Memory Forensics
Comprehensive techniques for acquiring, analyzing, and extracting artifacts from memory dumps for incident response and malware analysis.
Use this skill when
- Working on memory forensics tasks or workflows
- Needing guidance, best practices, or checklists for memory forensics
Do not use this skill when
- The task is unrelated to memory forensics
- You need a different domain or tool outside this scope
Instructions
- Clarify goals, constraints, and required inputs.
- Apply relevant best practices and validate outcomes.
- Provide actionable steps and verification.
- If detailed examples are required, open resources/implementation-playbook.md.
Best Practices
Acquisition Best Practices
1. Minimize footprint: Use lightweight acquisition tools
2. Document everything: Record time, tool, and hash of capture
3. Verify integrity: Hash memory dump immediately after capture
4. Chain of custody: Maintain proper forensic handling
Analysis Best Practices
1. Start broad: Get overview before deep diving
2. Cross-reference: Use multiple plugins for same data
3. Timeline correlation: Correlate memory findings with disk/network
4. Document findings: Keep detailed notes and screenshots
5. Validate results: Verify findings through multiple methods
Common Pitfalls
- Stale data: Memory is volatile, analyze promptly
- Incomplete dumps: Verify dump size matches expected RAM
- Symbol issues: Ensure correct symbol files for OS version
- Smear: Memory may change during acquisition
- Encryption: Some data may be encrypted in memory
Memory Acquisition
Live Acquisition Tools
Windows
```powershell
# WinPmem (recommended)
winpmem_mini_x64.exe memory.raw

# DumpIt
DumpIt.exe

# Belkasoft RAM Capturer: GUI-based, raw output
# Magnet RAM Capture: GUI-based, raw output
```
Linux
```bash
# LiME (Linux Memory Extractor)
sudo insmod lime.ko path=/tmp/memory.lime format=lime

# /dev/mem (restricted by the kernel; requires root)
sudo dd if=/dev/mem of=memory.raw bs=1M

# /proc/kcore (ELF format)
sudo cp /proc/kcore memory.elf
```
macOS
```bash
# osxpmem
sudo ./osxpmem -o memory.raw

# MacQuisition (commercial)
```
Virtual Machine Memory
```bash
# VMware: the .vmem file is raw memory
cp vm.vmem memory.raw

# VirtualBox: use the debug console
vboxmanage debugvm VMName dumpvmcore --filename memory.elf

# QEMU (via libvirt); <domain> is the guest name
virsh dump <domain> memory.raw --memory-only

# Hyper-V: checkpoints contain the memory state
```
Volatility 3 Framework
Installation and Setup
```bash
# Install Volatility 3
pip install volatility3

# Install symbol tables (Windows)
# Download from https://downloads.volatilityfoundation.org/volatility3/symbols/

# Basic usage
vol -f memory.raw <plugin>

# Specify the symbol path
vol -f memory.raw -s /path/to/symbols windows.pslist
```
Essential Plugins
Process Analysis
```bash
# List processes (walks the EPROCESS linked list)
vol -f memory.raw windows.pslist

# Process tree (parent/child relationships)
vol -f memory.raw windows.pstree

# Hidden process detection (carves EPROCESS objects from memory)
vol -f memory.raw windows.psscan

# Dump process memory
vol -f memory.raw windows.memmap --pid <PID> --dump

# Process environment variables
vol -f memory.raw windows.envars --pid <PID>

# Command-line arguments
vol -f memory.raw windows.cmdline
```
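The pslist/psscan cross-check behind "hidden process detection", as an added example that is not part of the original page: it parses constructed, tab-separated Volatility 3 output (column order assumed from the quick renderer), reports processes psscan finds that pslist does not, and uses ExitTime to separate unlinked live processes from merely terminated ones.

```python
"""Cross-reference windows.pslist and windows.psscan (constructed sample data below).
pslist walks EPROCESS.ActiveProcessLinks, so a process unlinked from that list is absent
there but still found by psscan, which carves EPROCESS objects from physical memory.
psscan also returns terminated processes; ExitTime separates the two cases."""
from dataclasses import dataclass

# Column indexes assumed from the Volatility 3 quick (tab-separated) renderer.
PID, PPID, NAME, OFFSET, EXIT_TIME = 0, 1, 2, 3, 9

@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    name: str
    offset: str
    exit_time: str

def parse_vol_table(text: str) -> dict:
    """Key on (PID, EPROCESS offset): PIDs are reused, offsets are not."""
    procs = {}
    for line in text.strip().splitlines()[1:]:  # skip the header row
        f = line.split("\t")
        p = Proc(int(f[PID]), int(f[PPID]), f[NAME], f[OFFSET], f[EXIT_TIME].strip())
        procs[(p.pid, p.offset)] = p
    return procs

def find_unlinked(pslist_text: str, psscan_text: str):
    """Return (hidden, terminated): psscan hits that pslist does not show."""
    listed = parse_vol_table(pslist_text)
    hidden, terminated = [], []
    for key, p in parse_vol_table(psscan_text).items():
        if key not in listed:
            # No ExitTime means the process is still live yet missing from the list.
            (terminated if p.exit_time != "N/A" else hidden).append(p)
    return hidden, terminated

HEADER = "PID\tPPID\tImageFileName\tOffset(V)\tThreads\tHandles\tSessionId\tWow64\tCreateTime\tExitTime\tFile output"
LISTED = [  # constructed rows, not from a real image
    "4\t0\tSystem\t0xfa8000010000\t120\t600\tN/A\tFalse\t2024-01-01 10:00:00.000000 \tN/A\tDisabled",
    "624\t4\tsmss.exe\t0xfa8000020000\t2\t50\tN/A\tFalse\t2024-01-01 10:00:01.000000 \tN/A\tDisabled",
    "1234\t624\texplorer.exe\t0xfa8000030000\t30\t900\t1\tFalse\t2024-01-01 10:01:00.000000 \tN/A\tDisabled",
]
SCANNED_ONLY = [  # one unlinked live process, one that simply exited
    "2048\t1234\thidden.exe\t0xfa8000040000\t5\t120\t1\tFalse\t2024-01-01 10:05:00.000000 \tN/A\tDisabled",
    "3100\t1234\tnotepad.exe\t0xfa8000050000\t0\t0\t1\tFalse\t2024-01-01 10:02:00.000000 \t2024-01-01 10:03:00.000000 \tDisabled",
]
PSLIST_SAMPLE = "\n".join([HEADER] + LISTED)
PSSCAN_SAMPLE = "\n".join([HEADER] + LISTED + SCANNED_ONLY)
```

Calling `find_unlinked(PSLIST_SAMPLE, PSSCAN_SAMPLE)` returns hidden.exe as unlinked and notepad.exe as terminated; on real output, feed it the saved pslist.txt and a psscan capture.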
Network Analysis
```bash
# Network connections (carved from pool memory)
vol -f memory.raw windows.netscan

# Network connection state
vol -f memory.raw windows.netstat
```
DLL and Module Analysis
```bash
# DLLs loaded by each process
vol -f memory.raw windows.dlllist --pid <PID>

# Find hidden/injected DLLs (compares the three PEB loader lists)
vol -f memory.raw windows.ldrmodules

# Kernel modules
vol -f memory.raw windows.modules

# Dump kernel modules
vol -f memory.raw windows.modules --dump
```
Memory Injection Detection
```bash
# Detect code injection
vol -f memory.raw windows.malfind

# VAD (Virtual Address Descriptor) analysis
vol -f memory.raw windows.vadinfo --pid <PID>

# YARA-scan process memory regions (VADs)
vol -f memory.raw windows.vadyarascan --yara-rules rules.yar
```
Registry Analysis
```bash
# List registry hives
vol -f memory.raw windows.registry.hivelist

# Print a registry key (quote the path so the shell keeps the backslashes)
vol -f memory.raw windows.registry.printkey --key 'Software\Microsoft\Windows\CurrentVersion\Run'

# Dump registry hives
vol -f memory.raw windows.registry.hivelist --dump
```
File System Artifacts
```bash
# Scan for file objects
vol -f memory.raw windows.filescan

# Dump files from memory
vol -f memory.raw windows.dumpfiles --pid <PID>

# MFT analysis
vol -f memory.raw windows.mftscan
```
Linux Analysis
```bash
# Process list
vol -f memory.raw linux.pslist

# Process tree
vol -f memory.raw linux.pstree

# Bash history
vol -f memory.raw linux.bash

# Network connections
vol -f memory.raw linux.sockstat

# Loaded kernel modules
vol -f memory.raw linux.lsmod

# Mount points
vol -f memory.raw linux.mount

# Environment variables
vol -f memory.raw linux.envars
```
macOS Analysis
```bash
# Process list
vol -f memory.raw mac.pslist

# Process tree
vol -f memory.raw mac.pstree

# Network connections
vol -f memory.raw mac.netstat

# Kernel extensions
vol -f memory.raw mac.lsmod
```
Analysis Workflows
Malware Analysis Workflow
```bash
# 1. Initial process survey
vol -f memory.raw windows.pstree > processes.txt
vol -f memory.raw windows.pslist > pslist.txt

# 2. Network connections
vol -f memory.raw windows.netscan > network.txt

# 3. Injection detection
vol -f memory.raw windows.malfind > malfind.txt

# 4. Analyze suspicious processes
vol -f memory.raw windows.dlllist --pid <PID>
vol -f memory.raw windows.handles --pid <PID>

# 5. Dump suspicious executables
vol -f memory.raw windows.pslist --pid <PID> --dump

# 6. Extract strings from the dump
strings -a pid.<PID>.exe > strings.txt

# 7. YARA scan
vol -f memory.raw windows.yarascan --yara-rules malware.yar
```
Incident Response Workflow
```bash
# 1. Event timeline (timeliner is a top-level plugin; -r csv selects the CSV renderer)
vol -r csv -f memory.raw timeliner > timeline.csv

# 2. User activity
vol -f memory.raw windows.cmdline
vol -f memory.raw windows.consoles

# 3. Persistence mechanisms
vol -f memory.raw windows.registry.printkey \
    --key 'Software\Microsoft\Windows\CurrentVersion\Run'

# 4. Services
vol -f memory.raw windows.svcscan

# 5. Scheduled tasks
vol -f memory.raw windows.scheduled_tasks

# 6. Recent files
vol -f memory.raw windows.filescan | grep -i recent
```
Data Structures
Windows Process Structures
```c
// EPROCESS (executive process)
typedef struct _EPROCESS {
    KPROCESS Pcb;                       // kernel process block
    EX_PUSH_LOCK ProcessLock;
    LARGE_INTEGER CreateTime;
    LARGE_INTEGER ExitTime;
    // ...
    LIST_ENTRY ActiveProcessLinks;      // doubly linked list walked by pslist
    ULONG_PTR UniqueProcessId;          // PID
    // ...
    PEB *Peb;                           // process environment block
    // ...
} EPROCESS;

// PEB (process environment block)
typedef struct _PEB {
    BOOLEAN InheritedAddressSpace;
    BOOLEAN ReadImageFileExecOptions;
    BOOLEAN BeingDebugged;              // anti-debugging check
    // ...
    PVOID ImageBaseAddress;             // base address of the executable
    PPEB_LDR_DATA Ldr;                  // loader data (DLL lists)
    PRTL_USER_PROCESS_PARAMETERS ProcessParameters;
    // ...
} PEB;
```
VAD (Virtual Address Descriptor)
```c
typedef struct _MMVAD {
    MMVAD_SHORT Core;
    union {
        ULONG LongFlags;
        MMVAD_FLAGS VadFlags;
    } u;
    // ...
    PVOID FirstPrototypePte;
    PVOID LastContiguousPte;
    // ...
    PFILE_OBJECT FileObject;            // backing file, NULL for private memory
} MMVAD;

// Memory protection flags
#define PAGE_EXECUTE            0x10
#define PAGE_EXECUTE_READ       0x20
#define PAGE_EXECUTE_READWRITE  0x40
#define PAGE_EXECUTE_WRITECOPY  0x80
```
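A malfind-style triage of VAD regions built on the protection constants above, added here as an example that is not from the original page: it takes constructed VAD records (protection already decoded to the Win32 constant, the way windows.vadinfo prints it) and flags private, non-file-backed, executable regions whose first page is not empty, separating injected PE images from headerless code.

```python
"""Malfind-style triage of VAD regions using the PAGE_EXECUTE_* constants.
Each record is a simplified view of what windows.vadinfo reports: bounds, decoded
protection, whether the memory is private, the backing file if any, and the first
bytes of the region. All records below are constructed, not real dump data."""
from dataclasses import dataclass
from typing import Optional

PAGE_READWRITE         = 0x04   # non-executable, used for the heap sample
PAGE_EXECUTE           = 0x10
PAGE_EXECUTE_READ      = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
EXECUTABLE = PAGE_EXECUTE | PAGE_EXECUTE_READ | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY

@dataclass(frozen=True)
class Vad:
    start: int
    end: int
    protection: int
    private: bool
    file: Optional[str]
    head: bytes                 # first bytes at the region start

def triage(vad: Vad) -> Optional[str]:
    """Return 'injected-pe', 'headerless-code', or None when the region is unremarkable."""
    if vad.file is not None or not vad.private:
        return None             # image/section mappings are expected to be executable
    if not (vad.protection & EXECUTABLE):
        return None             # heaps and stacks: writable but not executable
    if not any(vad.head):
        return None             # committed but never written; malfind skips these too
    return "injected-pe" if vad.head[:2] == b"MZ" else "headerless-code"

def scan(vads):
    """Map suspicious region start addresses to their verdict."""
    return {v.start: r for v in vads if (r := triage(v)) is not None}

SAMPLE = [  # constructed: one image mapping, one heap, then three private RX/RWX regions
    Vad(0x7ff6a0000000, 0x7ff6a00fffff, PAGE_EXECUTE_WRITECOPY, False, r"\Windows\explorer.exe", b"MZ\x90\x00"),
    Vad(0x1c000000, 0x1c00ffff, PAGE_READWRITE, True, None, b"Heap"),
    Vad(0x1c100000, 0x1c10ffff, PAGE_EXECUTE_READWRITE, True, None, b"MZ\x90\x00\x03"),
    Vad(0x1c200000, 0x1c20ffff, PAGE_EXECUTE_READWRITE, True, None, b"\x00" * 16),
    Vad(0x1c300000, 0x1c30ffff, PAGE_EXECUTE_READ, True, None, b"\x55\x48\x89\xe5"),
]

if __name__ == "__main__":
    for start, verdict in scan(SAMPLE).items():
        print(f"{start:#014x}  {verdict}")
```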
Detection Patterns
Process Injection Indicators
```python
# Malfind indicators
#
```