# Memory Forensics

## Gathering Memory

There are a handful of different tools which can be used to gather memory. Some of these include:

* winpmem (<https://github.com/Velocidex/WinPmem>)
  * `winpmem_mini_x64.exe physmem.raw`
* procdump (<https://learn.microsoft.com/en-us/sysinternals/downloads/procdump>)
* FTK Imager

### IMPORTANT WHEN GATHERING MEMORY

Always <mark style="color:yellow;">make sure that the OS information is gathered</mark> in conjunction with the image information! On Windows machines this can be done with the `ver` command. Afterwards, we can `grep` for that version string in the `vol.py --info` output.

## Analyzing Memory

Volatility is one of the most common tools to use in memory investigations.

{% embed url="<https://www.varonis.com/blog/how-to-use-volatility>" %}

Keep in mind that the current release of Volatility still uses Python 2, and the newest version of Volatility is still in beta.

### Volatility Usage

`./vol.py -f [image file] --profile [profile] [plugin]`

In order to use this effectively, we need to know the profile of the memory image before we can analyze it properly. This is because each version of the OS, including minor releases, can store kernel objects at drastically different locations in memory.

The following environment variables can be set to speed up Volatility usage and avoid typing the file location and profile for every run.

* `VOLATILITY_LOCATION`
* `VOLATILITY_PROFILE`

### Common Plugins

| Plugin        | Purpose                                                            |
| ------------- | ------------------------------------------------------------------ |
| `-h [plugin]` | Learn plugin options for individual plugin                         |
| `--info`      | List all available plugins                                         |
| `imageinfo`   | Attempt to determine OS of image (slow)                            |
| `kdbgscan`    | Attempt to determine OS of image (slow)                            |
| `pslist`      | List system processes                                              |
| `pstree`      | List processes in a tree format, showing parents and relationships |
| `psscan`      | Search for potentially hidden processes                            |
| `netscan`     | Search for active and listening sockets                            |
| `userassist`  | Track program usage from GUI                                       |
| `cmdline`     | Identify command line for processes which were running             |
| `printkey`    | Print the output of a registry key                                 |
| `svcscan`     | List services on the system                                        |
| `dlllist`     | List DLLs for each process                                         |
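Putting the usage section and the plugin table together, as an added example that is not from the original page: a small bash script that pulls the first suggested profile out of `imageinfo` output, exports the two environment variables, runs the process, network and service plugins into a case directory, and then lists processes that `psscan` recovered but `pslist` did not. `SAMPLE_IMAGEINFO` is constructed text, and `triage` assumes Volatility 2's `vol.py` is on the PATH.

```shell
#!/usr/bin/env bash
set -eu

# Constructed sample of `vol.py -f physmem.raw imageinfo` output (not a real capture);
# the "Suggested Profile(s)" line is the one we need.
SAMPLE_IMAGEINFO='Volatility Foundation Volatility Framework 2.6.1
INFO    : volatility.debug    : Determining profile based on KDBG search...
          Suggested Profile(s) : Win7SP1x64, Win7SP0x64, Win2008R2SP0x64
                     AS Layer1 : WindowsAMD64PagedMemory (Kernel AS)
                     AS Layer2 : FileAddressSpace (/cases/physmem.raw)'

# pick_profile: read imageinfo output on stdin and print the first suggested profile.
# Empty output means imageinfo found nothing; fall back to `ver` plus `vol.py --info`.
pick_profile() {
    sed -n 's/.*Suggested Profile(s) : \([^,]*\).*/\1/p' | head -n 1 | tr -d ' '
}

# triage: export the env vars so each vol.py call no longer needs -f/--profile,
# run the triage plugins into a case directory, then list processes that psscan
# recovered but pslist did not (candidates for unlinked/hidden processes).
triage() {
    image="$1"; profile="$2"; outdir="$3"
    [ -n "$profile" ] || { echo "no profile; compare ver output with vol.py --info" >&2; return 1; }
    export VOLATILITY_LOCATION="file://$(realpath "$image")"   # LOCATION is a URL, not a path
    export VOLATILITY_PROFILE="$profile"
    mkdir -p "$outdir"
    for plugin in pslist pstree psscan netscan cmdline svcscan dlllist; do
        vol.py "$plugin" > "$outdir/$plugin.txt" 2> "$outdir/$plugin.err"
    done
    # Keep only data rows (third column is a numeric PID) as "PID Name" for comparison.
    awk '$3 ~ /^[0-9]+$/ {print $3, $2}' "$outdir/pslist.txt" | sort -u > "$outdir/pslist.pids"
    awk '$3 ~ /^[0-9]+$/ {print $3, $2}' "$outdir/psscan.txt" | sort -u > "$outdir/psscan.pids"
    comm -13 "$outdir/pslist.pids" "$outdir/psscan.pids" > "$outdir/psscan_only.txt"
    echo "triage written to $outdir; psscan-only processes: $(wc -l < "$outdir/psscan_only.txt")"
}

# Usage: ./triage.sh physmem.raw [outdir]
if [ $# -ge 1 ]; then
    profile=$(vol.py -f "$1" imageinfo | pick_profile)
    triage "$1" "$profile" "${2:-triage_out}"
fi
```

Anything in `psscan_only.txt` deserves a manual look with `pstree`, `cmdline` and `dlllist`, since a process present in the pool scan but absent from the active process list is exactly what process-hiding techniques produce.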

## References

{% embed url="<https://www.varonis.com/blog/how-to-use-volatility>" %}

