hijacks
  • windows.psxview cross-references process list sources to spot DKOM
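The cross-reference that windows.psxview automates, written out as an added example (not code from this post or from the Volatility project): diff the EPROCESS linked list (windows.pslist) against the pool scan (windows.psscan) and treat an entry the scan found, with no ExitTime and no pslist counterpart, as the DKOM signature. The JSON samples are constructed, and the field names are assumed to follow the plugins' column headers when run with `-r json`.

```python
"""Cross-reference pslist (linked list) and psscan (pool scan) output to surface
processes unlinked by DKOM. Assumes `vol -r json` output with keys named after
the column headers: PID, PPID, ImageFileName, CreateTime, ExitTime."""
import json

# Constructed sample: trimmed to the columns this check needs.
PSLIST_JSON = """[
 {"PID": 4,    "PPID": 0,    "ImageFileName": "System",      "CreateTime": "2025-04-29T08:00:01+00:00", "ExitTime": null},
 {"PID": 712,  "PPID": 4,    "ImageFileName": "lsass.exe",   "CreateTime": "2025-04-29T08:00:05+00:00", "ExitTime": null},
 {"PID": 1340, "PPID": 712,  "ImageFileName": "svchost.exe", "CreateTime": "2025-04-29T08:00:09+00:00", "ExitTime": null}
]"""
PSSCAN_JSON = """[
 {"PID": 4,    "PPID": 0,    "ImageFileName": "System",      "CreateTime": "2025-04-29T08:00:01+00:00", "ExitTime": null},
 {"PID": 712,  "PPID": 4,    "ImageFileName": "lsass.exe",   "CreateTime": "2025-04-29T08:00:05+00:00", "ExitTime": null},
 {"PID": 1340, "PPID": 712,  "ImageFileName": "svchost.exe", "CreateTime": "2025-04-29T08:00:09+00:00", "ExitTime": null},
 {"PID": 2208, "PPID": 1340, "ImageFileName": "notepad.exe", "CreateTime": "2025-04-29T09:12:30+00:00", "ExitTime": "2025-04-29T09:13:02+00:00"},
 {"PID": 3050, "PPID": 1340, "ImageFileName": "updater.exe", "CreateTime": "2025-04-29T09:20:44+00:00", "ExitTime": null}
]"""


def _key(row):
    # PIDs are reused over the life of a system, so key on PID plus creation time.
    return (row["PID"], row["CreateTime"])


def psxview(pslist_json, psscan_json):
    """Return (hidden, exited): rows the pool scan found that the linked list lacks.
    A populated ExitTime explains the gap (terminated, EPROCESS not yet freed);
    an empty ExitTime with no pslist entry is the unlinked-process indicator."""
    linked = {_key(r) for r in json.loads(pslist_json)}
    hidden, exited = [], []
    for row in json.loads(psscan_json):
        if _key(row) in linked:
            continue
        (exited if row.get("ExitTime") else hidden).append(row)
    return hidden, exited


if __name__ == "__main__":
    hidden, exited = psxview(PSLIST_JSON, PSSCAN_JSON)
    for r in hidden:
        print(f"UNLINKED pid={r['PID']:<6} {r['ImageFileName']} (no ExitTime, absent from pslist)")
    for r in exited:
        print(f"exited   pid={r['PID']:<6} {r['ImageFileName']} exit={r['ExitTime']}")
```

The same set difference, keyed on base address instead of PID, is the windows.driverscan versus windows.modules comparison from the list above.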

Timeline reconstruction

Volatility 3 windows.shimcache plus windows.amcache plus the MemProcFS timeline give a rich picture of the first 24 hours: process executions with timestamps, registry write times, prefetch traces, scheduled task firings. Cross-walk with the disk MFT to confirm.

What to ship to the SOC

  1. pstree.txt with cmdline annotations
  2. netscan.txt filtered to ESTABLISHED + LISTENING from non-system processes
  3. malfind dumps as raw bins for sandbox detonation
  4. hashdump and lsadump for credential rotation triage
  5. MemProcFS findevil + timeline for the incident write-up

  • Majority: in-memory only intrusions in 2024 IR reports
  • <10 min: time to first IOC with MemProcFS findevil
  • 5 to 50: credentials recovered from a typical LSASS dump

If you only do disk forensics in 2024, you are reading yesterday's newspaper.

Wrap

Volatility 3 plus MemProcFS plus pypykatz cover credentials, injection, persistence, and timeline in one acquisition. Acquire early, acquire often, and keep symbols cached for the day the network is down.
