
Memory Forensics

Memory forensics means looking for artifacts in RAM — password hashes, process lists, network connections and more — primarily using Volatility 3.


What is memory forensics?

Looking for artifacts in memory is not always easy, but it is valuable. Useful artifacts include password hashes, network cache, the process list (proof of execution), command history, DLL lists and network connections (the netscan plugin).

Volatility 3

<div class="callout tip">There is a downloadable Volatility 3 cheat-sheet on the presentations page. Plugin families exist for Windows, Linux (linux.pslist, linux.bash, linux.malfind…) and Mac (mac.pslist, mac.netstat…).</div>

Volatility 3 uses OS-based plugins instead of the version-specific profiles of 2.x — it works across a wider range of dumps and is a bit faster. Clone it and run with Python 3 (note: REMnux does not ship Volatility 3 by default).

git clone https://github.com/volatilityfoundation/volatility3
python3 vol.py -h        # list functions
python3 vol.py -f dump.mem windows.pslist > pslist.txt

Redirect the output to a file, then grep it later: searching is easier and you keep a record of the plugin output for the case.

Worked case — pull a password

Acquire a memory dump with FTK Imager (or suspend a VM and take the .vmem file). Then run the hashdump plugin to recover the account password hashes stored in the SAM.

vol.py -f KeepassMemdump.mem windows.hashdump.Hashdump
# output: 43239E3A0AF748020D5B426A4977D7E5

Example: extracting a stored hash from a Windows memory image.

KeePass vulnerability example

An example of validating a real vulnerability in KeePass 2.5.3 with keepass-password-dumper: install KeePass 2.5.3, create a vault, dump the KeePass process from Task Manager, install .NET 7 and run the dumper against the dump file.

dotnet run C:\Path\To\Dump\KeePass.DMP

The recovered master password is largely reconstructed — only the first character is missing.
This sensitive topic is shown to illustrate why patching and memory hygiene matter — not to enable misuse.