Why is memory forensics essential?
It recovers volatile evidence that never touches the disk, such as injected code, decrypted data, network connections, and credentials.
What is a key sign of code injection to look for in memory?
A private (non-file-backed) memory region with Execute-Read-Write protection (PAGE_EXECUTE_READWRITE, RWX), often starting with an MZ header or shellcode. Legitimate code is normally mapped from an image file on disk and is not writable, so writable executable memory with no backing file is the classic injection artifact.
What is process hollowing?
Starting a legitimate executable in a suspended state (CREATE_SUSPENDED), unmapping or overwriting its in-memory image, writing malicious code at the same image base, repointing the main thread's entry point, and resuming it. The process name and on-disk path look legitimate, but the memory at its image base no longer matches the file.
What is a rootkit?
Malware designed to hide its presence and maintain control by subverting core OS functions at a low level.
What is DKOM (Direct Kernel Object Manipulation)?
A rootkit technique that hides artifacts (such as a process) by editing kernel data structures directly, for example unlinking its _EPROCESS from the ActiveProcessLinks list, so list-walking tools never see it even though the object is still in memory.
What is the difference between pslist and psscan in Volatility?
pslist walks the kernel's doubly linked list of _EPROCESS structures (ActiveProcessLinks), so it misses anything unlinked by DKOM; psscan ignores the list and carves physical memory for _EPROCESS structures by pool tag and sanity checks, so it also finds unlinked and recently terminated processes.
What Volatility plugin is best for finding hidden processes using cross-view analysis?
psxview (Volatility 2), which compares the process views from pslist, psscan, thread scanning, csrss handles, sessions and desktops and reports which views each process is missing from. Volatility 3 ships no psxview by default; compare pslist and psscan output instead.
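The DKOM unlinking and the pslist-versus-psscan cross view from the three cards above, as an added example that is not Volatility code: the "memory", addresses, process objects and the b"Proc" pool tag are constructed stand-ins for the real Windows _EPROCESS layout, and the list head is simply the first process rather than the kernel's PsActiveProcessHead. It unlinks one process the way a rootkit would, then shows that the list walk loses it while the scan still finds it.

```python
# Added example (not Volatility code): a toy model of DKOM and the
# pslist-vs-psscan cross view. Structures, addresses and the b"Proc" pool tag
# are constructed stand-ins for the real Windows _EPROCESS layout.
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

PROC_TAG = b"Proc"   # constructed stand-in for the real _EPROCESS pool tag


@dataclass
class Process:
    pid: int
    name: str
    flink: int = 0   # toy ActiveProcessLinks.Flink (address of next entry)
    blink: int = 0   # toy ActiveProcessLinks.Blink (address of previous entry)


# Toy physical memory: address -> (pool tag, object). A non-process object is
# included so the scan has to filter by tag instead of trusting every slot.
Memory = Dict[int, Tuple[bytes, object]]


def build_memory() -> Tuple[Memory, int]:
    """Construct a circular process list and return (memory, list head)."""
    procs = [Process(4, "System"), Process(612, "lsass.exe"),
             Process(1337, "evil.exe"), Process(2440, "explorer.exe")]
    addrs = [0xFFFF800001000000 + i * 0x800 for i in range(len(procs))]
    mem: Memory = {}
    for i, (addr, proc) in enumerate(zip(addrs, procs)):
        proc.flink = addrs[(i + 1) % len(procs)]
        proc.blink = addrs[(i - 1) % len(procs)]
        mem[addr] = (PROC_TAG, proc)
    mem[0xFFFF800001010000] = (b"File", "\\Device\\HarddiskVolume1\\x")  # unrelated pool object
    return mem, addrs[0]   # simplification: first process doubles as list head


def find_addr(mem: Memory, pid: int) -> int:
    """Locate a process object's address by PID (helper for the demo)."""
    for addr, (tag, obj) in mem.items():
        if tag == PROC_TAG and obj.pid == pid:
            return addr
    raise KeyError(pid)


def dkom_unlink(mem: Memory, addr: int) -> None:
    """Rootkit-style DKOM: splice the entry out of the doubly linked list.
    The object stays in memory; only its neighbours' pointers change."""
    target = mem[addr][1]
    mem[target.blink][1].flink = target.flink
    mem[target.flink][1].blink = target.blink


def pslist(mem: Memory, head: int, limit: int = 10000) -> List[int]:
    """Walk the list from the head the way the OS (and pslist) does."""
    pids, addr = [], head
    for _ in range(limit):           # guard against a corrupted or cyclic list
        proc = mem[addr][1]
        pids.append(proc.pid)
        addr = proc.flink
        if addr == head:
            return pids
    raise RuntimeError("list walk did not terminate")


def psscan(mem: Memory) -> Set[int]:
    """Ignore the list: carve every slot carrying the process pool tag that
    passes basic sanity checks (as psscan does with _EPROCESS)."""
    found = set()
    for tag, obj in mem.values():
        if tag == PROC_TAG and isinstance(obj, Process) and obj.pid > 0 and obj.name:
            found.add(obj.pid)
    return found


def hidden_processes(mem: Memory, head: int) -> Set[int]:
    """Cross view: anything the scan sees that the list walk does not."""
    return psscan(mem) - set(pslist(mem, head))


if __name__ == "__main__":
    mem, head = build_memory()
    print("hidden before DKOM:", sorted(hidden_processes(mem, head)))
    dkom_unlink(mem, find_addr(mem, 1337))
    print("pslist:", pslist(mem, head))
    print("psscan:", sorted(psscan(mem)))
    print("hidden after DKOM:", sorted(hidden_processes(mem, head)))
```

The real psscan is noisier than this: it also returns processes that have exited but whose _EPROCESS has not been reused, so a PID present in psscan but absent from pslist is a lead to confirm (exit time, threads, handles), not proof of a rootkit on its own.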
What does the Volatility 'malfind' plugin do?
It walks each process's VAD tree for private (non-file-backed) regions with executable and writable permissions, typically PAGE_EXECUTE_READWRITE, and dumps the first bytes and a disassembly of each so the analyst can spot an MZ header or shellcode. RWX alone is not proof: JIT compilers and some packers allocate such regions legitimately, so each hit needs a look at its contents.
What is hiberfil.sys?
The Windows hibernation file, which holds a compressed copy of physical memory written when the system hibernates. It can be converted to a raw memory image and analysed when no live capture was possible, but it reflects the state at the last hibernation, not the present one.
Why must memory be captured from a running system?
Because RAM is volatile: its contents are lost on power-off and are overwritten by normal activity even while the system runs, so evidence must be captured live (or recovered from artifacts such as hiberfil.sys or a crash dump) before the machine is shut down.