
Memory Forensics in Incident Response and Threat Hunting 🗓

Created: 18.11.2020


Below is the skeleton from the SANS FOR508 course description. I am using it to make up my study plan. For each step of this plan I estimate my current level of training, and I am also collecting resources for this topic under Resources.

🫑 - level 0. I know nothing and not even where to start. I might have some embarrassingly fundamental knowledge which is not good enough even for the start.

🥒 - level 1. I know something about the subject, but this only gives me an approximate plan and kind of things to look for.

🥗 - level 2. I know something about the subject, I’ve even read something about it. But no hands-on experience.

🌮 - level 3. I know quite a lot about the subject, I’ve read something about it and have some hands-on experience.

🥘 - level 4. I know a lot about the subject and have quite decent experience. This one I will only use when I am done preparing and have the first mock exam. Bonus - 🍭 real-life experience (not just labs).

🗒- Topic specific plan. 👌-done, 🚧 - in progress

🗂 - references and resources.

🎯- objectives.

🏺- artifacts

🛠 - tools to learn/use.


  • Remote endpoint incident response, hunting, and analysis using F-Response Enterprise

  • Remote endpoint memory examination using F-Response Enterprise

  • Creating local and remote triage images with KAPE

  • Scaling investigations with Velociraptor

  • Detect unknown live and dormant custom malware in memory across multiple systems in an enterprise environment

  • Examine Windows process trees to identify normal versus anomalies

  • Find APT “beacon” malware over common ports used by targeted attackers to access command and control (C2) channels

  • Find residual attacker command-line activity through scanning strings in memory and by extracting command history buffers

  • Compare compromised system memory against a baseline system using Frequency of Least Occurrence stacking techniques

  • Identify advanced malware hiding techniques, including code injection and rootkits

  • Employing indicators of compromise to automate analysis

  • Analysis of memory from infected systems:

    • Stuxnet
    • TDL3/TDSS
    • Cozyduke APT29 RAT
    • Rundll32
    • Zeus/Zbot
    • Conficker
    • StormWorm Rootkit
    • Black Energy Rootkit
    • WMI and PowerShell
    • Cobalt Strike Beacons and Powerpick
    • Metasploit
    • Custom APT command and control malware


Memory forensics has come a long way in just a few years. It is now a critical component of many advanced tool suites and the mainstay of successful incident response and threat hunting teams. Memory forensics can be extraordinarily effective at finding evidence of worms, rootkits, PowerShell, and advanced malware used by targeted attackers. In fact, some fileless attacks may be nearly impossible to unravel without memory analysis. Memory analysis was traditionally the domain of Windows internals experts and reverse engineers, but new tools, techniques, and detection heuristics have greatly leveled the playing field making it accessible today to all investigators, incident responders, and threat hunters. Further, understanding attack patterns in memory is a core analyst skill applicable across a wide range of endpoint detection and response (EDR) products, making those tools even more effective. This extremely popular section will cover many of the most powerful memory analysis capabilities available and give you a solid foundation of advanced memory forensic skills to super-charge investigations, regardless of the toolset employed.

Remote and Enterprise Incident Response

  • Remote Endpoint Access in the Enterprise
  • Remote Endpoint Host-based Analysis
  • Scalable Host-based Analysis (one analyst examining 1,000 systems) and Data Stacking
  • Remote Memory Analysis

Triage and Endpoint Detection and Response (EDR)

  • Endpoint Triage Collection
  • EDR Capabilities and Challenges
  • EDR and Memory Forensics

Memory Acquisition

  • Acquisition of System Memory from both Windows 32/64-bit Systems
  • Hibernation and Pagefile Memory Extraction and Conversion
  • Virtual Machine Memory Acquisition
  • Memory changes in Windows 10
  • Windows 10 Virtual Secure Mode

Memory Forensics Analysis Process for Response and Hunting

  • Understanding Common Windows Services and Processes
  • Identify Rogue Processes
  • Analyze Process DLLs and Handles
  • Review Network Artifacts
  • Look for Evidence of Code Injection
  • Check for Signs of a Rootkit
  • Acquire Suspicious Processes and Drivers

Memory Forensics Examinations

  • Live Memory Forensics
  • Advanced Memory Analysis with Volatility
  • Webshell Detection Via Process Tree Analysis
  • Code Injection, Malware, and Rootkit Hunting in Memory
  • WMI and PowerShell Processes
  • Extract Memory-Resident Adversary Command Lines
  • Investigate Windows Services
  • Hunting Malware Using Comparison Baseline Systems
  • Find and Dump Cached Files from RAM

Memory Analysis Tools

  • Volatility
  • F-Response
  • Velociraptor
  • Comae Windows Memory Toolkit


[1] About some APT groups

[2] Practical Malware Analysis book