The standard of Incident Response differs from organizational cunts to other cunts. NIST:(PDCP)

1. Preparation
2. Detection and Analysis
3. Containment, Eradication and Recovery
4. Post-Incident Activity

Similary, from SANS handbook: (PICERL)

1. Preparation
2. Identification
3. Containment
4. Eradication
5. Recovery
6. Lessons Learned

Memory Analysis Introduction

Volatile Memory

Memory that stores data and holds it while the computer is running. So you better capture it while it lasts asap.

Concept of Virtual Memory: When a program runs, the OS assigns it virtual memory in the RAM or even DISK if needed. If the RAM is full, then swap memory space (that is reserved) in the DISK is used to store the data ( all done by OS under the hood). This impacts memory analysis because some forensic artifacts may reside in RAM while other may be temporarily stored in the swap files.

RAM Structure

• Kernel Space- reserved for OS and low level services like device drivers and memory access.
• User space- for user and user applications. Each process gets it own separate space, protected (probably paged).

Within a user process, it has several regions:

• Stack- for temporary data brrr
• Heap- for DMA of objects and buffers
• Executable (.text) - stores the actual code or instruction the CPU runs.
• Data Sections- Stores global variables and stuffs the executable needs.

For basic example, encryption key may be found on heap and shell commands may be on the stack.

RAM for Forensic Analysis

RAM Includes:

• Running processes and loaded exe
• Open network connections and ports.
• Logged in users and recent commands
• Decrypted content, including encryption keys
• Injected code or fileless malware or fileless interpreters

The information stored in RAM often reveals evidence not available in disk forensics, especially for attacks that do not write files to disk.

Memory forensics is often used early in an investigation to capture data that disappears on shutdown. It helps collect active processes, network connections and other live artificats.

It is very useful when dealing with in-memory threats, fileless malware, or credential theft. Memory analysis provides a snapshot of system activity that can help during an investigation.

Memory Dumps

A memory dump is a snapshot of a system's RAM at a specific point in a time.

Tools like Mimikatz are often used to extract credentials directly from memory, making memory dumps an important defensive focus.

How Memory Dumps are Created?

On Windows, tools like built in crash dumps, Sysinternals’ RAMMap, or third-party utilities such as WinPmem and FTK Imager can be used to generate full or selective memory captures.

Some methods include kernel mode dupms located at %SystemRoot%\MEMORY.DMP ad hibernation files stored as %SystemDrive%\hiberfil.sys.

On Linux and macOS, we can use tools like LiME (Linux Memory Extractor) or dd with access to /dev/mem or /proc/kcore, depending on kernel protections.

Types:

• Full Memory Dump- Captures the whole RAM, including user space and kernel space. Useful for Malware Analysis.
• Process Dump - Captures the memory of a single running process.
• Pagefile and Swap Analysis - On Windows, memory content is stored in pagefile.sys when disk is used, and on Linux, in the swap partition or swapfile. These can contain fragments of data that were once in RAM, offering additional context.

Challenges in Memory Acquisition

Attackers may deploy anti-forensics techniques to tamper with memory capture tools or hide their presence in RAM. Common examples include:

Memory-Based Threat Indicators

Common artifcats that analysts look for in memory:

• Suspicious or malicious process that are running without a corresponding file on disk.
• DLL injection where malicious code is injected into memory space of legit process.
• Process hollowing, where the memory of a trusted process is replaced with malicious code.
• API hooking, used to intercept or alter normal function calls to hide activity or manipulate system behavior.
• Rootkits, especially those operating in kernel space which manipulate memory structures to hide files, processes or network connections.

Credential Access Attacks

1. T1071 - Application Layer Protocol : Command and Control

Modern malware often communicates with external servers without dropping files. This fileless malware uses memory-resident payloads to fetch commands or exfiltrate data through standard protocols like HTTP, HTTPS, or DNS. In memory, analysts can find decrypted C2 configurations, IP addresses, or beacons that are not logged anywhere else to try to find artifacts.

C2 - Command and Control

In cybersecurity and malware analysis, C2 is the communication channel between:

• 📱 Infected systems (bots, implants, RATs)

• 🌐 Attacker’s command servers

In-Memory Script Execution (T1086)

T1086 – PowerShell
Scripts executed directly from memory are harder to trace because they don't touch the disk. Attackers use PowerShell or other interpreters (e.g., Python, WMI) to execute code in RAM. Memory analysis may reveal full script contents, encoded commands, or runtime artifacts in the PowerShell process memory.

Persistence Techniques in Memory

These persistence mechanisms can be identified by spotting related artifacts during a live memory analysis:

T1053.005 – Scheduled Task/Job: Scheduled Task
Task Scheduler creates jobs that execute at intervals or startup. During a memory analysis, we can look for processes like schtasks.exe and memory strings that contain task names or malicious payload paths.

T1543.003 – Create or Modify System Process: Windows Service
Malicious services may run in the background under services.exe. We may find unusual service names, binaries, or configurations in memory that can relate to this technique.

T1547.001 – Registry Run Keys / Startup Folder
Malware adds entries to HKCU\Software\Microsoft\Windows\CurrentVersion\Run to execute on boot. These values can often be recovered from memory or found within registry hives cached in RAM.

Lateral Movement via Memory Artifacts

Memory forensics can also expose attempts at lateral movement across systems. Common techniques include:

T1021.002 – Remote Services: SMB/Windows Admin Shares (PsExec)
PsExec enables command execution on remote systems. Analysts might find PsExec-related services or command-line arguments in memory indicating lateral movement.

T1021.006 – Remote Services: Windows Remote Management (WinRM)
WinRM provides PowerShell remoting. Look for wsmprovhost.exe and memory references to remote session initialization.

T1059.001 – Command and Scripting Interpreter: PowerShell (Remote)
PowerShell is commonly used for remote command execution. Analysts can detect base64-encoded or obfuscated commands within memory of the PowerShell process.

T1047 – Windows Management Instrumentation (WMI)
WMI commands like wmic process call create may be used to spawn remote processes. Associated command strings or class references may be cached in memory.

Volatility Essentials

Objectives:

• Getting familiar with Volatility Framework
• Navigate and utilise basic Volatility commands and plugins
• Conduct forensic analysis to identify key artifacts such as running processes and loaded DLL using Volatility

Volatility Overview

Volatility is an open-source memory forensics framework that is cross-platform, modular and extensible.

Architectural Overview

• Memory layers: These layers represent the hierarchy of address spaces, from raw memory to virtual address translations.
• Symbol tables: The tables enable kernel and process structures to be interpreted through OS-specific debugging symbols.
• Plugins: These are modular routines that leverage the underlying memory layers and symbol tables to extract artefacts of forensic interest.