MEMORY FORENSICS
NETWORK SECURITY — VOLATILITY ANALYSIS LAB
PSLIST · PSTREE · MALFIND · STRINGS · NETSCAN · YARA

OBJECTIVES

List running processes (pslist)
Find the suspicious process name
Identify the abnormal parent process
Run malfind — detect injected code
Extract strings from malicious PID
Find the C2 address in strings
Scan network connections (netscan)
Submit the forensics report
PHASE 1 — PROCESS ANALYSIS
MISSION BRIEF

IMAGE: WKSTN-016.mem — Windows 10 22H2 (x64)

SCENARIO

EDR telemetry flagged WKSTN-016 for anomalous memory activity. The endpoint was imaged before it could be wiped. You have a 4GB RAM capture from the live system. Use Volatility 3 to analyse the memory image, identify the malware, and extract indicators.

MEMORY IMAGE

Property       Value
File           WKSTN-016.mem
OS             Windows 10 22H2 x64
Size           4096 MB
Capture time   2026-05-08 09:44 UTC
Hostname       WKSTN-016
User           j.porter

VOLATILITY COMMANDS

  • pslist — list running processes
  • pstree — process parent/child hierarchy
  • psscan — scan for hidden processes
  • malfind — find injected code regions
  • strings -pid [N] — extract strings from process
  • netscan — active network connections
  • dlllist -pid [N] — loaded DLLs for a process
  • cmdline — process command lines
  • filescan — files mapped into memory
  • help — show all commands
REFERENCE — MEMORY FORENSICS
VOLATILITY 3 SYNTAX
vol3> pslist
vol3> pstree
vol3> psscan
vol3> malfind
vol3> netscan
vol3> cmdline
vol3> dlllist -pid 2196
vol3> strings -pid 2196
vol3> filescan
vol3> handles -pid 2196
PROCESS ANOMALIES
Look for: processes with unusual parent processes, misspelled names (svch0st vs svchost), processes running from temp directories, unexpected process counts (e.g. two lsass.exe), unusual process paths (svchost should always be System32).

Normal svchost.exe parents: services.exe
Normal explorer.exe parent: userinit.exe or winlogon.exe
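The checks in the anomaly list above, applied to a constructed pslist-style table, as an added example that is not part of the lab or of Volatility; the parent and path expectations are the ones stated here, while the PIDs, paths and rows are made up:

```python
# Added example: automate the process-anomaly checks from the reference section.
from collections import Counter

EXPECTED_PARENT = {"svchost.exe": {"services.exe"}, "explorer.exe": {"userinit.exe", "winlogon.exe"}}
EXPECTED_PATH = {"svchost.exe": r"c:\windows\system32\svchost.exe", "lsass.exe": r"c:\windows\system32\lsass.exe"}
SINGLETONS = {"lsass.exe", "wininit.exe", "services.exe"}   # normally exactly one of each
LOOKALIKES = {"svch0st.exe": "svchost.exe", "scvhost.exe": "svchost.exe", "lsas.exe": "lsass.exe"}

# Constructed sample (not real capture data) in the column order of `vol3> pslist`.
SAMPLE = """\
PID   PPID  Name          Path
4     0     System
612   4     smss.exe      C:\\Windows\\System32\\smss.exe
712   612   wininit.exe   C:\\Windows\\System32\\wininit.exe
800   712   services.exe  C:\\Windows\\System32\\services.exe
820   712   lsass.exe     C:\\Windows\\System32\\lsass.exe
900   612   winlogon.exe  C:\\Windows\\System32\\winlogon.exe
1040  800   svchost.exe   C:\\Windows\\System32\\svchost.exe
1304  900   explorer.exe  C:\\Windows\\explorer.exe
3320  1304  svchost.exe   C:\\Users\\j.porter\\AppData\\Local\\Temp\\svchost.exe
3412  1304  svch0st.exe   C:\\Users\\Public\\svch0st.exe
"""

def parse_pslist(text):
    # Whitespace-separated table; header row skipped; System has no path.
    procs = []
    for line in text.splitlines()[1:]:
        pid, ppid, name, *rest = line.split()
        procs.append({"pid": int(pid), "ppid": int(ppid), "name": name,
                      "path": rest[0] if rest else ""})
    return procs

def find_anomalies(procs):
    # Returns (pid, reason) pairs, one per indicator that fires on a process.
    by_pid = {p["pid"]: p for p in procs}
    counts = Counter(p["name"].lower() for p in procs)
    findings = []
    for p in procs:
        name, path = p["name"].lower(), p["path"].lower()
        parent = by_pid.get(p["ppid"], {}).get("name", "<none>").lower()
        if name in LOOKALIKES:
            findings.append((p["pid"], f"{p['name']} mimics {LOOKALIKES[name]}"))
        if name in EXPECTED_PARENT and parent not in EXPECTED_PARENT[name]:
            findings.append((p["pid"], f"{p['name']} spawned by {parent}"))
        if name in EXPECTED_PATH and path != EXPECTED_PATH[name]:
            findings.append((p["pid"], f"{p['name']} not in System32: {p['path']}"))
        if "\\temp\\" in path:
            findings.append((p["pid"], f"{p['name']} runs from a temp directory"))
        if name in SINGLETONS and counts[name] > 1:
            findings.append((p["pid"], f"{counts[name]} copies of {p['name']}"))
    return findings
```

Running find_anomalies(parse_pslist(SAMPLE)) flags the svchost.exe under Temp three times (wrong parent, wrong path, temp directory) and the svch0st.exe lookalike once.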
MALFIND
Identifies memory regions that are both writable and executable and that contain code, a classic signature of process injection. Legitimate module code sections are mapped without write permission once loaded, so writable executable memory with no backing module on disk usually holds shellcode or an injected payload.
PROCESS INJECTION INDICATORS
VAD with PAGE_EXECUTE_READWRITE
MZ header at start of non-module region
High entropy memory regions
No backing file on disk
Sysmon Event ID 8 (CreateRemoteThread)
YARA RULE STRUCTURE
rule RuleName {
    meta:
        author = "analyst"
        description = "Detects X"
    strings:
        $s1 = "suspicious string"
        $s2 = { 4D 5A 90 00 }         // hex bytes (MZ header)
        $re1 = /update-[a-z]+\.net/   // regular expression
    condition:
        ($s1 and $s2) or $re1
        // alternatives: any of them, or 2 of ($s*);
        // every declared string must be referenced in the condition
}
COMMON C2 INDICATORS IN STRINGS
Domain names / IP addresses in plain text
HTTP User-Agent strings
Encoded commands (Base64)
Registry persistence keys
Mutex names (prevent double-infection)
Hardcoded credentials or keys