---
title: 5. Understanding MEMORY FORENSICS.
---
# 1. Learn about some tools used in Memory Forensics such as **Volatility, MemProcFS.**
Memory Forensics is the process of analyzing volatile memory (RAM) to extract information about what a system was doing at a given point in time. It is especially useful in incident response, malware analysis and digital forensics.
## 🔹 Volatility Framework
The Volatility Framework has become the world's most widely used memory forensics tool - relied upon by law enforcement, military, academia, and commercial investigators around the world. The Volatility Foundation helps keep Volatility going so that it may be used in perpetuity, free and open to all.
+ key features
- **Extracts processes, network connections, DLLs, registry hives, etc.**
- **Supports plugins for analysis tasks.**
- **Python-based, scriptable, and extensible.**
*Common uses*
- **Finding malware in RAM.**
- **Recovering deleted files.**
- **Dumping credentials (passwords and hashes).**
- **Detecting rootkits and hidden processes (unusual activity).**
Basic usage:
- `python3 volatility3/vol.py -f 20250312.mem windows.info` (Volatility 3: identify the OS and kernel build of the dump)
- `python2 volatility/vol.py -f 20250312.mem imageinfo` (Volatility 2: suggest the `--profile` to use for the dump)
*Popular plugins*
- pslist : list active processes (walks the kernel's process list)
- netscan : scan for network artifacts (TCP/UDP endpoints and connections, including ones from terminated processes)
- dlllist : list the DLLs loaded by each process
- hashdump : dump password hashes (LM/NTLM) from the registry hives cached in memory
Versions:
- volatility2 : older, Python 2, needs a `--profile` that matches the OS build of the dump.
- volatility3 : current, rewritten in Python 3, uses symbol tables (ISF JSON) instead of profiles.
Links: https://volatilityfoundation.org/
## 🔹 MemProcFS (Memory Process File System)
MemProcFS is an advanced tool that mounts a memory dump as a virtual file system, allowing an investigator to browse memory as if it were a live file system.
+ key features
- **The memory dump is mounted as a virtual FS (a drive letter such as M:\ on Windows, or a FUSE mount point such as /mnt/memfs/ on Linux).**
- **Processes, memory pages, PE headers, DLLs and registry hives can be accessed directly as files.**
- **Works on Windows and Linux.**
- **Provides a powerful CLI plus an API (C and Python, among others) for scripting.**
*Common use cases*
- **Extract files from memory (exe, pdf and dll).**
- **Analyze malware code directly from memory.**
- **Integrate with other tools such as IDA Pro and Ghidra.**
- **Easy access for scripting and automation.**
Example:
after mounting, you might browse `/mnt/memfs/pid/1234/` (or `/mnt/memfs/name/<process>-1234/`) to see the memory of the process with PID 1234.
Link: https://github.com/ufrisk/MemProcFS
## 🔹 Learn how to create a Volatility 2 profile / Volatility 3 symbol table
Learn about virtual addresses, physical addresses, and process information such as PID, PPID, process name and command line.
Learn about process dumps.
Create a profile (Volatility 2): Ubuntu version < 22.04 in a virtual machine (write the writeup in detail). A Volatility 2 Linux profile is a zip containing `module.dwarf` (built with the Makefile in `tools/linux` against the target kernel's headers) and the kernel's `System.map`.
### Download Ubuntu 20.04 LTS
https://releases.ubuntu.com/20.04/ubuntu-20.04.6-desktop-amd64.iso
Create a symbol table (Volatility 3): Debian in a virtual machine (write the writeup in detail). Volatility 3 uses an ISF JSON file generated by `dwarf2json` from the kernel's debug-symbol `vmlinux` and `System.map`, placed under `volatility3/symbols/linux/`.
https://youtu.be/EqGoGwVCVwM?si=dq2s1s4xE1meJHhC
Do the following challenges and write the writeups in detail:
https://github.com/stuxnet999/MemLabs
### MemLabs Lab 0 - Never Too Late Mister
This directory has been created to aid first-timers in learning how to approach a CTF-styled memory forensics challenge and also learn the plugins of the memory analysis framework, Volatility.
So here I'll be writing a very elaborate walkthrough of a memory forensics challenge which I made for the BSides Delhi CTF 2018. The challenge is fairly easy in difficulty and I believe will be a great example challenge for everyone new to this.
Onto the challenge now.
Challenge Description
My friend John is an "environmental" activist and a humanitarian. He hated the ideology of Thanos from the Avengers: Infinity War. He sucks at programming. He used too many variables while writing any program. One day, John gave me a memory dump and asked me to find out what he was doing while he took the dump. Can you figure it out for me?
Challenge file: https://drive.google.com/file/d/1MjMGRiPzweCOdikO3DTaVfbdBK5kyynT/view

profile = Win7SP1x86_23418

I see something suspicious: demon.py.
In order to extract it we have to use `consoles`:
`python2 volatility/vol.py -f Challenge.raw --profile=Win7SP1x86_23418 consoles`

I can't decode it.
I asked ChatGPT to brute-force the XOR.
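The brute force itself is short enough to write by hand. The block below is an added example, not part of the original notes or of the challenge files: it takes the ciphertext as a printed Python list of byte values (the way a demon.py-style script would print it), tries all 256 single-byte XOR keys, and keeps only candidates that look like a flag. The sample ciphertext, plaintext and key 0x2A are constructed for the example and are not the Lab 0 values.

```python
import ast
import string

# Constructed for this example: a stand-in flag XOR-encoded with one byte and
# printed as a Python list of ints. It is NOT the Lab 0 ciphertext, and 0x2A
# is NOT the Lab 0 key.
_SAMPLE_KEY = 0x2A
SAMPLE_PLAINTEXT = b"flag{sample_text_not_the_real_flag}"
SAMPLE_PRINTED = str([b ^ _SAMPLE_KEY for b in SAMPLE_PLAINTEXT])

_PRINTABLE = set(string.printable.encode())


def parse_int_list(printed: str) -> bytes:
    """Turn a printed Python list of byte values (e.g. '[76, 12, ...]') into bytes.
    ast.literal_eval parses literals only, so text copied from a console can't run code."""
    return bytes(ast.literal_eval(printed.strip()))


def xor_single(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte; XOR is its own inverse, so this both encodes and decodes."""
    return bytes(b ^ key for b in data)


def looks_like_flag(candidate: bytes, prefix: bytes = b"flag{") -> bool:
    """Plausibility check: expected prefix, closing brace, only printable bytes."""
    return (candidate.startswith(prefix) and candidate.endswith(b"}")
            and all(b in _PRINTABLE for b in candidate))


def brute_force_single_byte_xor(ciphertext: bytes, prefix: bytes = b"flag{"):
    """Try all 256 keys; return the (key, plaintext) pairs that pass the check."""
    return [(k, xor_single(ciphertext, k)) for k in range(256)
            if looks_like_flag(xor_single(ciphertext, k), prefix)]


def key_from_known_prefix(ciphertext: bytes, prefix: bytes = b"flag{"):
    """Known-plaintext shortcut: key = c[0] ^ p[0]. Confirm it over the whole
    prefix and return None if the ciphertext does not decode to that prefix."""
    if len(ciphertext) < len(prefix):
        return None
    key = ciphertext[0] ^ prefix[0]
    return key if xor_single(ciphertext[:len(prefix)], key) == prefix else None


if __name__ == "__main__":
    ct = parse_int_list(SAMPLE_PRINTED)
    for k, pt in brute_force_single_byte_xor(ct):
        print(f"key=0x{k:02x} plaintext={pt.decode()}")
    print("key from known prefix:", hex(key_from_known_prefix(ct)))
```

With a single-byte key the known-prefix shortcut is exact (the first ciphertext byte XOR `f` is the key), so the full brute force is only needed when you do not know the flag format; it also shows why a plausibility filter matters, since every key produces *some* 35 bytes.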


`python2 volatility/vol.py -f Challenge.raw --profile=Win7SP1x86_23418 hashdump`



https://hashes.com/en/decrypt/hash

flag{you_are_good_but1_4m_b3tt3r}4
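Instead of pasting hashdump output into an online cracker, the check can be done offline. The block below is an added example (not the notes' own code and not from MemLabs): it parses `hashdump`-style lines (`user:rid:lmhash:nthash:::`), computes NT hashes as MD4 over the UTF-16LE password, and runs a dictionary attack. MD4 is implemented in pure Python because `hashlib`'s md4 is a legacy algorithm that many OpenSSL 3 builds disable. The hashdump lines and the wordlist are constructed for the example; the NT hashes in them are the well-known values for `password` and for the empty password.

```python
import struct

# Constructed hashdump-style output for this example (user:rid:lmhash:nthash:::).
# The LM field is the well-known "no LM hash" marker; the NT hashes are those of
# "password" and of the empty string. None of this comes from a MemLabs dump.
SAMPLE_HASHDUMP = """\
Volatility Foundation Volatility Framework 2.6.1
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
"""

# Constructed wordlist; a real run would read rockyou.txt or similar.
SAMPLE_WORDLIST = ["123456", "letmein", "password", "Password1"]

NO_LM_HASH = "aad3b435b51404eeaad3b435b51404ee"    # LM disabled / empty LM hash
EMPTY_NT_HASH = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NTLM of the empty password


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320), used here because hashlib's md4 is often unavailable."""
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z

    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)  # bit length, little-endian

    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for i in range(16):  # round 1: words in order
            a = _rotl((a + f(b, c, d) + x[i]) & 0xFFFFFFFF, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 2: words 0,4,8,12,1,5,...
            k = (i % 4) * 4 + i // 4
            a = _rotl((a + g(b, c, d) + x[k] + 0x5A827999) & 0xFFFFFFFF, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):  # round 3: words 0,8,4,12,2,10,...
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a = _rotl((a + h(b, c, d) + x[k] + 0x6ED9EBA1) & 0xFFFFFFFF, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a0, b0 = (a0 + a) & 0xFFFFFFFF, (b0 + b) & 0xFFFFFFFF
        c0, d0 = (c0 + c) & 0xFFFFFFFF, (d0 + d) & 0xFFFFFFFF
    return struct.pack("<4I", a0, b0, c0, d0)


def ntlm_hash(password: str) -> str:
    """NT hash = MD4(UTF-16LE(password)), lowercase hex as hashdump prints it."""
    return md4(password.encode("utf-16le")).hex()


def parse_hashdump(text: str) -> dict:
    """Parse hashdump lines into {user: {"rid", "lm", "nt"}}; banner lines are skipped."""
    users = {}
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) == 7 and parts[1].isdigit():
            users[parts[0]] = {"rid": int(parts[1]), "lm": parts[2].lower(), "nt": parts[3].lower()}
    return users


def crack_ntlm(users: dict, wordlist) -> dict:
    """Offline dictionary attack: {user: password, or None if not in the wordlist}.
    The empty-password NT hash is recognised directly; LM == NO_LM_HASH only means LM is off."""
    lookup = {ntlm_hash(w): w for w in wordlist}
    lookup[EMPTY_NT_HASH] = ""
    return {user: lookup.get(info["nt"]) for user, info in users.items()}


if __name__ == "__main__":
    for user, pw in crack_ntlm(parse_hashdump(SAMPLE_HASHDUMP), SAMPLE_WORDLIST).items():
        print(f"{user}: {pw!r}")
```

The lookup is built once per wordlist rather than per user, so adding more hashdump entries costs nothing extra; for real wordlists swap the constructed list for a file iterator.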
### MemLabs Lab 1

`python3 volatility3/vol.py -f MemoryDump_Lab1.raw windows.cmdline`

`python3 volatility3/vol.py -f MemoryDump_Lab1.raw windows.filescan | grep -i important.rar`
to see the file object's offset (the physical address that `--physaddr` expects)

to dump it out:
`python3 volatility3/vol.py -f MemoryDump_Lab1.raw windows.dumpfiles --physaddr 0x3fa3ebc0`

I see flag.png.


I see it mentions the Alissa account.

password: F4FF64C8BAAC57D22F22EDC681055BA6

flag{w3ll_3rd_stage_was_easy}
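The filescan-then-dumpfiles step repeats in every lab: grep `filescan` for a name, copy the offset, feed it to `dumpfiles`. The block below is an added example, not code from the notes or from Volatility: it parses Volatility 2 `filescan` output into records, searches paths with a regex (like `grep -i`), and builds the exact `dumpfiles` command line for either Volatility version using the flags already used on this page (`-Q`/`-D` for vol2, `--physaddr` for vol3). The filescan lines, offsets and paths are constructed for the example; the `volatility/vol.py` and `volatility3/vol.py` paths assume the checkout layout used in these notes.

```python
import re

# Constructed Volatility 2 `filescan` output for this example. The columns are
# the real ones (Offset(P), #Ptr, #Hnd, Access, Name); the offsets and paths are
# made up and do not come from a MemLabs dump.
SAMPLE_FILESCAN = r"""
Volatility Foundation Volatility Framework 2.6.1
Offset(P)            #Ptr   #Hnd Access Name
------------------ ------ ------ ------ ----
0x000000003fa3ebc0     16      0 R--r-d \Device\HarddiskVolume2\Users\alice\Desktop\Important.rar
0x000000003fc398d0     16      0 R--rw- \Device\HarddiskVolume2\Users\bob\Desktop\Important.txt
0x000000003fce1c70     16      0 R--rwd \Device\HarddiskVolume2\Users\alice\Desktop\flag.png
"""

# One filescan record: physical offset, pointer count, handle count, access, path.
_LINE = re.compile(r"^(0x[0-9a-fA-F]+)\s+(\d+)\s+(\d+)\s+(\S+)\s+(.+?)\s*$")


def parse_filescan(text: str) -> list:
    """Parse filescan lines into dicts; banner and header lines do not match and are skipped."""
    entries = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            entries.append({"offset": int(m.group(1), 16), "ptr": int(m.group(2)),
                            "hnd": int(m.group(3)), "access": m.group(4), "path": m.group(5)})
    return entries


def find_files(entries: list, pattern: str) -> list:
    """Case-insensitive regex search over the path, the equivalent of `filescan | grep -i`."""
    rx = re.compile(pattern, re.IGNORECASE)
    return [e for e in entries if rx.search(e["path"])]


def dumpfiles_command(entry: dict, dump: str, version: int = 2,
                      profile: str = "Win7SP1x64", outdir: str = "dumps") -> list:
    """Build the argv that extracts one FILE_OBJECT by its physical offset.
    vol2: `dumpfiles -Q <phys> -D <dir>`; vol3: `windows.dumpfiles --physaddr <phys>`.
    The vol.py paths assume the repo layout used in these notes (assumption)."""
    if version == 2:
        return ["python2", "volatility/vol.py", "-f", dump, f"--profile={profile}",
                "dumpfiles", "-Q", f"0x{entry['offset']:016x}", "-D", outdir]
    return ["python3", "volatility3/vol.py", "-f", dump, "windows.dumpfiles",
            "--physaddr", f"0x{entry['offset']:x}"]


if __name__ == "__main__":
    import shlex
    entries = parse_filescan(SAMPLE_FILESCAN)
    for hit in find_files(entries, r"important\.(rar|txt)$"):
        print(hit["path"])
        print("   ", shlex.join(dumpfiles_command(hit, "MemoryDump_Lab1.raw")))
        print("   ", shlex.join(dumpfiles_command(hit, "MemoryDump_Lab1.raw", version=3)))
```

Keeping the parsed records (handle count, access mask, full path) rather than just the grep hit is what lets you notice things like a file with zero handles that is still cached, or two objects for the same path at different offsets, both of which are worth dumping.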
### MemLabs Lab 2: https://mega.nz/file/ChoDHaja#1XvuQd49c7-7kgJvPXIEAst-NXi8L3ggwienE1uoZTk
When I check `python2 volatility/vol.py -f MemoryDump_Lab2.raw --profile=Win7SP1x64 consoles`
it returns nothing!!!



`python2 volatility/vol.py -f MemoryDump_Lab2.raw --profile=Win7SP1x64 dumpfiles -Q 0x000000003fce1c70 -D ./dump`
dump the password png


flag{w0w_th1s_1s_Th3_SeC0nD_ST4g3_!!}
### MemLabs Lab 3
Challenge: https://mega.nz/file/2ohlTAzL#1T5iGzhUWdn88zS1yrDJA06yUouZxC-VstzXFSRuzVg

When I use `cmdline` I see something suspicious.


Let's dump it out.


I asked ChatGPT.

When I do `filescan` I see something suspicious.

Flag: inctf{0n3_h4lf_1s_n0t_3n0ugh}
### MemLabs Lab 4
Challenge: https://mega.nz/file/Tx41jC5K#ifdu9DUair0sHncj5QWImJovfxixcAY-gt72mCXmYrE
`python2 volatility/vol.py -f MemoryDump_Lab4.raw --profile=Win7SP1x64 cmdline`

I see StikyNot; it is probably malware. As I am not good at reversing, I put it aside and will take a look next time.
`python2 volatility/vol.py -f MemoryDump_Lab4.raw --profile=Win7SP1x64 filescan > result.txt`
Then I filter and find something important; for example, I filter for png, jpg, txt, etc.

`0x000000003fc398d0 16 0 R--rw- \Device\HarddiskVolume2\Users\SlimShady\Desktop\Important.txt`
I see Important.txt.

We can't extract the file directly.
I asked ChatGPT.

grep pattern: `Users\\SlimShady\\Desktop\\Important.txt`
`python2 volatility/vol.py -f MemoryDump_Lab4.raw --profile=Win7SP1x64 mftparser | grep -C 20 'Users\\SlimShady\\Desktop\\Important.txt'`
(small files can live entirely inside their MFT record, so `mftparser` can show the contents even when `dumpfiles` has nothing to extract)



Flag: {1_is_n0t_EQu4l_7o_2_bUt_th1s_d0s3nt_m4ke_s3ns3}
### MemLabs Lab 5
Challenge: https://mega.nz/#!Ps5ViIqZ!UQtKmUuKUcqqtt6elP_9OJtnAbpwwMD7lVKN1iWGoec
`python2 volatility/vol.py -f MemoryDump_Lab5.raw --profile=Win7SP1x64 cmdline`
I see something interesting.

`python2 volatility/vol.py -f MemoryDump_Lab5.raw --profile=Win7SP1x64 filescan | grep "SW1wb3J0YW50.rar"`

`python2 volatility/vol.py -f MemoryDump_Lab5.raw --profile=Win7SP1x64 dumpfiles -Q 0x000000003eed56f0 -D dumps`

I don't have the password.

In order to find the password:
`python2 volatility/vol.py -f MemoryDump_Lab5.raw --profile=Win7SP1x64 filescan | grep "png" > result.txt`
It didn't work.
I used the `iehistory` plugin.


I got the first flag,
then I used the first flag as the password.

### MemLabs Lab 6
Challenge: https://mega.nz/file/C0pjUKxI#LnedePAfsJvFgD-Uaa4-f1Tu0kl5bFDzW6Mn2Ng6pnM
`python2 volatility/vol.py -f MemoryDump_Lab6.raw --profile=Win7SP1x64 pslist`
It has many processes related to browsers.

I see flag.rar.

`┌──(kali㉿kali)-[~/Desktop]`
`└─$ python2 volatility/vol.py -f MemoryDump_Lab6.raw --profile=Win7SP1x64 filescan | grep "flag.rar"`
`Volatility Foundation Volatility Framework 2.6.1`
`0x000000005fcfc4b0 16 0 R--rwd \Device\HarddiskVolume2\Users\Jaffa\Desktop\pr0t3ct3d\flag.rar`
`└─$ python2 volatility/vol.py -f MemoryDump_Lab6.raw --profile=Win7SP1x64 dumpfiles -Q 0x000000005fcfc4b0 -D dumps`


I see something interesting in the environment variables:

`python2 volatility/vol.py -f MemoryDump_Lab6.raw --profile=Win7SP1x64 envars`

I see it is the second part.

`python2 volatility/vol.py -f MemoryDump_Lab6.raw --profile=Win7SP1x64 iehistory > url.txt`
I got nothing.
After reading a writeup I know how to solve it:
https://hackmd.io/-13wwkEpQXyH0QC207Pc8g

I see a pastebin URL.

I see a mega URL;
it requires a key.



The key is zyWxCjCYYSEMA-hZe552qWVXiPwa5TecODbjnsscMIU

I compare the two PNGs.
