awesome-memory-forensics

Memory Forensics Tools

A curated list of memory forensics tools and techniques for incident response and digital forensic analysis

A curated list of awesome Memory Forensics for DFIR

GitHub

347 stars
6 watching
48 forks
last commit: about 1 year ago
Linked from 1 awesome list

awesomeawesome-listdigital-forensicsdigital-forensics-incident-responseforensicsincident-responsemalwaremalware-analysismalware-researchmemorymemory-analysis

Awesome Memory Forensics / Tool / Memory Acquisition

Surge Volexity's Surge Collect offers flexible storage options and an intuitive interface that any responder can run to eliminate the issues associated with the corrupt data samples, crashed target computers, and ultimately, unusable data that commonly results from using other tools
MAGNET RAM MAGNET RAM Capture is a free imaging tool designed to capture the physical memory of a suspect's computer, allowing investigators to recover and analyze valuable artifacts that are often only found in memory
FTK Imager FTK® Imager is a data preview and imaging tool that lets you quickly assess electronic evidence to determine if further analysis with a forensic tool such as Forensic Toolkit (FTK®) is warranted
Winpmem 693 4 days ago WinPmem has been the default open source memory acquisition driver for windows for a long time
Ram Capturer Belkasoft Live RAM Capturer is a tiny free forensic tool that allows to reliably extract the entire contents of computer's volatile memory—even if protected by an active anti-debugging or anti-dumping system
LiME 1,725 about 1 month ago A Loadable Kernel Module (LKM) which allows for volatile memory acquisition from Linux and Linux-based devices, such as Android
AVML 875 9 days ago AVML is an X86_64 userland volatile memory acquisition tool written in Rust, intended to be deployed as a static binary
fmem 115 9 months ago This module creates /dev/fmem device, that can be used for dumping physical memory, without limits of /dev/mem (1MB/1GB, depending on distribution)
FEX Memory Imager FEX Memory Imager (FEX Memory) is a free imaging tool designed to capture the physical Random Access Memory (RAM) of a suspect's running computer. This allows investigators to recover and analyze valuable artifacts found only in memory
MacQuisition
Digital Collector A powerful forensic imaging software solution to perform triage, live data acquisition and targeted data collection for Windows and Mac computers
varc 252 about 2 months ago Volatile Artifact Collector gathers a snapshot of volatile data from a system
PCILeech 5,011 11 days ago PCILeech uses PCIe hardware devices to read and write target system memory. This is achieved by using DMA over PCIe. No drivers are needed on the target system
EVTXtract 189 over 4 years ago EVTXtract recovers and reconstructs fragments of EVTX log files from raw binary data, including unallocated space and memory images
Volatility3 Inodes Plugin 22 4 months ago The plugin is a pushed verion of the lsof plugin extracting inode metadata information from each files
Volatility3 Prefetch Plugin 22 4 months ago The plugin is scanning, extracting and parsing Windows Prefetch files from Windows XP to Windows 11

Awesome Memory Forensics / Tool / Memory Analysis

Volcano A comprehensive, cross-platform, next- generation memory analysis solution, Volexity Volcano Professional's powerful core extracts, indexes, and correlates artifacts to provide unprecedented visibility into systems' runtime state and trustworthiness
Volatility3 2,693 6 days ago Volatility is the world's most widely used framework for extracting digital artifacts from volatile memory (RAM) samples
MemProcFS 3,115 6 days ago The Memory Process File System (MemProcFS) is an easy and convenient way of viewing physical memory as files in a virtual file system
WinDbg The Windows Debugger (WinDbg) can be used to debug kernel-mode and user-mode code, analyze crash dumps, and examine the CPU registers while the code executes
Volatility 7,343 over 1 year ago The Volatility Framework is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples
Volafox 165 over 8 years ago macOS Memory Analysis Toolkit' is developed on Python 2.x ( )
Rekall 1,924 about 4 years ago A new branch within the Volatility project was created to explore how to make the code base more modular, improve performance, and increase usability. ( )
Redline Redline®, FireEye's premier free endpoint security tool, provides host investigative capabilities to users to find signs of malicious activity through memory and file analysis and the development of a threat assessment profile
Memoryze Mandiant's Memoryze™ is free memory forensic software that helps incident responders find evil in live memory. Memoryze can acquire and/or analyze memory images and on live systems can include the paging file in its analysis
dwarf2json 105 about 1 month ago Go utility that processes files containing symbol and type information to generate Volatilty3 Intermediate Symbol File (ISF) JSON output suitable for Linux and macOS analysis

Awesome Memory Forensics / Books

The Art of Memory Forensics Detecting Malware and Threats in Windows, Linux, and Mac Memory
Practical Memory Forensics Jumpstart effective forensic analysis of volatile memory

Awesome Memory Forensics / Course

Malware and Memory Forensics Training
A Complete Practical Approach To Malware Analysis And Memory Forensics - 2022 Edition

Awesome Memory Forensics / Videos / 13 Cubed

Introduction to Memory Forensics
Windows Memory Analysis
Windows Process Genealogy
Windows Process Genealogy (Update)
Memory Forensics Baselines
Extracting Prefetch from Memory
Detecting Persistence in Memory
Introduction to Redline
Introduction to Redline (Update)
Profiling Network Activity with Volatility 3 - GeoIP from Memory
Volatility Profiles and Windows 10
Dumping Processes with Volatility 3
First Look at Volatility 3 Public Beta
Volatility 3 and WSL 2 - Linux DFIR Tools in Windows?
MemProcFS - This Changes Everything

Awesome Memory Forensics / Videos / DFIR Science

Introduction to Memory Forensics with Volatility 3
Amazon AWS EC2 Forensic Memory Acquisition - LiME
Forensic Memory Acquisition in Linux - LiME
Forensic Memory Acquisition in Windows - FTK Imager
Fast password cracking - Hashcat wordlists from RAM
What is Random Access Memory?
Forensics: What data can you find in RAM?

Awesome Memory Forensics / Videos / Black Hat 2022

New Memory Forensics Techniques to Defeat Device Monitoring Malware

Awesome Memory Forensics / Videos / Black Hat 2019

Investigating Malware Using Memory Forensics - A Practical Approach

Awesome Memory Forensics / Videos / Black Hat 2012

One-byte Modification for Breaking Memory Forensic Analysis

Awesome Memory Forensics / Videos / SANS Digital Forensics and Incident Response

SANS DFIR Webcast - Memory Forensics for Incident Response

Awesome Memory Forensics / Videos / ETC

Memory Forensics with Jupyter Notebooks

Awesome Memory Forensics / Articles / JPCERT

How to Use Volatility 3 Offline
Migrate Volatility Plugins 2 to 3
MalConfScan with Cuckoo: Plugin to Automatically Extract Malware Configuration
Volatility Plugin for Detecting RedLeaves Malware
A New Tool to Detect Known Malware from Memory Images – impfuzzy for Volatility –
A Volatility Plugin Created for Detecting Malware Used in Targeted Attacks
Volatility Plugin for Detecting Cobalt Strike Beacon

Awesome Memory Forensics / Articles / Blogs

📦 Volatility3 Windows Plugin : Prefetch
📦 Volatility3 Linux Plugin : Inodes
Memory analysis using volatility3 (1) - Windows 11
Memory analysis using volatility3 (2) - Ubuntu Linux
Memory analysis using volatility3 (3) - macOS
Realizing Windows Memory Forensics with Volatility and Gimp

Awesome Memory Forensics / Articles / CheastSheet

Volatility3 CheatSheet

Awesome Memory Forensics / Papers / Digital Investigation

The evidence beyond the wall: Memory forensics in SGX environments

Awesome Memory Forensics / Papers / DFRWS USA 2022

Memory Analysis of .NET and .Net Core Applications
Juicing V8: A Primary Account for the Memory Forensics of the V8 JavaScript Engine

Awesome Memory Forensics / Papers / DFRWS EU 2022

Extraction and analysis of retrievable memory artifacts from Windows Telegram Desktop application
Defining Atomicity (and Integrity) for Snapshots of Storage in Forensic Computing
Memory forensic analysis of a programmable logic controller in industrial control systems

Awesome Memory Forensics / Papers / DFRWS USA 2021

Duck Hunt: Memory Forensics of USB Attack Platforms
Seance: Divination of Tool-Breaking Changes in Forensically Important Binaries
Leveraging Intel DCI for Memory Forensics

Awesome Memory Forensics / Papers / DFRWS EU 2021

One key to rule them all: Recovering the master key from RAM to break Android's file-based encryption

Awesome Memory Forensics / Papers / DFRWS USA 2020

Hiding Process Memory via Anti-Forensic Techniques
Memory Analysis of macOS Page Queues
Memory FORESHADOW: Memory FOREnSics of HArDware cryptOcurrency Wallets – A Tool and Visualization Framework

Awesome Memory Forensics / Papers / DFRWS EU 2020

BMCLeech: Introducing Stealthy Memory Forensics to BMC Tobias Latzo
Tampering Digital Evidence is Hard: The Case of Main Memory Images
On Challenges in Verifying Trusted Executable Files in Memory Forensics

Awesome Memory Forensics / Datasets

NIST
The Art of Memory Forensics
MemLabs 1,659 over 3 years ago
Windows XP

Awesome Memory Forensics / Challenges

2022 Volatility Plugin Contest
2021 Volatility Plugin Contest
2020 Volatility Plugin Contest
2019 Volatility Plugin & Analysis Contests
2018 Volatility Plugin & Analysis Contests
2017 Volatility Plugin Contest
2016 Volatility Plugin Contest
2015 Volatility Plugin Contest
2014 Volatility Plugin Contest
2013 Volatility Plugin Contest
2005 DFRWS Forensic Challenge 1 over 2 years ago

Backlinks from these awesome lists:

More related projects: