Memory & Network Forensics
55 min
Memory Forensics
RAM analysis is one of the most powerful forensic techniques: running processes, live network connections, encryption keys, plaintext passwords and fileless malware exist only in memory and cannot be recovered from disk. Because a dump is a snapshot of volatile state, every artifact below is tied to the moment of capture.
VOLATILITY 3 - MEMORY ANALYSIS FRAMEWORK
══════════════════════════════════════════════
# List running processes (walks the kernel's linked process list)
python vol.py -f memory.dmp windows.pslist
# Find unlinked/hidden processes by scanning memory for pool tags, then show
# parent/child relationships; always compare psscan output against pslist
python vol.py -f memory.dmp windows.psscan
python vol.py -f memory.dmp windows.pstree
# Network connections at time of capture (netscan also recovers closed sockets)
python vol.py -f memory.dmp windows.netstat
python vol.py -f memory.dmp windows.netscan
# Dump a process's memory regions (malware analysis)
python vol.py -f memory.dmp windows.memmap --pid 1234 --dump
# Find injected code (process hollowing, DLL injection)
python vol.py -f memory.dmp windows.malfind
# List and extract registry hives from memory
python vol.py -f memory.dmp windows.registry.hivelist --dump
# Recover cached encryption passphrases/keys
python vol.py -f memory.dmp windows.truecrypt    # shipped with Volatility 3
python vol.py -f memory.dmp windows.bitlocker    # community plugin, installed separately
══════════════════════════════════════════════
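The pslist/psscan comparison above is the step most analysts script. The following is an added example, not part of this page or of the Volatility project; it assumes both plugins were run with Volatility 3's JSON renderer (`python vol.py -f memory.dmp -r json windows.pslist`, likewise for psscan) and embeds constructed sample output so it runs without a memory image. Only the PID, PPID, ImageFileName and ExitTime columns are kept; the other columns the plugins emit are dropped for brevity.

```python
"""Compare Volatility 3 pslist and psscan output to surface hidden processes.

Added example; not part of Volatility. Assumes both plugins were run with
`-r json`. The two JSON samples below are constructed to mimic that shape.
"""
import json

# Constructed sample: what the list walk (pslist) sees. PID 1337 is absent.
PSLIST_JSON = json.dumps([
    {"PID": 4, "PPID": 0, "ImageFileName": "System", "ExitTime": None},
    {"PID": 612, "PPID": 4, "ImageFileName": "smss.exe", "ExitTime": None},
    {"PID": 2288, "PPID": 900, "ImageFileName": "explorer.exe", "ExitTime": None},
])

# Constructed sample: pool-tag scan (psscan). It also contains the unlinked
# process (1337) and a legitimately terminated one (3100) that pslist misses.
PSSCAN_JSON = json.dumps([
    {"PID": 4, "PPID": 0, "ImageFileName": "System", "ExitTime": None},
    {"PID": 612, "PPID": 4, "ImageFileName": "smss.exe", "ExitTime": None},
    {"PID": 2288, "PPID": 900, "ImageFileName": "explorer.exe", "ExitTime": None},
    {"PID": 1337, "PPID": 2288, "ImageFileName": "svch0st.exe", "ExitTime": None},
    {"PID": 3100, "PPID": 2288, "ImageFileName": "notepad.exe",
     "ExitTime": "2024-03-01 10:15:02.000000 UTC"},
])


def load_pids(raw_json):
    """Return {PID: row} from a Volatility 3 JSON renderer dump.

    Keyed by PID for simplicity; on a real image PIDs are reused, so also
    compare CreateTime when two rows share a PID.
    """
    return {row["PID"]: row for row in json.loads(raw_json)}


def find_hidden_processes(pslist_json, psscan_json):
    """Return (suspicious, terminated): rows psscan found but pslist did not.

    - no ExitTime and missing from the list walk: consistent with DKOM
      unlinking, so treat as suspicious
    - ExitTime set: usually a terminated process whose pool memory has not
      been reused yet; record it, but it is not malicious by itself
    """
    listed = load_pids(pslist_json)
    scanned = load_pids(psscan_json)
    suspicious, terminated = [], []
    for pid, row in scanned.items():
        if pid in listed:
            continue
        (terminated if row.get("ExitTime") else suspicious).append(row)
    return suspicious, terminated


def main():
    suspicious, terminated = find_hidden_processes(PSLIST_JSON, PSSCAN_JSON)
    for row in suspicious:
        print(f"HIDDEN  pid={row['PID']} ppid={row['PPID']} {row['ImageFileName']}")
    for row in terminated:
        print(f"EXITED  pid={row['PID']} {row['ImageFileName']} at {row['ExitTime']}")


if __name__ == "__main__":
    main()
```

A process that appears only in psscan and has no exit time is the classic DKOM signature; follow up with windows.pstree on its PPID and windows.malfind on its PID before drawing conclusions.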
Network Forensics
Analyzing network traffic to reconstruct events, identify attackers, and recover transmitted data.
- Wireshark — GUI packet analyzer; deep protocol dissection; follow TCP streams
- tcpdump — CLI packet capture; scriptable for automated collection
- NetworkMiner — Passive analysis; reconstructs files from PCAP
- Zeek (Bro) — Network traffic analysis framework; generates rich log files
- Arkime (Moloch) — Large-scale PCAP storage and analysis
WIRESHARK FORENSIC FILTERS
──────────────────────────────────────────────
http.request.method == "POST"              # Find data exfil via HTTP POST
dns.flags.response == 1                    # DNS responses (name resolution)
tcp.flags.syn == 1 && tcp.flags.ack == 0   # New connection attempts (SYN only)
ip.addr == 192.168.1.100                   # Traffic from/to a specific host
smtp                                       # Email traffic
ftp-data                                   # FTP file transfers
tls.handshake.type == 1                    # TLS Client Hello (ssl.* is the deprecated pre-3.0 name)
──────────────────────────────────────────────
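To show what the SYN-only and HTTP POST filters actually match on the wire, here is an added example (not from this page or from Wireshark) that parses a legacy pcap by hand in pure Python and reimplements those two filters. It assumes little-endian pcap with Ethernet link type and builds its own capture inline, so it runs without scapy, tshark or a real PCAP file. Unlike Wireshark's http dissector it does not reassemble TCP streams, so it only sees a POST whose request line starts a segment.

```python
"""Reimplement two Wireshark filters over a raw pcap in pure Python.

Added example, not from the original page or from Wireshark. Parses legacy
pcap (magic 0xa1b2c3d4, link type 1 = Ethernet); the capture is constructed.
"""
import struct

ETH_HDR_LEN = 14
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6
TCP_FLAG_SYN = 0x02
TCP_FLAG_PSH = 0x08
TCP_FLAG_ACK = 0x10


def build_tcp_packet(src_ip, dst_ip, sport, dport, flags, payload=b""):
    """Constructed Ethernet/IPv4/TCP frame; checksums left zero (not checked here)."""
    eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1 if flags & TCP_FLAG_ACK else 0,
                      5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, PROTO_TCP, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return eth + ip + tcp


def build_pcap(frames):
    """Wrap frames in a pcap global header plus per-record headers."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(frame), len(frame)) + frame
    return out


def iter_frames(pcap_bytes):
    """Yield raw frames from a little-endian legacy pcap file."""
    magic, = struct.unpack_from("<I", pcap_bytes, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("not a little-endian pcap (pcapng / byte-swapped files not handled)")
    off = 24
    while off + 16 <= len(pcap_bytes):
        _, _, incl_len, _ = struct.unpack_from("<IIII", pcap_bytes, off)
        off += 16
        yield pcap_bytes[off:off + incl_len]
        off += incl_len


def parse_tcp(frame):
    """Return (src, dst, sport, dport, flags, payload) or None if not IPv4/TCP."""
    if len(frame) < ETH_HDR_LEN + 40 or struct.unpack_from("!H", frame, 12)[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[ETH_HDR_LEN:]
    if ip[9] != PROTO_TCP:
        return None
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack_from("!H", ip, 2)[0]
    src = ".".join(map(str, ip[12:16]))
    dst = ".".join(map(str, ip[16:20]))
    tcp = ip[ihl:total_len]
    sport, dport = struct.unpack_from("!HH", tcp, 0)
    data_off = (tcp[12] >> 4) * 4          # TCP header length in bytes
    return src, dst, sport, dport, tcp[13], tcp[data_off:]


def new_connections(pcap_bytes):
    """Equivalent of: tcp.flags.syn == 1 && tcp.flags.ack == 0"""
    hits = []
    for frame in iter_frames(pcap_bytes):
        pkt = parse_tcp(frame)
        if pkt and pkt[4] & TCP_FLAG_SYN and not pkt[4] & TCP_FLAG_ACK:
            hits.append((pkt[0], pkt[2], pkt[1], pkt[3]))
    return hits


def http_posts(pcap_bytes):
    """Equivalent of: http.request.method == "POST" (no stream reassembly)."""
    hits = []
    for frame in iter_frames(pcap_bytes):
        pkt = parse_tcp(frame)
        if pkt and pkt[5].startswith(b"POST "):
            hits.append((pkt[0], pkt[1], pkt[5].split(b"\r\n", 1)[0].decode("ascii", "replace")))
    return hits


# Constructed capture: a three-way handshake followed by an exfiltrating POST.
SAMPLE_PCAP = build_pcap([
    build_tcp_packet("10.0.0.5", "203.0.113.9", 49152, 80, TCP_FLAG_SYN),
    build_tcp_packet("203.0.113.9", "10.0.0.5", 80, 49152, TCP_FLAG_SYN | TCP_FLAG_ACK),
    build_tcp_packet("10.0.0.5", "203.0.113.9", 49152, 80, TCP_FLAG_ACK),
    build_tcp_packet("10.0.0.5", "203.0.113.9", 49152, 80, TCP_FLAG_ACK | TCP_FLAG_PSH,
                     b"POST /upload HTTP/1.1\r\nHost: 203.0.113.9\r\n\r\nsecret=..."),
])

if __name__ == "__main__":
    print("new connections:", new_connections(SAMPLE_PCAP))
    print("HTTP POSTs:", http_posts(SAMPLE_PCAP))
```

The SYN-only check fires once per connection attempt (the SYN/ACK reply is excluded because ACK is set), which is why that filter is a quick way to enumerate who initiated what. For real evidence use Wireshark or Zeek, which reassemble streams and handle pcapng, VLAN tags and IPv6; this parser deliberately does none of that.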