Memory Forensics Landscape and Lab Setup

What this course is

This is a practical memory forensics course built on a unique pedagogy: attack, capture, analyse. You run scripted attacks from a Kali VM against Windows and Linux targets, capture memory before and after each attack, and analyse your own attack's evidence using Volatility 3 and MemProcFS. Ten modules take you from first principles through kernel-level compromise and a full attack-chain capstone investigation.

Memory is the evidence source that wins against attackers who treat disk as enemy territory. Reflective DLL loading, in-memory credential theft, living-off-the-land execution, kernel rootkits that never touch the filesystem — every one of these techniques produces investigations where the disk contains nothing and the memory contains everything. The practitioner who treats memory forensics as a specialist subdiscipline for unusual cases investigates only the cases where attackers cooperated by writing to disk. The practitioner who treats memory acquisition and analysis as operational baseline investigates the full threat landscape.

The attack-capture-analyse model means you understand both sides. You run the attack, so you know exactly what should be in memory. You capture, so you understand acquisition mechanics and evidence integrity. You analyse, so you build the pattern recognition to find the same artifacts when you don't know what the attacker did. By the end of the course, you've personally executed every major memory-resident attack category and proven you can find the evidence afterward.

This is a Specialist-tier course — the deepest forensic course on the platform. It expects you to have investigated incidents before. It goes beyond tool proficiency into memory structure analysis: page table walks, VAD tree interpretation, kernel object enumeration, and rootkit detection at the structural level.

What this course teaches

Ten modules across four phases. MF0 and MF1 are free — no account required.

Phase 1 — Foundations (MF0, MF1). You are here now. MF0 establishes the memory forensics landscape — the four categories of attack where memory evidence is decisive, the three-category artefact taxonomy (volatile structures, ephemeral data, transient artefacts), the six-phase Memory Forensics Workflow (Acquire → Identify → Enumerate → Analyse → Correlate → Conclude), physical vs. virtual memory, Volatility 3 and MemProcFS tool orientation, evidence reliability assessment, and the Northgate Engineering scenarios. MF1 teaches memory acquisition — building the three-VM lab (Kali attacker, Windows target, Linux target), capturing clean baseline memory with WinPmem and LiME, verifying capture integrity, and establishing the acquisition discipline used in every subsequent module.

Phase 2 — Windows Memory Analysis (MF2–MF6). Five modules covering every major Windows memory attack category. Process injection — reflective DLL injection, process hollowing, APC injection, analyzed through VAD regions, malfind output, and injected-code identification (MF2). Credential theft — LSASS memory analysis, Mimikatz artifact identification, credential extraction detection, and the difference between active and cached credentials in memory (MF3). Fileless malware — PowerShell in-memory execution, .NET assembly loading, WMI event subscriptions, and the memory artifacts that fileless techniques leave despite producing no disk evidence (MF4). Persistence — registry-backed persistence in memory, scheduled task structures, service entries, and how persistence mechanisms appear in memory before and after reboot (MF5). Windows kernel-level compromise — kernel rootkits, DKOM (Direct Kernel Object Manipulation), SSDT hooks, driver analysis, and the structural verification techniques that detect kernel tampering (MF6).

Phase 3 — Linux Memory Analysis (MF7). One module covering Linux-specific memory analysis — process structures, kernel module enumeration, rootkit detection, network connection analysis, and the differences between Linux and Windows memory forensics using Volatility 3's Linux plugins.

Phase 4 — Integration and Capstone (MF8, MF9). Memory timeline construction and multi-source correlation — building timelines from memory evidence, correlating memory findings with disk and log evidence, and the analysis methodology that produces a coherent investigation narrative from multiple evidence sources (MF8). Capstone — a full attack-chain investigation (INC-2026-0315) where you analyse memory from a multi-stage compromise with no guidance, applying every technique from the course (MF9).

You should study the course linearly. Each module's attack builds on the lab environment from the previous module, and analysis techniques compound — process injection analysis (MF2) is prerequisite for fileless malware analysis (MF4), and credential theft analysis (MF3) requires understanding injection artifacts.

Who this course is for

This is a specialist course for practitioners with existing forensic or investigation experience who want to add memory forensics to their capability.

DFIR practitioner who hits cases where disk analysis isn't enough. You investigate incidents with KAPE, EZ Tools, and event log analysis. But you've encountered cases where the attacker used reflective injection, fileless malware, or in-memory credential theft — and the disk had nothing. This course builds the memory-side expertise that closes those investigations.

Detection engineer building detections for memory-resident threats. You write detection rules for endpoint telemetry. Understanding exactly what each attack looks like in memory — the VAD flags, the parent-child process anomalies, the injected regions — makes your detections more precise. The course teaches the evidence structure your detections need to catch.

SOC analyst moving into advanced investigation. You want hands-on exposure to attacker techniques without committing to a full offensive security course. The attack-capture-analyse model gives you controlled offensive experience in a lab, with the focus on the defensive analysis.

Threat hunter who needs to recognize memory artifacts. You hunt proactively in endpoint telemetry. Understanding the underlying memory structures — what a hollowed process looks like in the VAD tree, what credential theft leaves in the LSASS address space — makes your hunting hypotheses more targeted.

Red teamer cross-training into blue. You already know the offensive side. This course shows what your tradecraft looks like from the defender's seat — the specific memory artifacts that every injection technique, every credential dump, every persistence mechanism leaves behind.

Prerequisites

Two required, one strongly recommended.

Windows forensic investigation experience. You should have completed the Practical IR (Windows) course or have equivalent experience. You should be comfortable with KAPE collection, EZ Tools parsing, event log analysis, and basic timeline construction. This course assumes you can already investigate a Windows incident. It teaches you to investigate the memory layer.

Comfort with command-line tools. You'll run Volatility 3 commands from the terminal throughout the course. You should be comfortable with command-line tools and their output. No scripting is required — the course provides complete commands — but you need to navigate terminal output without difficulty.

Strongly recommended: Practical IR (Windows) or Advanced Windows Forensic Analysis. The investigation methodology, the NE environment, and the tool proficiency from these courses are assumed throughout. MF0 covers the memory-specific foundations, but general forensic investigation methodology is treated as background knowledge.

Nothing else is required. No programming, no kernel development, no reverse engineering. The course teaches memory analysis using Volatility 3 (free, open source) and MemProcFS (free, open source).

Lab setup

A three-VM lab: Kali (attacker), Windows target, Linux target. You build it in MF1.

Kali VM (attacker). Kali Linux with Metasploit, Mimikatz cross-compiled binaries, and scripted attack playbooks provided per module. Used to execute the attacks against target VMs. 2 GB RAM, 40 GB disk.

Windows target VM. Windows 10/11 evaluation with WinPmem installed for memory acquisition. The target you attack and capture. 4 GB RAM minimum (memory images scale with VM RAM — 4 GB VM produces a ~4 GB memory image).

Linux target VM. Ubuntu Server with LiME for memory acquisition. Target for MF7 (Linux memory analysis). 2 GB RAM, 20 GB disk.

Analysis workstation. Your host machine or a dedicated analysis VM. Volatility 3 and MemProcFS installed. Python 3 for Volatility. 16 GB RAM recommended (Volatility needs headroom to process multi-GB memory images). 100+ GB free storage for memory images across modules.

Hardware requirements. 16 GB RAM minimum to run the attacker VM and one target VM simultaneously. 32 GB recommended for comfortable operation with analysis tools running in parallel. SSD strongly recommended — memory image processing is I/O intensive.

No hosted sample images. The course does not provide pre-captured memory images (except synthetic plugin output in MF0 Try-its). From MF1 onward, you capture your own images by running the attack and acquiring memory from your own target VMs. This is deliberate — the attack-capture-analyse model means you know exactly what should be in the image because you put it there.

What you can skip: you don't need to build the lab before starting MF0. The first module is the evidence landscape — concepts, taxonomy, and methodology. Build your three-VM lab when you reach MF1. MF0 Try-its use synthetic plugin output provided inline — no tools or images required.

How the course is structured

Every module from MF2 onward follows the attack-capture-analyse cycle.

Attack playbook. Each paid module has a standalone attack playbook page — the complete end-to-end attack commands, expected output, and troubleshooting. You can have the playbook open alongside the analysis subs. The playbook teaches you what the attack does; the analysis subs teach you what it looks like in memory.

Objective header. The investigation question the subsection answers, the memory artifact it examines, and the time estimate.

Diagram. Every subsection has an SVG diagram — the memory structure at the conceptual or process level, the attack flow, the VAD layout, or the analysis decision tree. Both conceptual SVGs (taxonomy, relationships) and process SVGs (annotated plugin output, hex-level structure) appear throughout.

Guided procedure. Numbered steps with expected output and failure branches. The analysis procedures are specific and verifiable at every step — run this Volatility command, see this output, interpret this field.

Checkpoint. Three self-diagnostic questions at the end of each subsection. Phrased as specific capabilities: "classify a malfind finding into volatile/ephemeral/transient and defend the classification in one sentence."

Try-it. Analyse the evidence yourself. In MF0: synthetic plugin output provided inline (paper-based analysis). In MF1: your first real capture. In MF2 onward: your own attack's memory image. Four components: Setup, Task, Expected Result, Debugging Branch.

Decision Point. Forensic judgment calls — is this memory region injected or legitimate, is this process hollowed or normal, does this credential artifact indicate active compromise or cached history.

Compliance Myth. Memory forensics misconceptions — "memory evidence is too volatile to be reliable," "you need a kernel debugger for memory forensics," "fileless means no evidence."

Artifact footer. The operational artefact — a Volatility command reference, an analysis checklist, a classification decision tree, a reporting template.

Module completion pattern. Each module has content subsections (ten to twelve), a module summary, and a Check My Knowledge subsection with scenario-based questions. MF2 (process injection) and MF6 (kernel compromise) are the densest modules.

Time per phase

The course is self-paced. No cohorts, no deadlines, no streaks. This is a Specialist-tier course — expect slower pace than standard courses. Each module involves running attacks, capturing memory, and performing analysis — the lab work takes real time.

Phase 1 (MF0, MF1): Two to three evenings. MF0 is the evidence landscape and methodology. MF1 is lab build and first baseline capture — plan a half day for the three-VM setup.

Phase 2 (MF2–MF6): Six to eight weeks at five to eight hours per week. Five modules covering every Windows memory attack category. MF2 (process injection) and MF6 (kernel compromise) are the longest — plan extra time for the kernel-level analysis.

Phase 3 (MF7): One to two weeks. One module covering Linux memory analysis.

Phase 4 (MF8, MF9): Two to three weeks. MF8 is timeline construction and correlation. MF9 (capstone) requires a full weekend — a complete multi-stage investigation with no guidance.

Full course at five to eight hours per week: twelve to sixteen weeks. The attack-capture-analyse cycle means each module takes longer than a reading-only course — budget time for the lab work.

Start here

Go to MF0.1 next. It establishes the four categories of attack where memory evidence is decisive — the investigations where disk forensics alone cannot close the case. Understanding why memory matters is the foundation for committing to the lab work that follows.

After MF0.1, the remaining MF0 subsections cover the three-category artefact taxonomy, the six-phase Memory Forensics Workflow, physical vs. virtual memory, Volatility 3 and MemProcFS tool orientation, WinDbg as a complementary tool, evidence reliability and confidence assessment, the legal context for memory evidence, the NE scenarios, lab setup, and a scenario-based knowledge check.

Work through MF0 in order. The artefact taxonomy from MF0.2 and the workflow from MF0.3 are the framework every subsequent module applies.