Memory Forensics (Volatility 3 / Memory Baseliner)

Community

Uncover hidden threats in memory images fast.

Author: rjonhaas
Version: 1.0.0
Installs: 0

System Documentation

What problem does it solve?

Memory images often contain concealed processes, injected code, and historical network/service activity that aren’t visible from disk alone, making incident triage slow and incomplete.

Core Features & Use Cases

  • Hidden process and anomaly discovery: Use Volatility 3 to enumerate processes and highlight discrepancies between psscan and pslist (for example, processes found by the pool scan but absent from the linked process list), then expand into parent-child relationships, command lines, tokens/privileges, handles, and loaded DLLs to explain suspicious activity.
  • Code injection and artifact extraction: Identify RWX/VAD anomalies and suspicious memory regions (malfind, vadinfo, vadyarascan), then dump relevant files and process memory for deeper inspection.
  • Baseline-based deviation detection: Compare suspect images against a known-good JSON baseline (processes, drivers, services) using Memory Baseliner to focus analyst attention on what truly changed.
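The psscan-versus-pslist comparison and the baseline check described above, as an added example that is not part of the SIFTics skill. It assumes rows shaped like Volatility 3 JSON output (`PID`, `PPID`, `ImageFileName`, `CreateTime`, `ExitTime`); all sample rows and the baseline are constructed, and the baseline format is a simplification of the real Memory Baseliner JSON.

```python
"""Triage helpers for Volatility 3 process output (added example; not part of the
SIFTics skill). Assumes rows shaped like `vol -r json ... windows.pslist` /
`windows.psscan` output; all data is constructed and the baseline is simplified."""

# Constructed: what windows.pslist reports by walking the EPROCESS linked list.
PSLIST = [
    {"PID": 4, "PPID": 0, "ImageFileName": "System", "CreateTime": "2024-01-01 08:00:00", "ExitTime": None},
    {"PID": 600, "PPID": 4, "ImageFileName": "smss.exe", "CreateTime": "2024-01-01 08:00:01", "ExitTime": None},
    {"PID": 1234, "PPID": 800, "ImageFileName": "explorer.exe", "CreateTime": "2024-01-01 08:01:00", "ExitTime": None},
]
# Constructed: windows.psscan (pool-tag scan) also finds an unlinked process and an exited one.
PSSCAN = PSLIST + [
    {"PID": 4242, "PPID": 1234, "ImageFileName": "svch0st.exe", "CreateTime": "2024-01-01 09:00:00", "ExitTime": None},
    {"PID": 3100, "PPID": 1234, "ImageFileName": "notepad.exe", "CreateTime": "2024-01-01 08:30:00", "ExitTime": "2024-01-01 08:45:00"},
]
# Constructed, simplified baseline: lowercase process name -> acceptable parent names
# (userinit.exe normally exits after launching explorer, so its parent is often unresolvable).
BASELINE = {
    "system": {"<unknown>"},
    "smss.exe": {"system"},
    "explorer.exe": {"userinit.exe", "<unknown>"},
    "notepad.exe": {"explorer.exe"},
}

def _key(p):
    # PID alone is unsafe (PIDs are reused); pair it with image name and creation time.
    return (p["PID"], p["ImageFileName"], p["CreateTime"])

def hidden_processes(pslist, psscan):
    """Return (hidden, terminated): psscan rows missing from pslist, split on ExitTime.
    A missing row with an ExitTime is usually a normally exited process still in memory,
    not an unlinked one, so it is reported separately to cut false positives."""
    listed = {_key(p) for p in pslist}
    hidden, terminated = [], []
    for p in psscan:
        if _key(p) not in listed:
            (terminated if p.get("ExitTime") else hidden).append(p)
    return hidden, terminated

def baseline_deviations(baseline, processes):
    """Flag processes absent from the baseline or running under an unexpected parent."""
    name_by_pid = {p["PID"]: p["ImageFileName"].lower() for p in processes}
    findings = []
    for p in processes:
        name = p["ImageFileName"].lower()
        parent = name_by_pid.get(p["PPID"], "<unknown>")
        expected = baseline.get(name)
        if expected is None:
            findings.append((name, "not in baseline"))
        elif parent not in expected:
            findings.append((name, f"unexpected parent {parent}"))
    return findings
```

Running `hidden_processes(PSLIST, PSSCAN)` on the sample data reports `svch0st.exe` as hidden and `notepad.exe` as merely terminated; `baseline_deviations(BASELINE, PSSCAN)` flags only the masquerading name that has no baseline entry.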

Quick Start

Run Volatility 3 against your image as root to produce the process, network, injection, and extraction artifacts: invoke the memory-analysis skill with the path to your Windows memory image, then follow the plugin sequence it recommends; outputs are written to the analysis and exports directories.

Dependency Matrix

Required Modules

None required

Components

Standard package

💻 Claude Code Installation

Recommended: Let Claude install automatically. Simply copy and paste the text below to Claude Code.

Please help me install this Skill:
Name: Memory Forensics (Volatility 3 / Memory Baseliner)
Download link: https://github.com/rjonhaas/SIFTics/archive/main.zip#memory-forensics-volatility-3-memory-baseliner

Please download this .zip file, extract it, and install it in the .claude/skills/ directory.
