Loopus



Volatility Fundamentals


Learning Objectives

  • Analyze memory images using Volatility
  • Extract process and network artifacts
  • Detect signs of malware and intrusion

Memory Analysis with Volatility

Volatility is the standard open-source framework for memory forensics. It parses a raw memory image using knowledge of the operating system's internal data structures and exposes the results through plugins, so understanding those plugins is what lets you extract and interpret the artifacts held in memory. The commands in this lesson use Volatility 2 syntax (a profile selected with --profile); Volatility 3 replaces profiles with automatically resolved symbol tables and prefixes plugin names with the operating system, for example windows.pslist.

Getting Started

Volatility analyzes raw memory images (as well as crash dumps and hibernation files). Before any plugin can walk kernel structures it needs a profile: the operating system, build or service pack, and architecture of the source system, because structure offsets differ between builds.

volatility -f memory.dmp imageinfo

The imageinfo plugin lists suggested profiles, often more than one. Select the one matching the known source system; if the source is unknown or the suggestions are ambiguous, run kdbgscan, which locates the kernel debugger data block and reports which profile it validates against. Pass the chosen profile to every later command with --profile. A wrong profile usually shows up as empty or nonsensical pslist output rather than as an error, so verify the choice with a quick process listing before going further.

Core Plugins

Process enumeration reveals running programs:

volatility -f memory.dmp --profile=Win10x64 pslist
volatility -f memory.dmp --profile=Win10x64 pstree
volatility -f memory.dmp --profile=Win10x64 psscan

pslist walks the kernel's doubly linked list of _EPROCESS structures, the same list Task Manager relies on, so anything unlinked from that list is invisible here. pstree renders the same data as a parent-child tree, which makes abnormal parents easy to spot (a shell spawned by a browser or an Office application, or an svchost.exe whose parent is not services.exe). psscan instead carves _EPROCESS structures out of physical memory by their pool tag, so it also finds processes that were unlinked from the list and processes that have exited but whose memory has not yet been reused.

Network connections show communication:

volatility -f memory.dmp --profile=Win10x64 netscan

netscan carves TCP connections, TCP listeners and UDP endpoints from memory on Windows Vista and later, reporting the owning PID and the creation time of each. Because it scans rather than walks live lists, it also returns closed or stale entries, so treat a hit as a lead to confirm against the process data rather than as proof of an active connection. Older XP and 2003 images use the connections, connscan, sockets and sockscan plugins instead.

DLL analysis examines loaded libraries:

volatility -f memory.dmp --profile=Win10x64 dlllist -p 1234

Lists the DLLs loaded by a specific process, with their base addresses and on-disk paths. dlllist reads the process's in-memory loader lists (reached through the PEB), so a DLL that has been unlinked from those lists will not appear; the ldrmodules plugin cross-checks the loader lists against the process's VAD tree to expose such gaps.

Handles show resources processes access:

volatility -f memory.dmp --profile=Win10x64 handles -p 1234 -t File

Shows the kernel objects a process has open, here filtered with -t to file handles only. Other useful types are Key (registry keys the process touches), Mutant (the mutex a malware family creates to avoid reinfecting a host) and Process (handles to other processes, as held by injectors and credential dumpers).

Detecting Malicious Activity

Hidden processes - Compare pslist to psscan. A process present in psscan but missing from pslist has either been unlinked from the active process list (the DKOM technique used by rootkits) or has simply exited while its memory was not yet reused; psscan's Time exited column separates the two cases. The psxview plugin automates the comparison by cross-referencing several independent process sources and marking which ones miss each process.
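The comparison described above, as an added shell example that is not part of the lesson: it takes saved pslist and psscan output, reports every psscan entry missing from pslist, and uses the Time exited column to separate terminated processes from genuinely hidden ones. The two plugin outputs embedded below are constructed samples in Volatility 2's table layout; the process names, PIDs and offsets are invented for illustration.

```shell
#!/bin/sh
# Added example (not from the lesson): cross-reference Volatility 2 pslist and
# psscan output. pslist walks the kernel's linked list of _EPROCESS objects;
# psscan carves _EPROCESS structures out of physical memory by pool tag, so it
# also returns processes that were unlinked (hidden) and processes that have
# exited but whose memory has not been reused. Only the first kind is evidence
# of tampering, so the "Time exited" column is used to separate them.
# The two sample files are constructed. With a real image you would create them with:
#   volatility -f memory.dmp --profile=Win10x64 pslist > pslist.txt
#   volatility -f memory.dmp --profile=Win10x64 psscan > psscan.txt

SAMPLE_DIR=$(mktemp -d)

cat > "$SAMPLE_DIR/pslist.txt" <<'EOF'
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
------------------ -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0xffffe0018a4d5040 System                    4      0    121      812 ------      0 2023-03-01 08:00:02 UTC+0000
0xffffe0018b1c0080 smss.exe                300      4      2       53 ------      0 2023-03-01 08:00:05 UTC+0000
0xffffe0018c2f3080 explorer.exe           1512   1468     41     1790      1      0 2023-03-01 08:01:10 UTC+0000
EOF

cat > "$SAMPLE_DIR/psscan.txt" <<'EOF'
Offset(P)          Name                PID   PPID PDB                Time created                   Time exited
------------------ ---------------- ------ ------ ------------------ ------------------------------ ------------------------------
0x00000000214d5040 System                4      0 0x00000000001aa000 2023-03-01 08:00:02 UTC+0000
0x0000000031ac0080 smss.exe            300      4 0x000000004f5a1000 2023-03-01 08:00:05 UTC+0000
0x000000003c2f3080 explorer.exe       1512   1468 0x0000000072c15000 2023-03-01 08:01:10 UTC+0000
0x000000004e0b7080 notepad.exe        1800   1512 0x000000008a01c000 2023-03-01 08:02:40 UTC+0000   2023-03-01 08:03:12 UTC+0000
0x0000000052117080 svchost.exe        2044    600 0x0000000091de3000 2023-03-01 08:05:55 UTC+0000
EOF

# missing_from_pslist PSLIST PSSCAN
# Prints "PID:NAME STATUS" for every psscan row absent from pslist. STATUS is
# "terminated" when psscan's Time exited column is populated (the row then has
# 11 fields: offset, name, pid, ppid, pdb, 3 for created, 3 for exited) and
# "HIDDEN" otherwise. Name and PID are columns 2 and 3 in both plugins; the
# numeric test on column 3 skips the two header lines of each table.
missing_from_pslist() {
    awk 'NR == FNR { if ($3 ~ /^[0-9]+$/) seen[$3 ":" $2] = 1; next }
         $3 ~ /^[0-9]+$/ {
             key = $3 ":" $2
             if (key in seen) next
             print key, (NF >= 11 ? "terminated" : "HIDDEN")
         }' "$1" "$2"
}

# hidden_processes PSLIST PSSCAN
# Just the PID:NAME keys that need follow-up: dump them with procdump -p PID
# and check their dlllist, handles and netscan entries.
hidden_processes() {
    missing_from_pslist "$1" "$2" | awk '$2 == "HIDDEN" { print $1 }'
}

missing_from_pslist "$SAMPLE_DIR/pslist.txt" "$SAMPLE_DIR/psscan.txt"
```

On the sample data the run reports notepad.exe (PID 1800) as terminated and svchost.exe (PID 2044) as hidden; on a real image, a hidden entry with a live parent and open handles is the one to dump and examine first.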

Process injection - malfind walks each process's VAD tree for private (not file-backed) memory regions whose protection is PAGE_EXECUTE_READWRITE and prints the first bytes of each with a hexdump and disassembly. Legitimate modules are mapped from files with read/execute pages, so an anonymous region that is both writable and executable is where injected PE images and shellcode usually live. Expect false positives from JIT compilers and some packers: a region whose dump begins with an MZ header or a recognisable code prologue is far more interesting than one of zeros.

volatility -f memory.dmp --profile=Win10x64 malfind
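Triaging malfind's output is where the real work is, so here is an added shell example that is not part of the lesson: it parses saved malfind output and sorts each reported region into "pe-header", "all-zero" or "code" from the first hexdump line. The malfind output embedded below is constructed; the process names, PIDs and addresses are invented, and the bytes in the third region are a CLD / AND RSP / CALL sequence typical of position-independent shellcode, included so the "code" verdict has something to match.

```shell
#!/bin/sh
# Added example (not from the lesson): triage Volatility 2 malfind output.
# malfind prints one record per private memory region with
# PAGE_EXECUTE_READWRITE protection, each headed by a "Process: ... Pid: ...
# Address: ..." line and followed by a hexdump and a disassembly of the first
# bytes. The first hexdump line is usually enough to sort regions: an MZ
# header means a PE image was written into the process (classic injection),
# all-zero bytes are usually a reserved-but-unused JIT or heap page (a
# frequent false positive), and anything else is code or data that needs a
# look at the disassembly. The sample output below is constructed.

malfind_sample() {
    cat <<'EOF'
Process: svchost.exe Pid: 2044 Address: 0x1e0000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 64, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x001e0000  4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00   MZ..............
0x001e0010  b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00   ........@.......

0x001e0000 4d               DEC EBP
0x001e0001 5a               POP EDX
0x001e0002 90               NOP

Process: explorer.exe Pid: 1512 Address: 0x2fe0000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x02fe0000  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0x02fe0010  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................

0x02fe0000 0000             ADD [EAX], AL

Process: rundll32.exe Pid: 2880 Address: 0x3b70000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 16, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x03b70000  fc 48 83 e4 f0 e8 c0 00 00 00 41 51 41 50 52 51   .H........AQAPRQ
0x03b70010  56 48 31 d2 65 48 8b 52 60 48 8b 52 18 48 8b 52   VH1.eH.R`H.R.H.R

0x03b70000 fc               CLD
EOF
}

# triage_malfind < MALFIND_OUTPUT
# Prints "PID NAME ADDRESS VERDICT" per region. Only the first hexdump line
# after each Process: header is inspected (an address token followed by
# two-digit hex bytes); disassembly lines never match because their second
# token is a multi-byte opcode string or is followed by an uppercase mnemonic.
triage_malfind() {
    awk '
    /^Process:/ { name = $2; pid = $4; addr = $6; want = 1; next }
    want && $1 ~ /^0x/ && $2 ~ /^[0-9a-f][0-9a-f]$/ && $3 ~ /^[0-9a-f][0-9a-f]$/ {
        want = 0
        if ($2 == "4d" && $3 == "5a") {
            verdict = "pe-header"
        } else {
            verdict = "all-zero"
            for (i = 2; i <= 17 && i <= NF; i++)
                if ($i != "00") { verdict = "code"; break }
        }
        print pid, name, addr, verdict
    }'
}

# malfind_pe_pids < MALFIND_OUTPUT
# PIDs whose flagged region carries a PE header: first candidates for
# procdump/dlldump and for comparison against the process's legitimate modules.
malfind_pe_pids() {
    triage_malfind | awk '$4 == "pe-header" { print $1 }'
}

malfind_sample | triage_malfind
```

On a real case, pipe the saved plugin output into triage_malfind, dump the pe-header and code regions (the vaddump plugin or malfind's own -D option), and only then spend time on the all-zero ones if nothing else explains the incident.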

Suspicious DLLs - Check dlllist paths for libraries loaded from unusual locations such as user temp directories or %APPDATA%, and for well-known names (kernel32.dll, ntdll.dll, version.dll) loaded from anywhere other than the system directory, the signature of DLL side-loading.

Command lines - Extract full command lines with the cmdline plugin. Look for suspicious arguments: encoded PowerShell (-EncodedCommand or its short forms), download instructions, living-off-the-land utilities such as rundll32.exe or regsvr32.exe invoked with remote or unusual paths, and binaries run from user-writable directories.

Extracting Artifacts

Dump processes - Export a process's executable image for further analysis (static inspection, hashing, sandboxing). The dump is rebuilt from memory pages, so relocations are already applied and paged-out sections may be missing; its hash will not match the file on disk, and -u (--unsafe) relaxes the PE header sanity checks when the header has been tampered with:

volatility -f memory.dmp --profile=Win10x64 procdump -p 1234 -D output/

Dump DLLs - Extract specific DLLs:

volatility -f memory.dmp --profile=Win10x64 dlldump -p 1234 -D output/

Strings extraction - The strings plugin does not search on its own. Run an external strings tool over the image with decimal offsets enabled (GNU strings with -td, or Sysinternals strings with -o), then pass that output to the plugin with -s; Volatility maps each physical offset back to the process or kernel module that owns it, which turns a bare URL or mutex name into an attribution.

No single plugin is conclusive. Combine outputs (a process missing from pslist, a netscan entry owned by it, a malfind region in it that starts with an MZ header, a DLL loaded from a temp directory) to build a consistent picture of system state at acquisition time.
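The plugins above are normally run as one batch at the start of a case, so here is an added shell example (not part of the lesson, and not a Volatility feature) that collects a fixed plugin set into a case directory with a run log and SHA-256 hashes of every output, so the evidence is repeatable and verifiable. The plugin list is an assumed starting set, and VOL is assumed to name a Volatility 2 binary on PATH.

```shell
#!/bin/sh
# Added example (not from the lesson): a repeatable triage run that collects
# the plugin outputs used in this lesson into one case directory. Each
# plugin's stdout and stderr go to separate files, a run log records which
# plugins succeeded, and SHA-256 hashes of the outputs are written so the
# evidence can be verified later. VOL names the Volatility 2 binary and is
# overridable (a stub works for dry runs); PLUGINS is an assumed starting set.

VOL=${VOL:-volatility}
PLUGINS=${PLUGINS:-"pslist pstree psscan netscan cmdline dlllist malfind"}

# sha256_tool FILES...: sha256sum on Linux, shasum -a 256 elsewhere.
sha256_tool() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$@"; else shasum -a 256 "$@"; fi
}

# run_triage IMAGE PROFILE CASEDIR
# Returns non-zero if any plugin failed, but keeps going so one broken plugin
# (common when the profile is slightly off) does not lose the rest.
run_triage() {
    image=$1; profile=$2; casedir=$3
    mkdir -p "$casedir"
    log="$casedir/run.log"
    printf 'image=%s profile=%s\n' "$image" "$profile" > "$log"
    failures=0
    for plugin in $PLUGINS; do
        if "$VOL" -f "$image" --profile="$profile" "$plugin" \
               > "$casedir/$plugin.txt" 2> "$casedir/$plugin.err"; then
            status=ok
        else
            status=FAILED; failures=$((failures + 1))
        fi
        printf '%s %s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$plugin" "$status" >> "$log"
    done
    (cd "$casedir" && sha256_tool *.txt > SHA256SUMS)
    [ "$failures" -eq 0 ]
}

# Real usage (image and profile from the Getting Started step):
#   run_triage memory.dmp Win10x64 case-001
```

The per-plugin .err files matter: a plugin that fails on a wrong profile usually says so on stderr while producing an empty .txt, and the log shows at a glance which outputs can be trusted.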

Questions

  • Question 1 (Knowledge): How do you identify malware in memory? Answer format: 8 characters, exact match.
  • Question 2 (Hands-On): What Volatility plugin finds injected code? Answer format: 7 characters, exact match.
  • Question 3 (Knowledge): What memory artifacts indicate compromise? Answer format: 8 characters, exact match.
  • Question 4 (Hands-On): What Volatility plugin lists network data? Answer format: 7 characters, exact match.
