Affiliate disclosure
Book titles on this page link to Amazon. As an Amazon Associate, DataField.Dev earns from qualifying purchases โ at no additional cost to you.
Chapter 22 โ Further Reading
Memory forensics has one canonical book, one canonical tool, and a deep bench of free, high-quality practice material. Start with the book to build the model, then live in the tool against real images โ this is a discipline you cannot learn by reading alone.
Foundations (๐ฌ deeper / structure-level)
- "The Art of Memory Forensics" โ Ligh, Case, Levy & Walters (Wiley). The definitive text and the backbone of this chapter: Windows, Linux, and Mac internals, every Volatility plugin, and the structural reasoning (
_EPROCESS, pool tags, the PEB lists) behind why the techniques work. If you own one DFIR book beyond the basics, own this. - The Volatility 3 documentation and source (volatilityfoundation.org, GitHub
volatilityfoundation/volatility3). The authoritative plugin reference and the symbol-table (ISF) workflow. Read how Windows symbols are fetched automatically and how you build a Linux ISF withdwarf2jsonโ the difference decides whether an image is analyzable. - RFC 3227, "Guidelines for Evidence Collection and Archiving" (Brezinski & Killalea, IETF). Short and free; the citation for the order of volatility that makes "capture before power-off" a standard, not an opinion.
Approachable explanations (everyone)
- 13Cubed (Richard Davis), YouTube โ the memory-forensics episodes. Free, rigorous, visual walk-throughs of acquisition and Volatility 3 on real images. The fastest way to see
pslist/psscan/malfind/ldrmodulesactually run. - "Investigating Windows Memory" / SANS FOR508 posters and blog. One-page maps of the plugin workflow and the injection signatures; tape one beside your keyboard.
- The DFIR Report (thedfirreport.com). Detailed, free write-ups of real intrusions โ beaconing, fileless implants, process hollowing โ that show why command line, parentage, and live network state are the artifacts that matter.
In practice (๐พ Recovery ยท ๐ Examiner ยท ๐ก๏ธ IR ยท ๐ Legal)
- ๐ก๏ธ๐ Volatility, MemProcFS, and bulk_extractor (all free/open-source). Volatility for structured analysis; MemProcFS to mount a memory image as a browsable file system for fast triage; bulk_extractor/aeskeyfind to sweep for emails, URLs, and AES key schedules. Run all three against one image to feel their complementary strengths.
- ๐ WinPmem, AVML (Microsoft), LiME (504ensicsLabs), DumpIt (Magnet) โ GitHub. The free imagers named in the chapter. Read each README and note how it describes its own footprint โ you will be asked about it.
- ๐พ The "encryption key from RAM" workflow (aeskeyfind / bulk_extractor โ FVEK). For the recovery technician, the single most dramatic save in this chapter: a mounted, encrypted volume becomes readable from a live capture. Practice it on a test BitLocker/VeraCrypt VM.
- ๐ The Fifth-Amendment "seized key vs. compelled passphrase" literature. For the legal reader, the doctrine that makes live capture of an unlocked device so consequential โ pair it with Chapter 25.
Reference (this book)
- Appendix C โ Tool Reference: Volatility 2/3 plugin syntax, acquisition-tool options, MemProcFS, bulk_extractor.
- Appendix F โ Chain-of-Custody and Report Templates: the capture log every acquisition needs.
- Appendix J โ Practice Images and Lab Setup: where to get memory images to practice on.
- Chapter 15 โ Live Response and Triage (the capture decision) and Chapter 29 โ Encrypted Device Forensics (key recovery), the chapters on either side of this one's core skills.
Do, don't just read
- Capture your own RAM, twice, and diff the hashes. Five minutes with WinPmem or AVML makes page smear real in your hands โ you will never be rattled by the "is it atomic?" question under cross-examination.
- Work a public memory image end to end. Pull a practice image (Appendix J), run the full triage pass, diff
pslistagainstpsscan, find the injected region withmalfind, and dump and hash the payload. You do not understand hollowing until you have watched the in-memory image fail to match the on-disk binary with your own eyes. - Recover a key from a live capture. Stand up a BitLocker or VeraCrypt test VM, capture its RAM while the volume is mounted, and pull the AES key with
aeskeyfind. Feeling the "unrecoverable" volume open is the lesson of Case Study 2 learned the right way around.
Next: Chapter 23 โ Network Forensics: follow the beacon you found in memory out onto the wire โ packet captures, flow records, protocol analysis, and proving not just what ran on a host, but what it said to the world.