Volatility Essentials Walkthrough – Complete Memory Forensics Guide with Volatility 3

Waseem Akram
Researcher, Pentester, Dev
2025-06-25

🧠 Mastering Memory Forensics with Volatility 3: Complete TryHackMe Room Walkthrough

Volatility Essentials | TryHackMe Walkthrough 🚀

Memory forensics is not just a technical exercise—it’s a modern-day duel with cyber adversaries that hide in your system’s memory like outlaws in the wild west. This blog post walks you through the Volatility Essentials room on TryHackMe, a gamified and practical entry into memory forensics with Volatility 3.

Perfect for blue teamers, SOC analysts, and reverse engineers, this guide will cover:


  • What Volatility is and how it works
  • How to analyze memory dumps
  • Real-world scenarios involving malware and ransomware
  • Automating your workflow with Bash

Let’s saddle up, gunslinger. 🤠


🧰 Task 2: What is Volatility?

Volatility 3 is the current, Python 3 rewrite of the Volatility memory forensics framework. It parses a raw memory image (or a hypervisor memory file such as a VMware .vmem) using the kernel's own data structures, so an analyst can recover processes, network state, loaded code and kernel objects as they were in RAM at the moment of acquisition.

🔍 Key Features:

  • Cross-platform: analyzes Windows, Linux and macOS images, and runs anywhere Python 3 does
  • Plugin-driven: every question you ask is a plugin (windows.pslist, windows.malfind, ...), namespaced by the target OS
  • Symbol tables instead of static profiles: Volatility 3 identifies the kernel build from the image and loads a matching symbol table (ISF JSON). For Windows it builds that table from the kernel's PDB, fetched from Microsoft's symbol server on first use, so the first run against a new build needs network access or a pre-populated symbols directory

🔧 Installation:

# Clone the repo
$ git clone https://github.com/volatilityfoundation/volatility3.git
$ cd volatility3

# Install the dependencies (pefile is needed to build Windows symbol tables from PDBs)
$ pip3 install -r requirements.txt

# Run Volatility
$ python3 vol.py -h

💾 Task 3: Memory Acquisition & Initial Analysis

Acquiring memory is your first step before any analysis. Acquisition is not free of side effects: the tool loads a driver and writes a file the size of RAM, so write the image to removable or network storage rather than the suspect's own disk, note the tool and the time, and hash the image as soon as it is written. Here's a quick overview of tools:


🪟 Windows: DumpIt, WinPmem, Magnet RAM Capture

🐧 Linux: AVML, LiME

🍎 macOS: OSXPmem
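Whatever tool wrote the image, the check a practitioner wants right after acquisition is an integrity seal, because Volatility will not notice a truncated or altered image, it will just return wrong answers. The following is an added example, not code from the room or from any of the acquisition tools above; it assumes coreutils sha256sum and uses a constructed stand-in file in place of a real image so it runs offline.

```shell
#!/bin/sh
# Added example (not from the TryHackMe room or any acquisition tool): seal the
# image the moment acquisition ends and re-check it before each analysis session.
# The "image" below is a constructed stand-in; in practice $IMG is the file that
# WinPmem, AVML or LiME wrote.

# Write the SHA-256 and byte size of the image to a manifest that stays with the
# evidence and goes into the case notes.
seal_image() {   # $1 = image path, $2 = manifest path
    sha256sum "$1" > "$2"
    printf 'size-bytes %s %s\n' "$(wc -c < "$1" | tr -d ' ')" "$1" >> "$2"
}

# Exit 0 only if the image still matches its manifest (size first, then hash).
verify_image() {   # $1 = image path, $2 = manifest path
    recorded=$(awk '/^size-bytes /{ print $2 }' "$2")
    [ "$(wc -c < "$1" | tr -d ' ')" = "$recorded" ] || return 1
    grep -v '^size-bytes ' "$2" | sha256sum -c --status
}

WORK=$(mktemp -d)
IMG="$WORK/host01.raw"
printf 'constructed stand-in for a raw memory image\n' > "$IMG"

seal_image "$IMG" "$IMG.sha256"
if verify_image "$IMG" "$IMG.sha256"; then
    echo "[✓] $IMG matches its manifest, safe to start with windows.info"
else
    echo "[!] $IMG has changed since acquisition, stop and re-acquire" >&2
fi
```

Run seal_image once, on the acquisition box, and verify_image at the start of every session; a size mismatch is the common failure (a copy that was cut short), the hash catches everything else.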


🧪 Case 001 Overview:

You’re handed a memory dump from a compromised host infected with a banking trojan. Time to get dirty.

🔎 Step 1: Identify OS Details

python3 vol.py -f Investigation-1.vmem windows.info

🧾 Findings (windows.info also prints the Symbols line, which tells you which symbol table was loaded for this kernel):

  • Build Version: 2600.xpsp.080413-2111 (Windows XP SP3, 32-bit)
  • Acquisition Time: 2012-07-22 02:45:08

🧵 Task 4: Listing Processes & Connections

🧬 Active Processes

python3 vol.py -f Investigation-1.vmem windows.pslist

🕵️ Hidden Processes (Rootkit Detection)

python3 vol.py -f Investigation-1.vmem windows.psscan

pslist walks the kernel's linked list of _EPROCESS structures; psscan carves _EPROCESS objects out of physical memory by pool tag and does not depend on that list. A process that shows up in psscan but not in pslist was either unlinked by a rootkit (DKOM) or has already exited, so check its ExitTime before calling it hidden.

🌲 Process Tree

python3 vol.py -f Investigation-1.vmem windows.pstree

🔍 Handles and Files

python3 vol.py -f Investigation-1.vmem windows.handles

🌐 Network Connections

python3 vol.py -f Investigation-1.vmem windows.netstat

windows.netstat walks the kernel's live connection tables; windows.netscan carves network objects out of memory instead and also surfaces closed or unlinked sockets, so run both when the first comes back short.

🧠 DLLs Loaded by Processes

python3 vol.py -f Investigation-1.vmem windows.dlllist

📍 Quick Answers:

  • Adobe Process Path: C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
  • Parent Process: explorer.exe
  • Parent PID: 1484
  • DLLs outside system32: 3
  • KeyedEvent: CritSecOutOfMemoryEvent

🧨 Task 5: Hunting Injected Code

🔫 Detect Injected Shellcode / Binaries

python3 vol.py -f Investigation-1.vmem windows.malfind

malfind flags private memory regions that are both writable and executable (PAGE_EXECUTE_READWRITE) and not backed by a file on disk, then prints the first bytes of each as a hex dump and a disassembly. Add --dump to write every flagged region to disk for YARA or a disassembler.

🧱 Analyze Memory Regions

python3 vol.py -f Investigation-1.vmem windows.vadinfo

vadinfo lists every VAD (virtual address descriptor) with its protection and backing file, which is how you tell whether a malfind hit is a stray RWX page or an entire unmapped module.

🧾 Key Findings:

  • Processes whose flagged regions start with an MZ header, i.e. a whole PE image injected into the process: explorer.exe, reader_sl.exe. A hit without MZ is not cleared; raw shellcode has no header, so read its disassembly.
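Sorting malfind hits into "injected PE" and "read the disassembly" is tedious by eye once a dump has dozens of regions. The following is an added example, not code from the room or from the Volatility project: it parses a constructed sample shaped like windows.malfind text output (one region row followed by its hex dump and disassembly, whitespace-separated) and reports which processes carry an MZ-headed region and which regions need manual review. Addresses, PIDs and the shellcode bytes in the sample are made up for the example.

```shell
#!/bin/sh
# Added example (not from the TryHackMe room or the Volatility project).
# Triage windows.malfind output by what each flagged region starts with: "4d 5a"
# (MZ) means a whole PE image was injected; anything else is not cleared, since
# raw shellcode has no header, and gets its disassembly read by hand.
# The sample is constructed and shaped like malfind output. On a real case:
#   python3 vol.py -f image.vmem windows.malfind > malfind.txt

SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
Volatility 3 Framework 2.7.0
Progress:  100.00  PDB scanning finished
PID Process Start VPN End VPN Tag Protection CommitCharge PrivateMemory File output Notes Hexdump Disasm

1484 explorer.exe 0x1460000 0x1460fff VadS PAGE_EXECUTE_READWRITE 1 1 Disabled N/A
4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 MZ..............
b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 ........@.......
0x1460000: dec ebp
0x1460001: pop edx
1640 reader_sl.exe 0x3d0000 0x3d0fff VadS PAGE_EXECUTE_READWRITE 1 1 Disabled N/A
4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 MZ..............
0x3d0000: dec ebp
1472 svchost.exe 0x90000 0x90fff VadS PAGE_EXECUTE_READWRITE 1 1 Disabled N/A
fc e8 82 00 00 00 60 89 e5 31 c0 64 8b 50 30 8b ......`..1.d.P0.
0x90000: cld
0x90001: call 0x90088
EOF

# One line per flagged region: "<pid> <process> <start> MZ|no-MZ".
# A region row is the only line whose first field is all digits and whose third
# field is a 0x address; the first hex-dump line that follows it is inspected.
malfind_triage() {
    awk '
        $1 ~ /^[0-9]+$/ && $3 ~ /^0x[0-9a-fA-F]+$/ { pid = $1; proc = $2; start = $3; want = 1; next }
        want && /^[0-9a-f][0-9a-f] [0-9a-f][0-9a-f] / {
            tag = ($1 == "4d" && $2 == "5a") ? "MZ" : "no-MZ"
            print pid, proc, start, tag
            want = 0
        }
    ' "$1"
}

# Distinct processes carrying an injected PE image (the Task 5 question).
processes_with_mz() {
    malfind_triage "$1" | awk '$4 == "MZ" { print $2 }' | sort -u
}

# Regions with no MZ: candidate shellcode, disassemble by hand.
regions_without_mz() {
    malfind_triage "$1" | awk '$4 == "no-MZ" { print $1, $2, $3 }'
}

echo "[*] processes with an injected PE:";  processes_with_mz "$SAMPLE"
echo "[*] regions to disassemble by hand:"; regions_without_mz "$SAMPLE"
```

The no-MZ bucket is the one that matters on a real case: the constructed svchost.exe region above opens with a cld/call pair, the shape of a position-independent stager, which is exactly what an MZ filter alone would have waved through.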

🧿 Task 6: Advanced Rootkit Detection

⚔️ SSDT Hooking

python3 vol.py -f Investigation-1.vmem windows.ssdt

  • Answer: 0x8056e27c

Every entry in the System Service Descriptor Table should resolve to the kernel image (ntoskrnl.exe, or its ntkrnlpa/ntkrnlmp/ntkrpamp variants depending on the build) or to win32k.sys for the shadow table. An entry whose Module column is anything else, or that does not resolve at all, is a hooked system call.

🪛 Kernel Modules

python3 vol.py -f Investigation-1.vmem windows.modules

🦠 Driver Scanning (DKOM/rootkit detection)

python3 vol.py -f Investigation-1.vmem windows.driverscan

modules walks the loaded-module list (PsLoadedModuleList), which a rootkit can unlink itself from; driverscan carves _DRIVER_OBJECT structures out of pool memory and does not depend on that list. Compare the two the same way you compared pslist against psscan: anything only the scanner reports needs explaining.
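The list-versus-scan comparison from Task 4 (pslist against psscan) and from this task (modules against driverscan), plus the SSDT module check, are the same few lines of shell each time, so here they are as one script. This is an added example, not code from the room or from the Volatility project; the five input files are constructed and shaped like Volatility 3 text output (banner, progress line, header row, whitespace-separated columns), and the offsets, PIDs and the "hidden.sys" driver in them are made up. It assumes the compared fields contain no spaces, which holds for PIDs and module file names.

```shell
#!/bin/sh
# Added example (not from the TryHackMe room or the Volatility project).
# Cross-view detection: a "list" plugin walks a kernel linked list that a DKOM
# rootkit can unlink from; a "scan" plugin carves the same objects out of pool
# memory by tag. Whatever only the scanner returns is hidden or already
# terminated, and gets looked at by hand.
# Inputs are constructed and shaped like Volatility 3 output. On a real case:
#   python3 vol.py -f image.vmem windows.pslist > pslist.txt   (psscan, modules,
#   driverscan and ssdt likewise)

SAMPLES=$(mktemp -d)

cat > "$SAMPLES/pslist.txt" <<'EOF'
Volatility 3 Framework 2.7.0
Progress:  100.00  PDB scanning finished
PID PPID ImageFileName Offset(V) Threads
4 0 System 0x823c8830 51
368 4 smss.exe 0x822f1020 3
1484 1464 explorer.exe 0x821dea70 17
1640 1484 reader_sl.exe 0x81e7bda0 5
EOF
cat > "$SAMPLES/psscan.txt" <<'EOF'
Volatility 3 Framework 2.7.0
Progress:  100.00  PDB scanning finished
PID PPID ImageFileName Offset(V) Threads
4 0 System 0x823c8830 51
368 4 smss.exe 0x822f1020 3
1484 1464 explorer.exe 0x821dea70 17
1640 1484 reader_sl.exe 0x81e7bda0 5
2104 1484 svchost.exe 0x81d2c3b0 2
EOF
cat > "$SAMPLES/modules.txt" <<'EOF'
Volatility 3 Framework 2.7.0
Progress:  100.00  PDB scanning finished
Offset Base Size Name Path
0x823fc7c0 0x804d7000 0x1f8580 ntoskrnl.exe \WINDOWS\system32\ntoskrnl.exe
0x8231c2c8 0xf8a4e000 0x2000 Beep.SYS \SystemRoot\System32\Drivers\Beep.SYS
EOF
cat > "$SAMPLES/driverscan.txt" <<'EOF'
Volatility 3 Framework 2.7.0
Progress:  100.00  PDB scanning finished
Offset Start Size Service Key Driver Name Name
0x81ef1030 0xf8a4e000 0x2000 Beep \Driver\Beep Beep.SYS
0x81f66b50 0xf89c1000 0x3000 hidden \Driver\hidden hidden.sys
EOF
cat > "$SAMPLES/ssdt.txt" <<'EOF'
Volatility 3 Framework 2.7.0
Progress:  100.00  PDB scanning finished
Index Address Module Symbol
0 0x805862de ntoskrnl.exe NtAcceptConnectPort
145 0xf89c2a40 hidden.sys NtQueryDirectoryFile
4097 0xbf8a1c2b win32k.sys NtGdiAbortDoc
EOF

# Column $2 of the Volatility 3 table in file $1, lower-cased, sorted, unique.
# Skips the banner, the progress line, blank lines and the header row.
column_values() {
    awk -v col="$2" '
        /^Volatility 3 Framework/ || /^Progress:/ || /^[[:space:]]*$/ { next }
        !hdr { hdr = 1; next }
        { print tolower($col) }
    ' "$1" | sort -u
}

# Values the scan plugin reports that the list plugin never did.
# $1 = list-plugin file, $2 = its column; $3 = scan-plugin file, $4 = its column
hidden_in_scan() {
    list=$(mktemp); scan=$(mktemp)
    column_values "$1" "$2" > "$list"
    column_values "$3" "$4" > "$scan"
    comm -13 "$list" "$scan"      # lines present only in the scan output
    rm -f "$list" "$scan"
}

# SSDT entries resolving to anything but the kernel image or win32k. The kernel
# file name varies by build (ntoskrnl, ntkrnlpa, ntkrnlmp, ntkrpamp), so all
# four are allowed; anything else is printed as a hook candidate.
ssdt_hooks() {
    awk '
        /^Volatility 3 Framework/ || /^Progress:/ || /^[[:space:]]*$/ { next }
        !hdr { hdr = 1; next }
        { m = tolower($3) }
        m != "ntoskrnl.exe" && m != "ntkrnlpa.exe" && m != "ntkrnlmp.exe" &&
        m != "ntkrpamp.exe" && m != "win32k.sys" { print $1, $2, $3, $4 }
    ' "$1"
}

echo "[*] PIDs only psscan sees:";           hidden_in_scan "$SAMPLES/pslist.txt" 1 "$SAMPLES/psscan.txt" 1
echo "[*] drivers only driverscan sees:";    hidden_in_scan "$SAMPLES/modules.txt" 4 "$SAMPLES/driverscan.txt" 6
echo "[*] SSDT entries outside kernel/win32k:"; ssdt_hooks "$SAMPLES/ssdt.txt"
```

Column numbers are passed in because the compared field sits in a different place in each table (PID is column 1 in both process listings, the module name is column 4 in modules and column 6 in driverscan). On a real image expect some noise in the psscan difference: exited processes linger in pool memory, so pair each PID with its ExitTime before escalating it.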

🧑‍💻 Task 7: Practical Investigation – Case 002 (Ransomware)

Your org got hit with ransomware. Now it’s time to dissect that memory image.

🔍 Key Findings:

  • Suspicious Process @ PID 740: @WanaDecryptor@
  • Binary Path: C:\Intel\ivecuqmanpnirkt615\@WanaDecryptor@.exe
  • Parent Process: tasksche.exe
  • Malware Identified: WannaCry
  • Plugin for File Scan: windows.filescan

⚙️ Automate It: Bash Script for Memory Analysis

📜 Script: investigate_case002.sh

#!/bin/bash
set -euo pipefail

# ~ does not expand inside quotes, so build the paths from $HOME.
MEM_FILE="$HOME/Desktop/Investigations/Investigation-2.raw"
OUT_DIR="$HOME/Desktop/Investigations/Case002_Results"
# Run from the volatility3 checkout, or point VOL at it: VOL="python3 /opt/volatility3/vol.py"
VOL="${VOL:-python3 vol.py}"
SUSPECT_PID=740

echo "[*] Starting forensic sweep on $MEM_FILE..."
[ -r "$MEM_FILE" ] || { echo "[!] Cannot read $MEM_FILE" >&2; exit 1; }
mkdir -p "$OUT_DIR"

# One plugin per output file. Progress bars and warnings go to stderr, so they
# land in vol.log instead of polluting the results you will grep.
run_plugin() {
    local name="$1"; shift
    $VOL -f "$MEM_FILE" "$@" > "$OUT_DIR/$name.txt" 2>> "$OUT_DIR/vol.log"   # $VOL unquoted on purpose: it is "python3 vol.py"
}

run_plugin psscan     windows.psscan
run_plugin dlllist    windows.dlllist --pid "$SUSPECT_PID"
run_plugin pstree     windows.pstree
run_plugin malfind    windows.malfind
run_plugin ssdt       windows.ssdt
run_plugin modules    windows.modules
run_plugin driverscan windows.driverscan
$VOL -h > "$OUT_DIR/help.txt" 2>&1

echo "[✓] Investigation complete. Results saved in: $OUT_DIR"
echo "[!] Tip: grep -w '$SUSPECT_PID' $OUT_DIR/*.txt pulls out everything about the suspicious process."

🚀 Usage:

chmod +x investigate_case002.sh
./investigate_case002.sh

This script supercharges your investigation by:


  • Automating all necessary plugin calls
  • Saving outputs into organized files
  • Supporting faster grep/search workflows

🧠 Task 8: Final Thoughts

This TryHackMe room barely scratches the surface of what's possible with Volatility. But it equips you with:

  • Real-world workflows
  • Malware hunting techniques
  • Rootkit and kernel artifact analysis
  • Automation best practices

📚 Further reading: The Art of Memory Forensics by Ligh, Case, Levy, and Walters

🔌 Bonus Plugins to Explore:

  • windows.callbacks
  • windows.modscan
  • windows.driverirp
  • windows.moddump
  • windows.memmap
  • yarascan.YaraScan (generic) and windows.vadyarascan (per-process VAD ranges)


About the author: Waseem Akram (Researcher, Pentester, Dev), a cybersecurity expert and educator with a passion for sharing knowledge and helping others stay safe online.
