Goal
Use Volatility 3 to hunt malware and suspicious activity in memory dumps.
When to use
- When you have a memory capture from a suspicious host
- When you need deeper insight than disk/EDR telemetry provides
Prereqs
- Memory dump acquired with a trusted tool, hashed at acquisition time, and stored read-only (analyse a working copy, never the original)
- Volatility 3, plus symbol tables for the target OS build, available in your analysis environment (Windows symbols are fetched automatically when online; Linux and macOS symbols must be supplied)
Procedure (high level)
- Validate the dump (hash matches the acquisition record) and confirm Volatility 3 resolves a symbol table for it (windows.info, or banners.Banners for Linux); there are no profiles to pick in Volatility 3
- Enumerate processes several ways and diff the views: windows.pslist against windows.psscan and windows.pstree for unlinked or oddly parented processes, windows.malfind for injected executable regions
- Pivot from suspects into windows.cmdline, windows.netscan, windows.dlllist and windows.modules, handles (windows.handles), and persistence keys via windows.registry.printkey
- Document each finding with the plugin, PID, offset and output line that supports it, and turn confirmed indicators into detections
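The procedure above as one shell session, added here as an example and not part of the original runbook or of the Volatility project. It assumes the Volatility 3 CLI is on PATH as `vol`, that the image is a Windows dump, and that a SHA-256 of the image was recorded at acquisition time in a `<image>.sha256` sidecar file; the pslist/psscan cross-check is exercised on constructed CSV output so the script runs without an image.

```shell
#!/usr/bin/env bash
# Added example (not the runbook's own tooling). Assumes: Volatility 3 CLI on
# PATH as `vol`, a Windows image, and a SHA-256 recorded at acquisition time in
# "<image>.sha256" (sha256sum format). Run as: ./triage.sh image.raw out/
set -euo pipefail

# Step 1: validate before analysing. If the hash does not match the acquisition
# record, the image is not the evidence you think it is; stop here.
verify_dump() {
    local dump="$1"
    sha256sum --check --status "${dump}.sha256"
}

# Steps 2-3: fixed plugin order, CSV renderer so outputs are diffable and a
# second analyst can reproduce them. windows.info goes first: Volatility 3 has
# no profiles, it resolves a symbol table from the kernel's PDB GUID, and if
# that fails every later plugin fails the same way.
triage_dump() {
    local dump="$1" out="$2" plugin
    mkdir -p "$out/malfind"
    for plugin in windows.info windows.pslist windows.psscan windows.pstree \
                  windows.cmdline windows.netscan windows.dlllist \
                  windows.modules windows.handles; do
        vol -q -f "$dump" -r csv "$plugin" > "$out/$plugin.csv"
    done
    # malfind with --dump writes the injected regions under -o for hashing/YARA.
    vol -q -f "$dump" -o "$out/malfind" -r csv windows.malfind --dump \
        > "$out/windows.malfind.csv"
}

# Pull the PID column by header name rather than position, so a renderer change
# (or the leading TreeDepth column) does not silently shift the field.
pid_column() {
    awk -F, 'NR == 1 { for (i = 1; i <= NF; i++) { gsub(/"/, "", $i); if ($i == "PID") c = i }; next }
             c { gsub(/"/, "", $c); print $c }' "$1" | sort -u
}

# Pivot: a process that pool scanning (psscan) finds but the EPROCESS list
# (pslist) does not is either unlinked (DKOM) or simply exited with its pool
# block not yet reused. Surface it; the ExitTime column decides which.
hidden_pids() {
    local pslist="$1" psscan="$2"
    comm -13 <(pid_column "$pslist") <(pid_column "$psscan")
}

# Constructed sample output in the shape of `vol -r csv windows.pslist` and
# `windows.psscan`, so the cross-check can be exercised without an image.
demo() {
    local d
    d="$(mktemp -d)"
    cat > "$d/windows.pslist.csv" <<'EOF'
"TreeDepth","PID","PPID","ImageFileName","Offset(V)","Threads","Handles","SessionId","Wow64","CreateTime","ExitTime","File output"
0,4,0,System,0xfa8000c5e040,92,N/A,N/A,False,2024-03-01 08:00:00.000000 ,N/A,Disabled
0,512,4,smss.exe,0xfa80018a7b30,2,N/A,N/A,False,2024-03-01 08:00:01.000000 ,N/A,Disabled
0,1320,512,svchost.exe,0xfa80021e0060,11,N/A,0,False,2024-03-01 08:00:05.000000 ,N/A,Disabled
EOF
    cat > "$d/windows.psscan.csv" <<'EOF'
"TreeDepth","PID","PPID","ImageFileName","Offset(V)","Threads","Handles","SessionId","Wow64","CreateTime","ExitTime","File output"
0,4,0,System,0xfa8000c5e040,92,N/A,N/A,False,2024-03-01 08:00:00.000000 ,N/A,Disabled
0,512,4,smss.exe,0xfa80018a7b30,2,N/A,N/A,False,2024-03-01 08:00:01.000000 ,N/A,Disabled
0,1320,512,svchost.exe,0xfa80021e0060,11,N/A,0,False,2024-03-01 08:00:05.000000 ,N/A,Disabled
0,4680,1320,svchost.exe,0xfa8002c1a060,3,N/A,0,False,2024-03-01 09:12:44.000000 ,N/A,Disabled
EOF
    hidden_pids "$d/windows.pslist.csv" "$d/windows.psscan.csv"
    rm -rf "$d"
}

if [ "$#" -eq 2 ]; then
    verify_dump "$1"
    triage_dump "$1" "$2"
    hidden_pids "$2/windows.pslist.csv" "$2/windows.psscan.csv"
else
    demo
fi
```

On the constructed sample the cross-check reports PID 4680, present in the pool scan but not in the linked process list. Treat that as a lead, not a verdict: a recently exited process looks identical here, so check its ExitTime in the psscan row and its parent's command line before calling it DKOM.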
Validation
- Findings are reproducible (same image, same plugin and arguments, same output) and each one is mapped to concrete evidence: plugin, PID, offset, and the output line or dumped file it came from
