Memory Forensics: Analyzing Volatile Evidence with Volatility

Part of the Cybersecurity Skills Guide — This article is one deep-dive in our complete guide series.

By HADESS Team | February 28, 2026 | Updated: February 28, 2026 | 5 min read

Disk forensics tells you what happened on a system. Memory forensics tells you what is happening right now. Malware that never touches disk, injected code running inside legitimate processes, encryption keys in active use — all of this exists only in RAM. If you pull the power cord without capturing memory first, that evidence is gone permanently.

Getting Started with Volatility

Volatility is the standard open-source framework for memory analysis. Volatility 3 replaced the profile system that tripped up many analysts in Volatility 2 with symbol tables: for Windows images it identifies the kernel build and fetches the matching symbols automatically, so most images analyze without manual OS selection. Linux and macOS images still need a symbol table generated for the exact kernel build (the dwarf2json tool produces these), so sort that out before the incident rather than during it.

Basic workflow: acquire a memory image (WinPMEM, LiME, or DumpIt), record its hash immediately, then run Volatility plugins against it. Acquisition tools run on the live host and perturb memory themselves, so record the tool, version, and time in your notes. Confirm the image is readable and the OS was identified with windows.info, then start with these plugins to get your bearings:

  • windows.pslist — lists running processes with PIDs, PPIDs, and start times
  • windows.pstree — shows parent-child process relationships
  • windows.netscan — extracts network connections and listening ports
  • windows.cmdline — shows command-line arguments for each process

The process tree is your first stop. Look for anomalies: cmd.exe spawned by outlook.exe, powershell.exe running under w3wp.exe, or svchost.exe processes with the wrong parent (it should always be services.exe). Pair the tree with windows.cmdline: a genuine svchost.exe carries a -k service-group argument, and a process with a legitimate name but an odd path or arguments stands out there.
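The parent-child checks above reduce to a small rule set that can run over pslist output instead of being eyeballed. The following is an added example, not code from the article or from the Volatility project. It assumes the output was produced with Volatility 3's CSV renderer (vol -r csv -f mem.raw windows.pslist), reads only the PID, PPID and ImageFileName columns, and runs over a constructed sample that mimics that column layout:

```python
"""Parent-child anomaly check over Volatility 3 windows.pslist output.

Added example; not part of the HADESS article or the Volatility project.
Assumed invocation producing the input:  vol -r csv -f mem.raw windows.pslist > pslist.csv
Only the PID, PPID and ImageFileName columns are read; extra columns are ignored.
"""
import csv
import io

# Processes whose parent is fixed on a healthy Windows host.
EXPECTED_PARENT = {
    "svchost.exe": "services.exe",
    "services.exe": "wininit.exe",
    "lsass.exe": "wininit.exe",
}

# Shells/interpreters that a mail client, Office app or IIS worker should never spawn.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
RISKY_SHELL_PARENTS = {"outlook.exe", "winword.exe", "excel.exe", "powerpnt.exe", "w3wp.exe"}

# Constructed sample in the shape of the CSV renderer's output (column subset).
SAMPLE_PSLIST = """PID,PPID,ImageFileName,CreateTime,ExitTime
4,0,System,2026-02-27 08:00:01.000000,N/A
412,4,smss.exe,2026-02-27 08:00:02.000000,N/A
536,412,csrss.exe,2026-02-27 08:00:03.000000,N/A
604,412,wininit.exe,2026-02-27 08:00:03.000000,N/A
700,604,services.exe,2026-02-27 08:00:04.000000,N/A
720,604,lsass.exe,2026-02-27 08:00:04.000000,N/A
820,700,svchost.exe,2026-02-27 08:00:05.000000,N/A
1500,700,svchost.exe,2026-02-27 08:00:05.000000,N/A
2200,1500,w3wp.exe,2026-02-27 08:01:10.000000,N/A
3300,3100,explorer.exe,2026-02-27 08:02:00.000000,N/A
4100,3300,outlook.exe,2026-02-27 08:05:12.000000,N/A
4400,4100,cmd.exe,2026-02-27 09:14:33.000000,N/A
5300,2200,powershell.exe,2026-02-27 09:20:07.000000,N/A
6000,3300,svchost.exe,2026-02-27 09:21:45.000000,N/A
"""


def parse_pslist(text):
    """Return (pid, ppid, name) tuples from pslist CSV text."""
    return [(int(r["PID"]), int(r["PPID"]), r["ImageFileName"])
            for r in csv.DictReader(io.StringIO(text))]


def find_anomalies(text):
    """Return (pid, name, ppid, parent_name, reason) for each suspicious process."""
    procs = parse_pslist(text)
    name_by_pid = {pid: name.lower() for pid, _, name in procs}
    findings = []
    for pid, ppid, name in procs:
        lname = name.lower()
        # A parent missing from the list is normal for explorer.exe (userinit.exe exits)
        # but not for svchost.exe, whose parent services.exe must still be running.
        parent = name_by_pid.get(ppid, "<not in pslist>")
        expected = EXPECTED_PARENT.get(lname)
        if expected and parent != expected:
            findings.append((pid, name, ppid, parent, f"expected parent {expected}"))
        if lname in SHELLS and parent in RISKY_SHELL_PARENTS:
            findings.append((pid, name, ppid, parent, "shell spawned by mail/Office/IIS process"))
    return findings


if __name__ == "__main__":
    for pid, name, ppid, parent, reason in find_anomalies(SAMPLE_PSLIST):
        print(f"PID {pid} {name} <- PID {ppid} {parent}: {reason}")
```

Against the sample this flags cmd.exe under outlook.exe, powershell.exe under w3wp.exe, and an svchost.exe whose parent is explorer.exe. Extend EXPECTED_PARENT with the rest of the boot chain (smss.exe, csrss.exe, wininit.exe) once you have confirmed the expected parents for the Windows build in front of you.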

Process Analysis

After identifying suspicious processes, go deeper. Use windows.dlllist --pid <PID> to see loaded DLLs for a specific process. Injected DLLs that do not match the expected module list for that process type are red flags; compare against the same process on a known-good host of the same Windows version, since the legitimate module set varies by version and role.

windows.malfind scans process memory for signs of injection: it looks for private memory regions (not backed by a mapped file) with execute and write permissions, and dumps the first bytes of each so you can spot an MZ header or a shellcode stub. This catches classic process injection techniques like process hollowing and reflective DLL injection. Expect false positives from JIT engines: .NET hosts (including w3wp.exe and powershell.exe), browsers and Java allocate RWX memory legitimately, so treat a hit in those as a lead, not a conclusion.

windows.handles shows open handles (files, registry keys, mutexes) for a process. Malware often creates named mutexes to prevent multiple instances from running. These mutex names become useful IOCs.

Detecting Malware in Memory

Fileless malware and in-memory-only payloads are increasingly common. A PowerShell Empire agent, a Cobalt Strike beacon, or a Meterpreter session might leave zero artifacts on disk while maintaining full control of the system.

Use windows.vadinfo to examine Virtual Address Descriptors and identify suspicious memory allocations. Memory regions marked PAGE_EXECUTE_READWRITE, flagged as private memory, and not associated with a mapped file or known module deserve scrutiny; the VadS tag (a short VAD with no file object) is typical of such allocations.
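The malfind and vadinfo criteria above (executable, writable, private, no backing file) can be applied directly to vadinfo output, and the first bytes of a dumped region can be checked for a PE header. This is an added example, not code from the article or from Volatility. It assumes the CSV renderer (vol -r csv -f mem.raw windows.vadinfo), reads the PID, Process, Start VPN, End VPN, Tag, Protection, PrivateMemory and File columns, and assumes an unbacked region renders its File column as empty or "N/A"; the sample rows and the PE-like byte buffer are constructed:

```python
"""Triage of executable, writable, private memory regions from windows.vadinfo.

Added example; not part of the HADESS article or the Volatility project.
Assumed input:  vol -r csv -f mem.raw windows.vadinfo > vadinfo.csv
Columns read: PID, Process, Start VPN, End VPN, Tag, Protection, PrivateMemory, File.
The empty/"N/A" File value for an unbacked region is an assumption about the renderer.
"""
import csv
import io
import struct

# Processes that legitimately hold RWX private memory because they host a JIT
# (CLR, JavaScript engines, JVM). Hits in these are annotated, not suppressed.
JIT_HOSTS = {"w3wp.exe", "powershell.exe", "chrome.exe", "msedge.exe", "firefox.exe", "java.exe"}

# Constructed sample in the shape of the CSV renderer's output (column subset).
SAMPLE_VADINFO = """PID,Process,Start VPN,End VPN,Tag,Protection,PrivateMemory,File
1500,svchost.exe,0x7ff6e0000000,0x7ff6e01affff,Vad,PAGE_EXECUTE_WRITECOPY,0,\\Windows\\System32\\svchost.exe
1500,svchost.exe,0x1a2b3c0000,0x1a2b3c4fff,VadS,PAGE_EXECUTE_READWRITE,1,N/A
1500,svchost.exe,0x1a2b400000,0x1a2b40ffff,VadS,PAGE_READWRITE,1,N/A
4100,outlook.exe,0x2c00000000,0x2c0000ffff,VadS,PAGE_EXECUTE_READWRITE,1,N/A
2200,w3wp.exe,0x1d0000000,0x1d00fffff,VadS,PAGE_EXECUTE_READWRITE,1,N/A
2200,w3wp.exe,0x7ffa10000000,0x7ffa1000ffff,Vad,PAGE_EXECUTE_READ,0,\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\clr.dll
"""


def suspicious_regions(text):
    """Return executable+writable, private, file-less regions in input order."""
    out = []
    for r in csv.DictReader(io.StringIO(text)):
        prot = r["Protection"]
        executable = "EXECUTE" in prot
        writable = "WRITE" in prot
        private = r["PrivateMemory"].strip() == "1"
        unbacked = r["File"].strip() in ("", "N/A")
        if not (executable and writable and private and unbacked):
            continue
        start, end = int(r["Start VPN"], 16), int(r["End VPN"], 16)
        proc = r["Process"]
        out.append({
            "pid": int(r["PID"]),
            "process": proc,
            "start": start,
            "size": end - start + 1,
            "tag": r["Tag"],
            "note": "JIT host, verify before escalating" if proc.lower() in JIT_HOSTS else "",
        })
    return out


def has_pe_header(data):
    """True if data starts with an MZ header whose e_lfanew points at a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def fake_pe_bytes():
    """Constructed first 0x100 bytes of a PE image, standing in for a --dump output."""
    buf = bytearray(0x100)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)   # e_lfanew -> PE signature offset
    buf[0x80:0x84] = b"PE\x00\x00"
    return bytes(buf)


if __name__ == "__main__":
    for r in suspicious_regions(SAMPLE_VADINFO):
        print(f"PID {r['pid']} {r['process']} {r['start']:#x} size {r['size']:#x} "
              f"{r['tag']} {r['note']}")
    print("dumped region is a PE image:", has_pe_header(fake_pe_bytes()))
```

Three of the six sample regions qualify; the w3wp.exe hit carries the JIT note so the analyst knows it needs corroboration (command line, network connections, YARA) before it counts. A region that passes the filter but lacks an MZ header is the shellcode or reflective-loader case and is worth disassembling.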

For known malware families, windows.yarascan (or windows.vadyarascan, which scans only the regions described by each process's VADs and is faster) runs YARA rules against process memory: pass a rule file with --yara-file rules.yar or a single rule inline with --yara-rules. Maintain a current rule set from sources like the YARA-Rules repository and your own custom signatures.

Extract suspicious executables from memory for offline analysis in a sandbox: windows.pslist --pid <PID> --dump writes a process's executable (Volatility 3 folded the old procdump into the --dump option), windows.malfind --dump writes the injected regions it flagged, and windows.dumpfiles recovers files that were cached in memory, such as a DLL that was dropped and then deleted. Dumped images are reconstructed from memory, so imports and relocations may need fixing before static tools accept them.

Rootkit Detection

Kernel-mode rootkits modify OS structures to hide processes, files, or network connections. Volatility detects these through cross-referencing.

windows.pslist walks the EPROCESS doubly linked list (what the OS itself reports). windows.psscan carves all of memory for EPROCESS structures regardless of whether they are linked. A process that appears in psscan but not pslist is either terminated (check its ExitTime; recently exited processes linger in freed pool memory) or actively unlinked by a rootkit. Only the entries with no exit time are rootkit evidence.

Similarly, compare windows.modules (linked list of loaded drivers) with windows.modscan (brute-force scan for driver structures). Hidden drivers indicate kernel-level compromise.
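The list-versus-scan comparison is the same operation for processes and for drivers, with one extra step for processes: separating exited leftovers from genuinely hidden entries. The following is an added example, not code from the article or from Volatility. It assumes CSV-rendered output of windows.pslist, windows.psscan, windows.modules and windows.modscan, keys processes on PID and drivers on Base, and assumes a live process renders ExitTime as empty or "N/A"; all four samples are constructed, including the hidden driver name:

```python
"""Cross-reference list-walking plugins against carving plugins to find hidden objects.

Added example; not part of the HADESS article or the Volatility project.
Assumed inputs (CSV renderer):
  vol -r csv -f mem.raw windows.pslist  > pslist.csv
  vol -r csv -f mem.raw windows.psscan  > psscan.csv
  vol -r csv -f mem.raw windows.modules > modules.csv
  vol -r csv -f mem.raw windows.modscan > modscan.csv
Empty/"N/A" ExitTime for a live process is an assumption about the renderer's output.
"""
import csv
import io

# Constructed samples: psscan/modscan each contain the listed rows plus carved extras.
SAMPLE_PSLIST = """PID,PPID,ImageFileName,CreateTime,ExitTime
4,0,System,2026-02-27 08:00:01.000000,N/A
700,604,services.exe,2026-02-27 08:00:04.000000,N/A
820,700,svchost.exe,2026-02-27 08:00:05.000000,N/A
3300,3100,explorer.exe,2026-02-27 08:02:00.000000,N/A
"""
SAMPLE_PSSCAN = SAMPLE_PSLIST + """2840,3300,notepad.exe,2026-02-27 08:30:00.000000,2026-02-27 08:31:12.000000
7120,700,rundll32.exe,2026-02-27 09:00:00.000000,N/A
"""
SAMPLE_MODULES = """Offset,Base,Size,Name,Path
0xffff9d8012345678,0xfffff80210000000,0x1040000,ntoskrnl.exe,\\SystemRoot\\system32\\ntoskrnl.exe
0xffff9d80123457a0,0xfffff80212a00000,0x2e0000,tcpip.sys,\\SystemRoot\\System32\\drivers\\tcpip.sys
"""
SAMPLE_MODSCAN = SAMPLE_MODULES + """0xffff9d8012999000,0xfffff80215200000,0x9000,krnlflt.sys,\\??\\C:\\Windows\\Temp\\krnlflt.sys
"""


def rows(text):
    """Parse CSV-rendered plugin output into a list of dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def hidden_entries(listed_text, scanned_text, key, exit_col=None):
    """Split carved rows absent from the linked-list output into (hidden, exited).

    key:      column identifying the object in both outputs ("PID" or "Base").
    exit_col: column set once the object is gone (ExitTime for processes); rows with
              it set are terminated leftovers in freed pool, not rootkit evidence.
    PIDs are reused by Windows, so confirm a PID-keyed hit against CreateTime too.
    """
    listed = {r[key] for r in rows(listed_text)}
    hidden, exited = [], []
    for r in rows(scanned_text):
        if r[key] in listed:
            continue
        if exit_col and r.get(exit_col, "N/A").strip() not in ("", "N/A"):
            exited.append(r)
        else:
            hidden.append(r)
    return hidden, exited


if __name__ == "__main__":
    hidden, exited = hidden_entries(SAMPLE_PSLIST, SAMPLE_PSSCAN, "PID", "ExitTime")
    for r in hidden:
        print(f"HIDDEN process PID {r['PID']} {r['ImageFileName']} (not in pslist, still running)")
    for r in exited:
        print(f"exited   process PID {r['PID']} {r['ImageFileName']} exit {r['ExitTime']}")
    hidden_drv, _ = hidden_entries(SAMPLE_MODULES, SAMPLE_MODSCAN, "Base")
    for r in hidden_drv:
        print(f"HIDDEN driver {r['Name']} base {r['Base']} path {r['Path']}")
```

On the sample, notepad.exe is correctly set aside as an exited process, rundll32.exe is reported as hidden, and one driver loaded from a Temp directory appears only in the carving output. A driver path under a writable user or temp directory is itself a strong signal even before the list comparison.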

windows.ssdt checks the System Service Descriptor Table for hooks; legitimate entries point into ntoskrnl.exe or win32k.sys, and entries pointing into an unknown or unsigned driver indicate SSDT hooking. On 64-bit Windows, Kernel Patch Protection (PatchGuard) makes SSDT and inline kernel hooks rare, so rootkits there favour notification callbacks and IRP handler replacement instead; windows.callbacks and windows.driverirp cover those and belong in the same pass.

HADESS Team consists of cybersecurity practitioners, hiring managers, and career strategists who have collectively spent 50+ years in the field.
