memory-forensics

What problem does it solve?

This Skill enables analysts to analyze volatile memory dumps to detect malware, rootkits, credential theft, and memory-resident activity, accelerating investigations and response.

Core Features & Use Cases

• Memory Image Acquisition: Guide acquisition of memory dumps using tools such as WinPMEM, Lime, DumpIt, or FTK Imager.
• Process Analysis: Enumerate running processes, detect hidden or injected processes, and analyze process trees.
• DLL/Module Analysis: Identify loaded modules, detect DLL injection, and identify hollowed processes.
• Network Connection Analysis: Extract active network connections, listening ports, and socket information, and map to processes.
• Registry Hive Extraction: Extract memory-resident registry hive data for offline analysis.
• Credential Extraction: Locate credentials, password hashes, Kerberos tickets, and cached credentials in memory.
• Malware and Rootkit Detection: Detect code injection, API hooks, SSDT/IDT modifications, and DKOM indicators.
• Timeline Generation: Build memory-based timelines of process execution and system events.
• Use Case: In a malware outbreak, rapidly identify memory-resident indicators and reconstruct the attack chain.

Quick Start

Start by loading a memory image and initializing the analysis pipeline to enumerate processes and detect suspicious activity.