In this module

MF0.5 Volatility 3 and MemProcFS — The Analysis Framework

Module 0 · Free

What you already know

From MF0.1-0.4 you know why memory forensics matters, what lives in memory, how the six-phase workflow runs, and how addressing works. What you don't know yet is which tools you'll be running every step of the workflow with. This sub establishes the two that matter: Volatility 3 as the primary structural-analysis framework, and MemProcFS as the complementary filesystem-view tool.

Operational Objective

Memory forensics has two mainstream open-source tools in 2026 and most practitioners learn them incorrectly. Volatility 3 replaced Volatility 2 in 2020, but the majority of online tutorials, courses, and reference material still teach Volatility 2 — leading practitioners to run V2 commands against V3, be confused when nothing works, and fall back to whichever version they found a working tutorial for.

MemProcFS is the newer filesystem-view approach that many senior practitioners rate as faster for initial triage than Volatility 3, but institutional DFIR training rarely teaches it at all, leaving it as something practitioners "figure out eventually" rather than learn systematically. The consequence is wasted time on every investigation — tutorials that don't apply, commands that fail silently, tool choices made from which tutorial the practitioner found rather than which tool fits the task.

This subsection establishes the correct tool landscape for 2026: Volatility 3 as the primary structural-analysis framework, MemProcFS as the complementary filesystem-view tool that accelerates specific workflows, and the decision logic for choosing between them on any given question. The practitioner completing this subsection stops googling "volatility" and getting six-year-old tutorials; they know what each tool does, when each is correct, and how to use them in combination.

Deliverable: Working knowledge of Volatility 3's architecture (contexts, symbols, requirements, plugins) and how it differs from Volatility 2, MemProcFS's filesystem-view model and the advantages it produces, the decision criteria for choosing Volatility 3 versus MemProcFS for any given analytical question, the combination patterns where using both in parallel accelerates investigation, and the tool-selection rule that determines which tool runs on any given question.

Estimated completion: 40 minutes

Volatility 3 and MemProcFS are not competitors. They're complementary projections of the same memory image. Volatility 3 answers structured questions (the plugin you ran produced the CSV you needed). MemProcFS lets you navigate the image as a filesystem, which is faster for browsing-style triage. Mature practitioners use both on the same case.

A memory image is just bytes until a tool gives the bytes structure. The two mainstream open-source tools that do this in 2026 are Volatility 3 and MemProcFS, and they take radically different approaches. Volatility 3 is a plugin framework — you ask a specific question (windows.pslist, windows.malfind, windows.netscan) and the plugin runs, parses the relevant kernel structures, and produces structured output. MemProcFS is a filesystem projection — it mounts the memory image as a virtual drive and presents processes, files, handles, and kernel objects as folders and files that any filesystem-aware tool can read. The mental model for Volatility 3 is "query the memory." The mental model for MemProcFS is "browse the memory." Both mental models produce correct answers on the same image; each is faster than the other for specific questions.

The first thing to get right about Volatility is that Volatility 3 is not Volatility 2. They share a name, an origin, and a philosophy, but they are architecturally different tools with different command syntax, different plugin names, and different capabilities. Volatility 2 (released 2007–2020) required a separate "profile" per target OS — downloadable profile packs for every Windows build, custom-built profiles for Linux kernels. Volatility 3 (released 2020, actively developed) replaced profiles with symbol-based analysis, pulling debug symbols from Microsoft's symbol server or generating them from Linux kernel debug packages. The command structure changed from volatility -f image --profile=Win10x64_19041 pslist (V2) to vol -f image windows.pslist (V3). Every V2 tutorial showing the first form produces an error on V3. The majority of search results when you google "volatility" still point to V2 tutorials, which is why practitioners starting now waste hours on non-working commands before realising what happened.

Extended context — symbol architecture and air-gapped analysis

The symbol-based architecture of Volatility 3 is worth understanding because it affects every investigation. In V2, each memory image required you to know the OS version and download the matching profile package before analysis could start. Profile mismatches produced either loud errors (the plugin crashed) or — worse — quiet corruption (the plugin ran but reported fields from wrong memory locations because the structure offsets didn't match). In V3, the framework identifies the OS and version from the image itself, then pulls the matching symbols on demand. For Windows, symbols come from Microsoft's public symbol server (msdl.microsoft.com) and are cached locally after first download. For Linux, symbols come from dwarf2json conversion of the kernel's debug package, which must be obtained for the exact kernel version.

This means V3 assumes internet access for first-use on any given Windows build. For air-gapped analysis workstations (forensic labs that intentionally isolate analysis systems), symbols must be pre-staged: download them on a connected system first, copy them to the analysis workstation's symbol cache. V3 documents this workflow explicitly in its PDB-SERVER.md reference, but practitioners coming from V2 rarely think about it until their first air-gapped analysis fails.

Volatility 3's architecture — contexts, symbols, requirements, plugins

Volatility 3 operates on four concepts that every investigation uses whether the practitioner knows about them or not. Contexts are the runtime environment — the memory image, the symbol table, the OS identification, the configuration state. Every plugin execution creates a context. Symbols are the structure definitions (field names, offsets, sizes) for the specific OS version the image was captured from; Volatility 3 pulls them automatically for Windows and generates them from debug info for Linux. Requirements are the parameters a plugin needs (a memory image path, an optional PID filter, an optional output directory for dumps); plugins declare their requirements and the framework validates them. Plugins are the executable units of analysis — windows.pslist, windows.malfind, linux.pstree, and so on. Every plugin operates within a context, uses symbols to parse memory, accepts its declared requirements, and produces structured output.

For practical use, the investigator cares about two of these: which plugin to run, and whether the symbols resolve correctly. The other two operate transparently. Plugin selection is covered in depth in later modules — MF3 covers process-memory plugins, MF4–MF6 cover Windows-specific plugins, MF7–MF8 cover Linux-specific plugins. For MF0 the key point is that Volatility 3's plugin catalogue is organised by OS (windows., linux., mac.*) and by structure type within OS (windows.pslist, windows.psscan, windows.netscan). Running vol --help lists every available plugin; running vol windows.pslist --help documents the specific plugin's requirements.

Volatility 3's output model is command-line structured text by default — human-readable tables that tools like awk, grep, and jq can post-process. Adding -r csv or -r json produces machine-readable output for automated analysis. The scriptability matters for documentation: an investigation whose commands were run with -r csv | tee phase3-pslist.csv produces saveable evidence that becomes part of the case file exactly as the plugin reported it. An investigator who ran plugins interactively and then transcribed results into their notes has introduced a transcription layer that opposing experts can challenge. Command-and-output redirection eliminates that layer.

MemProcFS's model — filesystem projection, browse rather than query

MemProcFS takes a completely different architectural approach. Instead of providing plugins that answer specific questions, it mounts the memory image as a virtual filesystem (on Windows: a drive letter; on Linux: a FUSE mount point). Every running process becomes a folder under name/. Every file the process has open becomes a file under that process's folder. Kernel objects, registry hives, network connections, loaded DLLs, handles — all appear as navigable filesystem entries. The practitioner examines memory by running cd, ls, cat, and type, not by recalling plugin names.

The practical difference shows up in triage speed. Asking "what's in this memory image" in Volatility 3 means knowing which plugins to run and remembering their names — windows.pslist, windows.netscan, windows.cmdline, windows.malfind, windows.dlllist, and so on. The plugin names are the vocabulary you need, and missing a plugin means missing the evidence. Asking "what's in this memory image" in MemProcFS means navigating the filesystem tree under M:/ (or wherever you mounted it) — no vocabulary needed, everything that exists is visible as folders. An investigator unfamiliar with the memory image can explore it in MemProcFS the way they'd explore an unfamiliar disk: by walking the directory structure and opening files that look interesting.

Concretely, here is the same analytical question — "what command line was PID 4872 launched with?" — answered both ways. In Volatility 3:

# Must know the plugin name (windows.cmdline) and the required argument (--pid)
$ vol -f NE-FIN-014-mem.raw windows.cmdline --pid 4872

# Expected output:
#
# PID   Process         Args
# 4872  powershell.exe  powershell.exe -nop -w hidden -enc JABjAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAE4A...

Plugin-driven query. The investigator needed to know that windows.cmdline is the plugin name, that --pid is how you filter to a specific process, and that the output would be command-line text. If they'd forgotten any of these, they'd have needed to look them up.

The same question in MemProcFS:

# Mount the image once; browse like a filesystem.
$ MemProcFS.exe -device NE-FIN-014-mem.raw -mount M:
# Navigate to the process. Every running process is a folder under M:/name/
$ cat /mnt/M/name/powershell.exe-4872/cmdline.txt

# Expected output (contents of the file):
#
# powershell.exe -nop -w hidden -enc JABjAD0ATgBlAHcALQBPAGIAagBlAGMAdAAgAE4A...

Browse-driven discovery. The investigator navigated to the process folder (which appeared in the filesystem tree once the image was mounted) and read the command-line value as if it were a text file. No plugin name to remember; the information was exposed as a file the investigator could see by listing the directory.

Same answer from both tools. The difference is the cognitive model: Volatility 3 is faster when the investigator already knows what to ask; MemProcFS is faster when the investigator is exploring to find what's there. Both tools use the same underlying kernel structures, so there is no "more accurate" option. There is only "better fit for the current question."

Extended context — MemProcFS directory layout and analytical depth tradeoffs

MemProcFS exposes much more than running processes. Under the mount point there are top-level folders for name/ (processes by image name), pid/ (processes by PID), sys/ (system information — handles, objects, kernel modules, memory map), registry/ (all loaded registry hives as a navigable tree), misc/ (process tree as a text file, network connections as a text file, web history extracted from browser processes, and more), and forensic/ (specialised forensic extraction modules including YARA scanning, PE reconstruction, and credential extraction). The filesystem model means every one of these appears as browsable folders; the investigator discovers what's available by navigating rather than by reading plugin documentation.

The cost of this model is that MemProcFS's analytical depth on any single artefact is shallower than Volatility 3's dedicated plugin. M:/forensic/malfind/ lists candidates for injected code but in less detail than vol ... windows.malfind. M:/registry/ exposes the hives but the structured registry-timestamp analysis is better in Volatility 3. The optimal workflow uses MemProcFS for fast initial orientation (what's in this image, what looks interesting, which processes warrant deep analysis) and switches to Volatility 3 for the deep analysis phase.

When each tool is correct

The decision between Volatility 3 and MemProcFS rarely comes down to "which is better." It comes down to "which is better for this question." Four patterns cover most investigations.

Use Volatility 3 when the question is specific and structured. "Extract all injected code from the image." "Reconstruct the PE of the DLL at virtual address 0x7ff8a2100000." "Dump the handle table for PID 4872 and parse the file handles." These are plugin-shaped questions with plugin-shaped answers. The output is saveable to CSV, forms part of the documentation record, and produces exactly the structural depth the later phases of the investigation need.

Use MemProcFS when the question is exploratory or filesystem-shaped. "What's in this memory image?" "Browse the process tree and open anything interesting." "Show me this process's open file handles — just let me see them, don't dump them." These are browse-shaped questions. MemProcFS gets you to the answer faster because you don't need to know the plugin name in advance.

Use both in parallel when the investigation is multi-phase. MemProcFS mounted in one window for quick orientation; Volatility 3 running in another window for dedicated analysis tasks. The two tools share no state — both operate on the same read-only image — so running both simultaneously is safe. Many senior practitioners work this way by default: MemProcFS for "what about..." questions, Volatility 3 for "now dump this specific region..." tasks.

Use Volatility 3 exclusively when the output needs to be reproducible documentation. MemProcFS sessions are interactive and stateful; you cannot easily record what you did as a replayable script. Volatility 3 commands are exactly the reverse — every analysis is a command-line invocation that can be captured, replayed, and cited in the case record. For investigations heading for court, regulatory review, or HR proceedings, Volatility 3's command-line-first approach gives you the audit trail. MemProcFS is still valuable for exploration during those investigations, but the final documented analysis should use Volatility 3 commands whose output is captured as evidence files.

Guided Procedure — Run the same question against both tools and compare

The point of running Volatility 3 and MemProcFS against the same question isn't redundancy — it's confirming both tools are installed correctly and producing coherent output. This procedure uses a single question (list processes in a memory image) to exercise both tool pipelines end to end. Paper-based: the synthetic output below represents what each tool would show against a clean Windows 11 capture.

Step 1 — Run `windows.pslist` in Volatility 3. Against a clean Windows 11 image, execute `vol -f testimage.raw windows.pslist`. Volatility 3 walks the `ActiveProcessLinks` list, printing one row per process with PID, parent PID, image name, threads, handles, session, create time, and exit time.

Expected output: A tabular listing, roughly 80-150 rows on a typical Windows 11 endpoint. The table header reads `PID PPID ImageFileName Offset(V) Threads Handles SessionId Wow64 CreateTime ExitTime` and each row follows that shape. The output is structured for grep/awk downstream.

If it fails: Zero rows means Volatility 3 couldn't find the kernel — usually a symbol mismatch. Run `vol -f testimage.raw windows.info` to confirm the OS was identified; if `KernelFileVersion` is blank, the symbol download failed (check internet access) or the build is newer than the installed symbol pack (`pip install --upgrade volatility3`).

Step 2 — Mount the same image in MemProcFS. Execute `MemProcFS.exe -device testimage.raw` on Windows (or the Linux equivalent with FUSE). MemProcFS prints a banner showing OS detection, kernel base, and the mount point (typically `M:\` on Windows). Leave it running in its own terminal.

Expected output: MemProcFS banner reports successful OS detection matching Step 1's Volatility output, with a drive letter / mount point assigned. Control returns to you at the MemProcFS prompt; the mount persists while that terminal stays open.

If it fails: If MemProcFS reports "unsupported OS" or prints garbled banner fields, the image is either corrupt or the MemProcFS version predates the Windows build. Re-verify the acquisition hash; update MemProcFS from the GitHub releases page if the hash matches.

Step 3 — Browse to the process list in MemProcFS. In a second terminal, `dir M:\name\` (or the equivalent ls on Linux). The folder contains one subdirectory per running process, named `-`. The count should roughly match Volatility 3's Step 1 row count.

Expected output: Folders like `System-4`, `svchost.exe-832`, `explorer.exe-4104`, etc. Folder count within 5-10 of the Volatility 3 pslist count — small discrepancies are expected (MemProcFS includes terminated-but-not-yet-reaped processes that pslist filters out).

If it fails: Empty folder means MemProcFS mounted but didn't parse the process list. Most commonly this means the image was acquired incorrectly (partial capture). Check MemProcFS's banner from Step 2 for parse warnings; if it reported "successful" but `name\` is empty, re-acquire the image.

Step 4 — Spot-check one process across both tools. Pick any PID from Volatility 3's Step 1 output, say PID 832. In MemProcFS, navigate to `M:\pid\832\` and list the folder. You should see `name.txt`, `cmdline.txt`, `handles/`, `modules/`, `vmem/`, and others. Open `cmdline.txt` — its contents should match what `vol -f testimage.raw windows.cmdline --pid 832` reports in Volatility 3.

Expected output: Both tools report the same command line for the same PID. The exact string format matches between them — MemProcFS's `cmdline.txt` is literally the command-line buffer from the PEB, which is what Volatility 3's `windows.cmdline` reads.

If it fails: If the strings differ between tools, something is wrong with one of them. Most commonly it's symbol drift in Volatility 3 (MemProcFS reads raw kernel structures directly; Volatility 3 uses symbol-named field offsets that can drift if the symbol pack is out of date). Update Volatility 3's symbols and re-run Step 1.

With both tools producing coherent output for the same image, the workstation is ready for course exercises. Volatility 3 handles the structured-query workflow; MemProcFS handles the exploratory-browse workflow. Real investigations typically run both in parallel on the same image.

Decision Point

The situation. Your senior analyst asks for "a quick extract — what's interesting in that image — I need to brief the CISO in 40 minutes." You have both tools installed. The tempting choice is to reach for MemProcFS because it's faster for "what's interesting" questions — mount the image, browse the process tree, click into the suspicious process, open its handles, show the analyst what you find.

The choice. MemProcFS for speed, Volatility 3 for documented commands, or both in a mixed workflow.

The correct call. Ask first where the brief ends. For an internal note that never leaves the IR team, MemProcFS alone is fine — explore, screenshot what matters, write the note. For an executive summary the CISO might file internally, produce the answers in MemProcFS but reproduce the key findings with Volatility 3 commands so the documentation record contains reproducible commands alongside the screenshots. For a report heading for the incident register (logged, retained, potentially disclosed), use Volatility 3 from the start — every finding should have a cited vol -f ... command as the evidence source, and MemProcFS exploration is documented as "orientation, not reportable findings."

The operational lesson. Time pressure doesn't change the rule; it changes the narrative you give back. "40 minutes with a reportable output means I'll show you MemProcFS findings with Volatility 3 corroboration for the three things that actually matter; everything else stays in exploration mode." The senior analyst gets the brief they need, the record gets the reproducibility it needs, and you haven't silently downgraded the documentation standard under time pressure.

Compliance Myth: "Use Volatility 2 if you find a tutorial for it — the tool is the same"

The myth. Volatility 2 and Volatility 3 both analyse memory images. The fundamentals are the same. A tutorial for V2 can be followed with V3 just by adjusting the syntax. Most memory analysis techniques work on either version.

The reality. Volatility 2 has been in maintenance-only status since 2020. It receives no new plugins, no new OS version support, and no new features. Any tutorial written for V2 is at best five years out of date on the attacker techniques and operating system versions it covers.

The plugin names, command syntax, profile system, and output format are different between V2 and V3 — not superficially different, but architecturally different. A practitioner who follows a V2 tutorial on a V3 installation either hits errors immediately (the command syntax doesn't parse) or, worse, hits silent behaviour mismatches where the V3 plugin with a similar name does something subtly different.

V3 is the tool currently maintained, and V3 is what this course teaches. The 2026 reality is that the majority of top-ranked search results for "volatility tutorial" still point to V2-era material because that material accumulated pagerank over a decade. Ignore it. The authoritative V3 documentation is at volatilityfoundation.github.io/volatility3/, and any training material written since 2021 that uses --profile rather than auto-symbol-resolution is teaching from outdated foundations.

MF0.6 — WinDbg for Memory Forensics. Volatility 3 and MemProcFS handle routine analysis; WinDbg handles the cases where you need to validate kernel structures independently. MF0.6 covers when WinDbg is the right tool, how to load a memory image into it, and the minimum command set for structure-level validation of Volatility findings in reports that will face adversarial review.

Try it — Verify both tools operate coherently against the same image

Setup. Install Volatility 3 via pip install volatility3 into a fresh Python virtualenv. Install MemProcFS from the ufrisk/MemProcFS GitHub releases page (Windows) or from your package manager / source build (Linux). Pick a small test image — capture your own workstation with WinPmem if nothing else is available, or use any memory sample from the Volatility Foundation or your own Target-Win clean baseline.

Task. Run three checks. (1) vol -f testimage.raw windows.info — confirm the OS identification resolves correctly and the KernelFileVersion field is populated. (2) vol -f testimage.raw windows.pslist | head -20 — confirm the process listing returns rows. (3) Mount the same image with MemProcFS (MemProcFS.exe -device testimage.raw on Windows, or memprocfs -device testimage.raw -mount /mnt/mem on Linux), navigate to the pid/ folder, and open any process's folder to see its structure exposed as files.

Expected result. Volatility 3's windows.info identifies the OS with a populated kernel version. windows.pslist returns a tabular listing with headers and rows. MemProcFS mounts without warnings and the pid/ folder contains one subfolder per running process, each with name.txt, cmdline.txt, handles/, and related per-process files accessible as normal filesystem entries.

If your result doesn't match. If windows.info hangs on "downloading symbols," internet access is blocked or the workstation is air-gapped — see the extended artifact footer for the pre-staging procedure. If windows.pslist returns zero rows, Volatility 3 couldn't locate the kernel (check KernelFileVersion from windows.info). If MemProcFS reports "unsupported OS" or shows empty pid/ folders, the image is either corrupt (re-verify acquisition hash) or the MemProcFS version predates support for the target Windows build (update from the GitHub releases page).

Checkpoint — before moving on

You should be able to do the following without referring back to this sub. If you can't, the sections to re-read are noted.

1. State one structural difference between Volatility 2 and Volatility 3 that changes how plugin invocations are written, and give the V3 equivalent of a V2 `--profile=Win10x64_19041` argument. (§ Volatility 3's architecture)

2. Explain in one sentence why MemProcFS's filesystem-view model fits exploratory triage better than Volatility 3's plugin model. (§ MemProcFS's model)

3. Given an analytical question, decide which tool (Volatility 3, MemProcFS, or both) fits it best. Example: "produce an evidence archive of every injected DLL in the image." (§ When each tool is correct)

Operational Artifact — Tool Selection Decision Matrix

Choose between Volatility 3 and MemProcFS by matching the analytical question to the tool's model. Five recurring question patterns cover most investigations; each maps to a specific tool or combination.

"Run a specific known analysis on this image." Use Volatility 3. Examples: "dump all injected code," "list all TCP connections owned by PID X," "extract credentials from LSASS." Output is structured, scriptable, and captures cleanly into the case record.

"What's in this image, what looks interesting?" Use MemProcFS. Examples: "browse the process tree," "see what PowerShell was doing," "skim open handles across all processes." The filesystem-view model gets you to orientation faster than looking up plugin names in advance.

"Continue investigation across multiple phases." Use both. MemProcFS for fast exploration between analysis tasks; Volatility 3 for the tasks themselves. Running both simultaneously against a read-only image is safe.

"Produce documented evidence for a case record." Use Volatility 3. Command-line invocations are reproducible and capturable; MemProcFS sessions are interactive and less auditable. Use MemProcFS during exploration and Volatility 3 for the final evidence commands that will appear in the report.

"Teach a junior analyst memory analysis basics." Start with MemProcFS for exploration, then transition to Volatility 3 for structural depth. The filesystem model flattens the initial learning curve; the plugin model provides the analytical depth for real investigations.

Extended reference — symbol management, empty-output diagnosis, and air-gapped analysis

Volatility 3 plugin returned no output. Three common causes. First, profile mismatch on an uncommon Windows build: check vol -f image windows.info to confirm the OS was identified; if symbols didn't resolve, the plugin silently returned empty. Second, a genuinely empty result — the plugin ran correctly but there were no matching objects (no injected code, no network connections, no hidden processes). Third, an incorrect plugin for the target OS: running windows.pslist on a Linux image produces empty output because Linux images have no EPROCESS structures. Confirm OS with vol -f image windows.info or vol -f image linux.info before troubleshooting further.

MemProcFS mounted but directories are empty or partial. The image was acquired incorrectly (partial capture, wrong file format) or the MemProcFS version predates support for the target OS build. Check MemProcFS's banner at mount time — it prints OS detection and version info, plus warnings about anything it couldn't parse. If detection succeeded but folders are empty, re-verify the acquisition hash against the acquisition record.

Air-gapped workstation and Volatility 3 hangs on "downloading symbols". Pre-stage the symbol cache. Run the analysis once on a connected system to populate the local cache, then copy the cache folder (~/.cache/volatility3/ on Linux, %LOCALAPPDATA%\volatility3\ on Windows) to the air-gapped workstation. Volatility 3 will use cached symbols without attempting the download. Alternative: run a local symbol server on the air-gapped network that mirrors Microsoft's symbol server for the Windows builds your organisation encounters. V3's PDB-SERVER.md reference documents this workflow explicitly.

Symbol cache behaviour. A typical .volatility3 cache folder accumulates a few hundred megabytes of symbols after analysing a dozen Windows images. Windows symbols come from Microsoft's public server (msdl.microsoft.com). Linux symbols come from dwarf2json conversion of the kernel's debug package, obtained for the exact kernel version. The cache is per-workstation and portable — copy it between workstations to share the download cost.

V2 migration gotchas. Tutorials using --profile=Win10x64_19041 are for Volatility 2. V3 has no --profile argument; it auto-detects. Invocation format changes from volatility -f image --profile=X pslist (V2) to vol -f image windows.pslist (V3). If a tutorial uses the binary name volatility (not vol), .py plugin references, or mentions downloading profile packs, it's V2-era material — find V3-specific documentation at volatilityfoundation.github.io/volatility3/.

An NE incident response engagement has three parallel analysis tasks on the same memory image from NE-FIN-014: (1) Investigator A is exploring the image for the first time, trying to orient herself to what processes are running and which look unusual; (2) Investigator B has been asked to dump every injected code region from the image and produce an evidence archive for legal; (3) Investigator C is writing a detailed investigation report that will be submitted to the CISO, and needs command-level records of every analysis step performed. Which tool (Volatility 3, MemProcFS, or both) is most appropriate for each investigator, and why?

All three investigators should use Volatility 3 exclusively. MemProcFS is a newer tool with less mature plugin coverage and should be avoided for serious work. Volatility 3's plugin library covers everything the investigators need.

All three investigators should use MemProcFS. Its filesystem model is more intuitive than Volatility 3's plugin system, and any investigation that can be performed with Volatility 3 can also be performed with MemProcFS. The filesystem model also makes collaboration easier since multiple investigators can mount the same image.

Investigator A (exploratory orientation) is best served by MemProcFS — the filesystem-view model lets her browse the image's process tree, open handles, and memory regions without needing to know plugin names in advance; the model matches her exploratory task. Investigator B (dump every injected code region as evidence) is best served by Volatility 3 — the task is specific and structured (windows.malfind and windows.vadinfo --dump), the output goes into an evidence archive that must be reproducible, and the plugin model produces exactly the structured output the task requires. Investigator C (investigation report with command-level records) needs Volatility 3 for the evidence-bearing analysis commands (each command and its output becomes part of the report's methodology appendix) but may use MemProcFS alongside during exploration; the final documented analysis uses Volatility 3 commands whose output was captured to files.

Investigator A should use Volatility 3 since orientation requires running every standard plugin to see what's in the image; Investigator B should use MemProcFS since browsing to the injected code regions is faster than running windows.malfind; Investigator C should use whichever tool they prefer since both produce equivalent output.

You've set up the lab and captured your first clean baselines.

MF0 built the three-VM lab and established the memory forensics landscape. MF1 taught acquisition with WinPmem and LiME, integrity verification, and chain of custody. From here, you execute attacks and investigate what they leave behind.

8 attack modules (MF2–MF9) — process injection, credential theft, fileless malware, persistence, kernel drivers, Linux rootkits, timeline construction, and a multi-stage capstone
You run every attack yourself — from Kali against your target VMs, then capture memory and investigate your own attack's artifacts with Volatility 3
MF9 Capstone — multi-stage chain (initial access → privilege escalation → credential theft → persistence → data staging), three checkpoint captures, complete investigation report
The lab pack — PoC kernel driver and LKM rootkit source code, setup scripts, 21 exercises, 7 verification scripts, investigation report templates
Cross-platform coverage — Windows and Linux memory analysis in one course, with the timeline module integrating evidence from both

Unlock with Specialist — £25/mo See Full Syllabus

Cancel anytime

← Previous Next →