77%
of successful breaches in 2025 involved fileless or memory-resident malware techniques at some stage — disk forensics alone misses the majority of attack evidence
Volatility 3
the current standard open source memory analysis framework — supports Windows, Linux, and macOS memory images with 100+ analysis plugins
30 seconds
the approximate time to acquire a 16GB RAM image using WinPMem on a live Windows system — critical to capture before the system is rebooted and memory is lost
0 disk artifacts
fileless malware that runs entirely in PowerShell or reflectively loads DLLs creates zero file system artifacts — memory is the only forensic evidence source

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

When EDR alerts fire on a process behaving suspiciously but disk forensics finds nothing — no dropped files, no registry entries, no persistence mechanism — the attacker is likely operating in memory only. Fileless malware, reflective DLL injection, process hollowing, and PowerShell-based attacks leave their payloads exclusively in RAM. A reboot destroys all evidence.

Memory forensics captures a snapshot of RAM while the system is still running, preserving the in-memory state for analysis: running processes including injected code, open network connections (including active C2 channels), loaded modules, decrypted strings, and registry hive contents from the kernel's in-memory copy. This guide covers the acquisition and Volatility analysis workflow used in production incident response.

RAM acquisition: capturing memory before it disappears

Memory must be acquired from a live system before shutdown. The acquisition process must be completed quickly — on cloud instances, evidence may be captured via snapshot; on physical or virtual machines, a memory acquisition tool runs on the live system.

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

Volatility 3: the analysis framework

Volatility 3 is the current major version of the open source memory forensics framework. It uses symbol tables (ISF files) rather than profiles for OS identification — most modern Windows symbol tables are automatically retrieved from Microsoft's symbol server.

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

High-value memory artifacts for specific attack techniques

Different attack techniques leave characteristic memory artifacts. Knowing what to look for reduces analysis time.

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

Linux and macOS memory forensics

Volatility 3 supports Linux and macOS memory analysis with the same plugin architecture. Linux analysis is particularly relevant for cloud server incidents.

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

The bottom line

Memory forensics is the forensic discipline that exposes what disk analysis misses: fileless malware, injected code, active C2 connections, and decrypted payloads. The prerequisite is capturing RAM before reboot — WinPMem for Windows, LiME for Linux, cloud snapshots for cloud instances. Volatility 3's malfind, pslist, psscan, and netstat plugins address the most common incident response scenarios in under an hour of analysis. For organizations responding to sophisticated intrusions where disk forensics produces no findings, memory acquisition is the next step that often breaks the case open.

Frequently asked questions

Does memory acquisition require taking the system offline?

No — memory acquisition runs on the live system without requiring shutdown or reboot. WinPMem and LiME acquire from a running system. The system remains operational during acquisition, though there will be minor performance impact during the read. This is the key advantage of memory forensics: you capture the live state including active connections and in-memory malware without losing the evidence that a reboot would destroy. After acquisition completes, you have a point-in-time snapshot of RAM for offline analysis.

How do you analyze memory from a system you cannot physically access?

For remote memory acquisition: Velociraptor (open source IR platform) supports remote memory acquisition via an agent deployed on the endpoint — you trigger acquisition from the Velociraptor server and the memory image is uploaded to a collection server. For cloud VMs: use platform-specific mechanisms (AWS EC2 snapshot, Azure Run Command with WinPMem, GCP gcloud ssh). For EDR-integrated memory forensics: Crowdstrike Falcon, Microsoft Defender for Endpoint, and other enterprise EDR platforms include memory scanning capabilities that do not require full memory image acquisition — they run analysis modules against live process memory remotely.

What is the difference between Volatility 2 and Volatility 3?

Volatility 2 used 'profiles' — OS-specific data structure definitions compiled into the tool. Profiles required matching the exact OS version and build number. Volatility 3 uses ISF (Intermediate Symbol File) symbol tables derived from debug symbols, which are automatically retrieved from Microsoft's symbol server for Windows images — no manual profile selection required for most Windows versions. Volatility 3 also has improved performance for large memory images and a cleaner plugin API. Most new plugins are written for Volatility 3. Use Volatility 3 for new investigations; Volatility 2 legacy plugins may still be needed for very old OS versions or specialized use cases not yet ported.

Sources & references

  1. Volatility Foundation
  2. The Art of Memory Forensics (Ligh, Case, Levy, Walters)
  3. SANS Memory Forensics Cheat Sheet

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.