Mastering Memory Forensics with Volatility 3: Complete TryHackMe Room Walkthrough
Volatility Essentials | TryHackMe Walkthrough
Memory forensics is not just a technical exercise; it's a modern-day duel with cyber adversaries that hide in your system's memory like outlaws in the wild west. This blog post walks you through the Volatility Essentials room on TryHackMe, a gamified and practical entry into memory forensics with Volatility 3.
Perfect for blue teamers, SOC analysts, and reverse engineers, this guide will cover:
- What Volatility is and how it works
- How to analyze memory dumps
- Real-world scenarios involving malware and ransomware
- Automating your workflow with Bash
Let's saddle up, gunslinger.
Task 2: What is Volatility?
Volatility 3 is the modern, Python-based memory forensics framework that enables analysts to extract forensic artifacts from memory dumps.
Key Features:
- Cross-platform (Linux, Windows, macOS)
- Plugin-driven (Modular analysis)
- Uses dynamic symbol resolution (no more static profiles)
Installation:
# Clone the repo
$ git clone https://github.com/volatilityfoundation/volatility3.git
$ cd volatility3
# Run Volatility
$ python3 vol.py -h
Task 3: Memory Acquisition & Initial Analysis
Acquiring memory is your first step before any analysis. Here's a quick overview of tools:
- Windows: DumpIt, WinPmem, Magnet RAM Capture
- Linux: AVML, LiME
- macOS: OSXPmem
Case 001 Overview:
You're handed a memory dump from a compromised host infected with a banking trojan. Time to get dirty.
Step 1: Identify OS Details
python3 vol.py -f Investigation-1.vmem windows.info
Findings:
- Build Version: 2600.xpsp.080413-2111
- Acquisition Time: 2012-07-22 02:45:08
Task 4: Listing Processes & Connections
Active Processes
python3 vol.py -f Investigation-1.vmem windows.pslist
Hidden Processes (Rootkit Detection)
python3 vol.py -f Investigation-1.vmem windows.psscan
Process Tree
python3 vol.py -f Investigation-1.vmem windows.pstree
Handles and Files
python3 vol.py -f Investigation-1.vmem windows.handles
Network Connections
python3 vol.py -f Investigation-1.vmem windows.netstat
DLLs Loaded by Processes
python3 vol.py -f Investigation-1.vmem windows.dlllist
Quick Answers:
- Adobe Process Path: C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
- Parent Process: explorer.exe
- Parent PID: 1484
- DLLs outside system32: 3
- KeyedEvent: CritSecOutOfMemoryEvent
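To show how the two checks in this task are actually made, here is an added Python example (not code from the room or from the Volatility project) that parses Volatility 3's default tab-separated plugin output, lists PIDs that psscan finds but pslist does not (the hidden-process pattern), and flags modules whose path lies outside the Windows system directories. The sample output, PID 1337, hidden.exe and evil.dll are constructed; the Reader_sl.exe path is the one from the walkthrough.

```python
"""Compare Volatility 3 pslist/psscan output and inspect dlllist paths."""
import re

# Constructed sample output in the default quick-renderer format (tab-separated).
# PID 1337 is present only in the pool scan (psscan), not in the linked list (pslist).
PSLIST_OUT = """Volatility 3 Framework 2.5.0
Progress:  100.00\t\tPDB scanning finished
PID\tPPID\tImageFileName\tOffset(V)\tThreads\tHandles\tSessionId\tWow64\tCreateTime\tExitTime\tFile output
4\t0\tSystem\t0x823c89c8\t51\t244\tN/A\tFalse\t2012-07-22 02:42:31.000000 \tN/A\tDisabled
1484\t1464\texplorer.exe\t0x821dea70\t17\t415\t0\tFalse\t2012-07-22 02:42:36.000000 \tN/A\tDisabled
1640\t1484\treader_sl.exe\t0x81e7bda0\t5\t39\t0\tFalse\t2012-07-22 02:42:36.000000 \tN/A\tDisabled
"""
PSSCAN_OUT = PSLIST_OUT + (
    "1337\t4\thidden.exe\t0x81d30020\t3\t57\t0\tFalse\t2012-07-22 02:44:12.000000 \tN/A\tDisabled\n"
)
DLLLIST_OUT = """Volatility 3 Framework 2.5.0
PID\tProcess\tBase\tSize\tName\tPath\tLoadTime\tFile output
1640\treader_sl.exe\t0x400000\t0xa000\tReader_sl.exe\tC:\\Program Files\\Adobe\\Reader 9.0\\Reader\\Reader_sl.exe\tN/A\tDisabled
1640\treader_sl.exe\t0x7c900000\t0xaf000\tntdll.dll\tC:\\WINDOWS\\system32\\ntdll.dll\tN/A\tDisabled
1640\treader_sl.exe\t0x10000000\t0x1e000\tevil.dll\tC:\\Intel\\tmp\\evil.dll\tN/A\tDisabled
"""

def parse_table(text):
    """Turn quick-renderer output into a list of dicts keyed by column name.
    Banner and progress lines before the 'PID' header are skipped."""
    rows, header = [], None
    for line in text.splitlines():
        if header is None:
            if line.startswith("PID\t"):
                header = line.split("\t")
            continue
        cells = line.split("\t")
        if len(cells) == len(header):
            rows.append(dict(zip(header, cells)))
    return rows

def hidden_processes(pslist_text, psscan_text):
    """(PID, name) pairs found by pool scanning but absent from the EPROCESS list."""
    listed = {r["PID"] for r in parse_table(pslist_text)}
    return sorted((r["PID"], r["ImageFileName"])
                  for r in parse_table(psscan_text) if r["PID"] not in listed)

# Anything loaded from outside these directories deserves a closer look.
SYSTEM_DIRS = re.compile(r"^C:\\WINDOWS\\(system32|syswow64)\\", re.IGNORECASE)

def dlls_outside_system32(dlllist_text, pid):
    """Paths of modules in process `pid` not located under the system directories."""
    return [r["Path"] for r in parse_table(dlllist_text)
            if r["PID"] == str(pid) and not SYSTEM_DIRS.match(r["Path"])]

if __name__ == "__main__":
    print("hidden:", hidden_processes(PSLIST_OUT, PSSCAN_OUT))
    print("non-system modules in 1640:", dlls_outside_system32(DLLLIST_OUT, 1640))
```

Feed it the real files by reading `psscan.txt`, `pslist.txt` and `dlllist.txt` saved from the commands above; the main image itself counts as a non-system path here, as the room's own count does.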
Task 5: Hunting Injected Code
Detect Injected Shellcode / Binaries
python3 vol.py -f Investigation-1.vmem windows.malfind
Analyze Memory Regions
python3 vol.py -f Investigation-1.vmem windows.vadinfo
Key Findings:
- Processes with MZ headers (executable): explorer.exe, reader_sl.exe
Task 6: Advanced Rootkit Detection
SSDT Hooking
python3 vol.py -f Investigation-1.vmem windows.ssdt
- Answer: 0x8056e27c
Kernel Modules
python3 vol.py -f Investigation-1.vmem windows.modules
Driver Scanning (DKOM/rootkit detection)
python3 vol.py -f Investigation-1.vmem windows.driverscan
Task 7: Practical Investigation - Case 002 (Ransomware)
Your org got hit with ransomware. Now it's time to dissect that memory image.
Key Findings:
- Suspicious Process @ PID 740: @WanaDecryptor@
- Binary Path: C:\Intel\ivecuqmanpnirkt615\@WanaDecryptor@.exe
- Parent Process: tasksche.exe
- Malware Identified: WannaCry
- Plugin for File Scan: windows.filescan
Automate It: Bash Script for Memory Analysis
Script: investigate_case002.sh
#!/bin/bash
# Sweep the Case 002 image with the plugins used above, one output file per plugin.
# Run from the volatility3 checkout so that vol.py resolves on the relative path.
set -euo pipefail
# Tilde does not expand inside double quotes, so build the paths from $HOME
MEM_FILE="$HOME/Desktop/Investigations/Investigation-2.raw"
OUT_DIR="$HOME/Desktop/Investigations/Case002_Results"
echo "[*] Starting forensic sweep on $MEM_FILE..."
mkdir -p "$OUT_DIR"
python3 vol.py -f "$MEM_FILE" windows.psscan > "$OUT_DIR/psscan.txt"
python3 vol.py -f "$MEM_FILE" windows.dlllist --pid 740 > "$OUT_DIR/dlllist.txt"
python3 vol.py -f "$MEM_FILE" windows.pstree > "$OUT_DIR/pstree.txt"
python3 vol.py -f "$MEM_FILE" windows.malfind > "$OUT_DIR/malfind.txt"
python3 vol.py -f "$MEM_FILE" windows.ssdt > "$OUT_DIR/ssdt.txt"
python3 vol.py -f "$MEM_FILE" windows.modules > "$OUT_DIR/modules.txt"
python3 vol.py -f "$MEM_FILE" windows.driverscan > "$OUT_DIR/driverscan.txt"
python3 vol.py -f "$MEM_FILE" -h > "$OUT_DIR/help.txt"
echo "[+] Investigation complete. Results saved in: $OUT_DIR"
echo "[!] Tip: grep '740' across these files to extract specific data faster."
Usage:
chmod +x investigate_case002.sh
./investigate_case002.sh
This script supercharges your investigation by:
- Automating all necessary plugin calls
- Saving outputs into organized files
- Supporting faster grep/search workflows
Task 8: Final Thoughts
This TryHackMe room barely scratches the surface of what's possible with Volatility. But it equips you with:
- Real-world workflows
- Malware hunting techniques
- Rootkit and kernel artifact analysis
- Automation best practices
Recommended Reading:
- The Art of Memory Forensics by Ligh, Case, Levy, and Walters
Bonus Plugins to Explore:
- windows.callbacks
- windows.modscan
- windows.driverirp
- windows.moddump
- windows.memmap
- yarascan