Memory Forensics Mastery: How Aegistra’s DFIR Team Cracked a Virtual Machine Memory Dump with Volatility + Video

Listen to this Post

Featured Image

Introduction:

Memory forensics is the art of capturing and analyzing volatile data residing in a system’s RAM, which often contains invaluable evidence of ongoing attacks, malware injection, and process manipulation. Using the Volatility Framework (versions 2.6 and 3), DFIR analysts can reconstruct a system’s state at the time of memory acquisition — including running processes, network connections, and even hidden malicious code. In this article, we walk through a real-world memory analysis challenge issued to a SOC team, where they successfully identified OS version, virtual environment artifacts, process anomalies, and user activity from a single memory dump.

Learning Objectives:

  • Identify the operating system version and architecture from a memory image using Volatility.
  • Differentiate between physical and virtual machines by detecting hypervisor-specific processes (e.g., VBoxService.exe).
  • Detect hidden or unlinked processes and suspicious memory regions using plugins like psscan, malfind, and netscan.

You Should Know:

  1. Capturing Memory Dumps from Host and Virtual Machines
    Memory acquisition is the critical first step. In the challenge, analysts captured two copies: one from the physical host and one from a virtual machine (VM). For Windows systems, common tools include:

– FTK Imager (GUI): `File → Capture Memory → Select destination`
– DumpIt or WinPmem (command‑line)
– LiME for Linux (Loadable Kernel Module)

For a VirtualBox VM: Pause the VM and use `VBoxManage debugvm “VM Name” dumpguestcore –filename memory.dump` or take a snapshot and extract the saved state.

Step‑by‑step using FTK Imager (Windows):

1. Run FTK Imager as Administrator.

2. Click `File` → `Capture Memory`.

3. Set destination path and filename (e.g., `memory.raw`).

4. Optionally include pagefile; click `Capture`.

5. After completion, verify the hash for integrity.

Linux command (using LiME):

sudo insmod lime.ko "path=./memdump.raw format=raw"
sudo rmmod lime

2. Identifying OS Version and Architecture with Volatility

Before any analysis, determine the correct profile (Volatility 2) or use Volatility 3’s auto‑detection. The challenge revealed `Win10x64_19041` – a Windows 10 64‑bit build 19041.

Volatility 2 commands:

 List available profiles
vol.py -f memory.raw imageinfo
 Use suggested profile
vol.py -f memory.raw --profile=Win10x64_19041 pslist

Volatility 3 (no profiles needed):

vol -f memory.raw windows.info

This output includes kernel base, DTB, and OS version. Always verify against known builds – the reported `2026-05-10 20:06:17 UTC+00:00` matches the dump capture time found in windows.info.

3. Determining Physical vs. Virtual Environment

Forensic analysts can distinguish a VM by looking for hypervisor processes, drivers, or MAC addresses. In the challenge, `VBoxService.exe` (VirtualBox Guest Additions) was present, proving a virtual machine.

Step‑by‑step VM detection:

1. List all processes:

 Volatility 2
vol.py -f memory.raw --profile=Win10x64_19041 pslist
 Volatility 3
vol -f memory.raw windows.pslist

2. Search for known VM artifacts:

`VBoxService.exe`, `VBoxTray.exe` (VirtualBox)

`vmtoolsd.exe` (VMware)

`xenserver.exe` (Xen)

3. Check network adapter MAC prefixes:

vol -f memory.raw windows.netscan | grep -i "08:00:27"  VirtualBox
vol -f memory.raw windows.netscan | grep -i "00:50:56"  VMware

4. Examine registry (Volatility 2 `hivelist` + printkey) for `HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion` containing “VirtualBox”.

  1. Process Analysis: pslist vs. psscan – Detecting Hidden Processes
    The challenge compared `pslist` (walking the active process list) with `psscan` (scanning memory for EPROCESS structures). Differences reveal hidden or terminated processes.

Command examples:

 Active processes
vol -f memory.raw windows.pslist > pslist.txt
 Scanned processes (includes terminated/unlinked)
vol -f memory.raw windows.psscan > psscan.txt

What the red/yellow highlights mean:

  • Red entries appear in `psscan` but not in `pslist` → either terminated processes (normal) or hidden processes (malicious rootkit).
  • Yellow indicates unordered timestamps in `psscan` because it scans memory blocks without respecting execution order.

In this case, no hidden processes were found – a sign of a clean but well‑configured system. To double‑check, use `malfind` for injected code:

vol -f memory.raw windows.malfind

No output (or only legitimate VAD regions) confirms absence of process injection.

5. Investigating Suspicious Parent‑Child Relationships and Command History

The challenge found no `cmd.exe` or `powershell.exe` processes, nor any command history. This is unusual for a live system but possible if the capture occurred during idle time. Analysts should still extract command history using:

For PowerShell:

 Volatility 3
vol -f memory.raw windows.cmdline
vol -f memory.raw windows.powershell_pshistory

For CMD:

 Search console history buffers
vol -f memory.raw windows.consoles

Step‑by‑step to verify no malicious parent‑child relationships:

1. List process tree:

vol -f memory.raw windows.pstree

2. Look for anomalous spawning (e.g., `winword.exe` spawning cmd.exe).
3. The challenge reported `explorer.exe` (PID 5480) spawning only `VBoxTray.exe` and `SecurityHealth.exe` – both legitimate.

4. Use `netscan` to verify no C2 callbacks:

vol -f memory.raw windows.netscan

No external suspicious connections = no active beaconing.

6. Recovering User Activity: Browsers, Office, and Tools

Even without command shells, user activity leaves traces. The challenge identified:
– Microsoft Edge → browsing history in `webhist` plugin (Volatility 2)
– OneDrive.exe → cloud synchronization
– Skype.exe → communication
– FTK Imager.exe → forensic tool usage

Extracting browser history (Volatility 2):

vol.py -f memory.raw --profile=Win10x64_19041 iehistory
vol.py -f memory.raw --profile=Win10x64_19041 chromehistory

For Edge/Chrome on Windows, artifacts also live in %LocalAppData%\Microsoft\Edge\User Data. Using `filescan` + `dumpfiles` can extract these files from memory:

vol -f memory.raw windows.filescan | grep -i "history"
vol -f memory.raw windows.dumpfiles --virtaddr

<

address>
  1. Step‑by‑Step Memory Analysis Workflow (Based on the Challenge)

1. Verify memory dump integrity – compute SHA256.

  1. Determine OS & architecture – `windows.info` or imageinfo.
  2. Capture capture time – from `windows.info` or system timestamps.
  3. Detect VM – processes (VBoxService), MAC addresses, registry.
  4. List processes – pslist, pstree. Identify oldest/newest using `CreateTime` (e.g., pslist -t).
  5. Scan for hidden processes – `psscan` compare to pslist.

7. Check for code injection – `malfind`, `ldrmodules`.

8. Enumerate network connections – `netscan`.

  1. Recover command line & history – cmdline, consoles, powershell_pshistory.
  2. Extract user activity – iehistory, `filescan` for Office/PDFs.

11. Generate timeline – combine `timeliner` plugin.

Example command to combine all for a report:

vol -f memory.raw windows.timeliner > timeline.csv

What Undercode Say:

  • Key Takeaway 1: Comparing `pslist` and `psscan` is essential – any discrepancy (red entries) demands deeper investigation, but always consider terminated processes as benign first.
  • Key Takeaway 2: Virtual environment detection is often overlooked; hypervisor processes like `VBoxService.exe` are straightforward indicators that change the threat model (guest vs. host compromise).

Analysis: This exercise demonstrates that methodical memory forensics – even without obvious malware – builds a baseline for “normal” behavior. The team’s ability to rule out C2, hidden processes, and command execution shows strong DFIR discipline. However, the absence of PowerShell or CMD activity in a Windows VM might indicate either a very clean image or the attacker cleaning logs before memory capture. Future iterations should include `amcache` or `shimcache` analysis to identify executed programs that exited before the dump. The use of both Volatility 2 and 3 highlights the need for tool redundancy – some plugins (like psscan) behave slightly differently across versions.

Prediction:

Memory forensics will increasingly integrate AI‑driven anomaly detection to automatically flag hidden processes and injected code across thousands of endpoints. As cloud workloads and containerized environments (e.g., AWS Nitro, Docker) adopt memory encryption, tools like Volatility will evolve to acquire and parse encrypted memory regions. Within the next two years, we expect SOC teams to leverage real‑time memory analysis as an EDR supplement – not just after an incident, but continuously, using minimal‑overhead memory sampling to detect fileless malware before it executes. The challenge’s success proves that hands‑on memory drills remain irreplaceable for training next‑generation DFIR analysts.

▶️ Related Video (78% Match):

🎯Let’s Practice For Free:

IT/Security Reporter URL:

Reported By: Ahmed El – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky