In this module

MF0.6 WinDbg and the Kernel Debugger Perspective

Module 0 · Free

What you already know

From MF0.5 you know Volatility 3 and MemProcFS — the analyst's daily-driver tools. What you don't know yet is when to reach for WinDbg, the Microsoft kernel debugger, as the third tool in the kit. It's not a replacement for either, and it's not the tool for routine investigations. But for high-stakes reports where adversarial review is likely, WinDbg is often the tool that takes a Volatility finding from "plausible" to "independently verified."

Operational Objective

WinDbg is Microsoft's kernel debugger. It is not a memory forensics tool, but it is the tool memory forensics practitioners reach for when Volatility 3 and MemProcFS can't answer the question — when a kernel structure needs to be examined at the debugger level, when a rootkit is manipulating the structures Volatility 3 reads, when a novel technique needs reverse-engineering, or when expert testimony requires showing the raw kernel object rather than a plugin's interpretation of it.

Most practitioners never learn WinDbg for memory forensics because institutional training treats it as a separate specialism — something kernel developers use, not something DFIR practitioners need. This leaves a gap: the investigator who hits a case Volatility 3 can't fully explain has no fallback, and hands the case to someone else or proceeds without the evidence WinDbg would have revealed.

This subsection introduces WinDbg at the level a memory forensics practitioner needs. Not the kernel developer's level, not the exploit developer's level — the narrow, task-specific command set used to validate Volatility findings, examine kernel structures directly, and perform the structural analysis that rootkits defeat at the plugin level but not at the debugger level. The practitioner who completes this subsection has a fourth tool (after Volatility 3, MemProcFS, and their own eyes on hex bytes) for the cases where the first three aren't enough.

Deliverable: Understanding of WinDbg's role in memory forensics (validation, not primary analysis), the three categories of question where WinDbg adds value over Volatility 3, the minimum command set for kernel structure analysis (!process, dt, !pool, !poolfind, u, db, !for_each_process), how to load a memory image as a dump file for post-mortem analysis, the symbol-resolution workflow that WinDbg requires, and when to pick WinDbg versus Volatility 3 for a given structural question.

Estimated completion: 35 minutes

Three question categories where WinDbg is the correct memory forensics tool. For the 80% of analysis questions that don't fall into these categories, Volatility 3 is faster and produces better-documented output. WinDbg earns its place on the decisive 20%.

WinDbg is a debugger, not a memory forensics tool. It was designed for live kernel debugging — attaching to a running Windows system over a serial cable, USB, or network, pausing execution, examining state, resuming. Memory forensics practitioners use it in a different mode: post-mortem analysis of a crash dump or memory image, examining the recorded state without any debugged system attached. In this mode, WinDbg is slower, less automated, and less forensically structured than Volatility 3 — which is why it's not the primary memory forensics tool. But it has access to something Volatility 3 doesn't: Microsoft's authoritative kernel structure definitions, loaded symbols from the public symbol server, and the debugger's own structure-dumping commands that work on every Windows version Microsoft has ever shipped.

For most memory forensics questions, that matters less than you'd think. Volatility 3 uses the same Microsoft symbols — when it parses an EPROCESS, it's using the same structure definition WinDbg would show. The difference is that Volatility 3 presents the parsed result as structured plugin output, while WinDbg shows you the raw structure at the debugger level. Most of the time, the Volatility 3 presentation is what you want: it's easier to read, it fits into the documentation workflow, and it covers 80% of investigation questions. WinDbg is for the 20% where you need to look at the structure itself rather than a plugin's view of it.

Extended context — professional-community split and this course's WinDbg scope

The historical separation between "memory forensics" and "kernel debugging" is more about professional communities than technical difference. Kernel developers at Microsoft, driver developers, exploit developers, and blue-team reverse engineers grew up using WinDbg for live-system analysis. DFIR practitioners grew up using Volatility (2 then 3) for memory image analysis. The two communities had overlapping but distinct tools and vocabulary, and training programmes split along those lines. In reality, both communities examine the same kernel structures using the same Microsoft-provided symbols — and a practitioner who learns both can move between communities without friction.

The practical consequence for this course: WinDbg is treated as a supplementary tool for the specific cases where it's needed, not as a parallel memory forensics framework. MF6 (Windows Credentials and Kernel-Level Threats) uses it for rootkit investigation because rootkits specifically target the plugin-accessible structures and leave the debugger-accessible structures as the fallback. MF0.6 — this subsection — introduces the minimum command set for that eventual use.

WinDbg's role — validation, not primary analysis

Three categories of memory forensics question make WinDbg the correct tool. The first is structure validation — the investigator has a Volatility 3 finding that will form a decisive claim in the case report, and wants to confirm the underlying structure by examining it at the debugger level. The use pattern is "I found X with Volatility 3; I validated X with WinDbg; the finding is supported by both methods." Under expert testimony, the ability to say "I did not rely solely on the plugin's interpretation; I examined the EPROCESS structure myself using the Microsoft kernel debugger and confirmed the field values" produces a stronger methodology defence than "I ran the plugin and trusted its output."

The second category is rootkit analysis — specifically, rootkits that manipulate the structures Volatility 3 reads. A rootkit that unlinks its process from the active process list might still be visible in the pool allocator; Volatility 3's windows.psscan catches this class. But a more sophisticated rootkit that also manipulates pool headers, unlinks driver objects, or hooks the kernel callback chains in ways that Volatility 3's plugins don't check may be invisible to plugin-based analysis. At that point, the investigator reaches for WinDbg's structural commands to walk the kernel manually — !poolfind, !process 0 7, !callbacks, u on suspicious function pointers — and finds what the plugin missed. This is covered in depth in MF6 and MF8; for MF0, the key point is that WinDbg is the fallback when a rootkit is suspected.

The third category is structure reverse-engineering — the investigator encounters a memory artefact that doesn't match any known structure, or a novel malware technique that manipulates kernel objects in ways current plugins don't detect. WinDbg's dt command dumps any structure Microsoft has published symbols for, with all fields and types; dt -r recursively dumps nested structures. For a novel technique, the investigator uses dt to understand the structure, confirms their understanding against test cases, and writes the documentation that informs the next Volatility plugin (or their own custom analysis).

Outside these three categories, Volatility 3 is the better tool. If the question is "enumerate the processes," use vol ... windows.pslist. If the question is "extract injected code," use vol ... windows.malfind. If the question is "what's this image's network connections," use vol ... windows.netscan. WinDbg can answer these questions but more slowly and with less structured output. The decision is not "WinDbg or Volatility 3" as if they compete — it's "Volatility 3 for most questions, WinDbg for the three categories above."

Loading a memory image in WinDbg

WinDbg treats a memory image as a crash dump file, even if no crash occurred. The practitioner opens the image via File → Open Crash Dump (or the command-line equivalent windbg -z NE-FIN-014-mem.raw). WinDbg then attempts to identify the OS version and kernel build, and loads symbols from the configured symbol path.

Symbol configuration is a one-time setup. The standard symbol path points to Microsoft's public symbol server with a local cache: SRVC:\Symbolshttps://msdl.microsoft.com/download/symbols. This tells WinDbg to download missing symbols from Microsoft's server and cache them locally. Setting this is File → Symbol File Path in the GUI or .sympath SRVC:\Symbolshttps://msdl.microsoft.com/download/symbols at the command line. After setting it, .reload /f forces symbol resolution for the loaded dump. Without symbols, most WinDbg commands produce unusable output (raw addresses without structure interpretation); with symbols, the commands show field names, function names, and typed values.

Once the image is loaded and symbols resolved, WinDbg presents a command-line interface. Commands fall into three categories: built-in commands (starting with .), meta-commands (starting with !), and expression evaluation. Built-in commands control the debugger itself — .reload, .sympath, .help. Meta-commands run predefined analysis sequences — !process, !pool, !poolfind, !callbacks, !for_each_process. Expression commands evaluate addresses, structures, and memory reads — dt, db, u, ?. For memory forensics, meta-commands and expression commands do most of the work.

The minimum command set

Six commands cover 90% of what memory forensics practitioners need from WinDbg. Each has a dedicated purpose and a standard invocation.

!process 0 0 — lists all processes in the image. The two zeros mean "all processes" and "minimum detail." Roughly equivalent to Volatility 3's windows.pslist. Produces a walkable reference with EPROCESS address, PID, image name, and parent PID.

!process

7 — dumps detailed state for a specific process. The 7 is a detail-level flag (include handles, VAD, thread information). Useful after !process 0 0 has identified the process of interest. Takes longer than windows.cmdline or windows.dlllist because it dumps everything; the trade-off is getting the full structural view in one command.

dt nt!_EPROCESS

— dumps the EPROCESS structure at the given address using the symbol-resolved field definitions. Every field of the structure appears with its name, offset, and value. This is the command that validates a Volatility 3 process finding: the plugin reports a process; dt shows the exact bytes the plugin parsed. Recursive variant dt -r nt!_EPROCESS

also dumps all nested structures (the PEB, the token, the handle table).

dt -l ActiveProcessLinks.Flink nt!_EPROCESS

— walks the active process list from a starting EPROCESS by following the ActiveProcessLinks.Flink pointer. Useful for seeing the linked-list structure directly; also useful for detecting DKOM where the list has been manipulated.

!pool

— reports the pool allocation that contains the given address. Returns the pool tag (four-character identifier like Proc for processes, Thre for threads), the pool header, and the size. Essential for confirming whether an address points into a legitimate allocation or into reclaimed memory.

!poolfind — scans the pool for every allocation matching the given tag. For example, !poolfind Proc finds every process pool allocation in the image, including DKOM-hidden processes that don't appear in the active list. Roughly equivalent to Volatility 3's windows.psscan but operating directly on the pool rather than through a plugin.

Two supporting commands complete the minimum set. u

disassembles memory at the given address — useful for examining suspected kernel hooks (disassemble the hooked function pointer's target and see whether it points to legitimate kernel code or to malicious code injected into the pool). db

L dumps raw bytes at the given address for length bytes — useful for seeing the actual memory content when structured interpretation is unclear or when looking for strings.

Extended context — WinDbg command set beyond the minimum and reference sources

WinDbg has hundreds of commands beyond this minimum set. !thread, !handle, !object, !address, !vad, !drvobj, !callbacks, !teb, !peb — all valuable for specific investigations. The minimum set above is deliberately narrow because the goal at MF0 is to make WinDbg a usable fallback, not to make the practitioner a WinDbg expert. MF6 expands the command set for Windows kernel and rootkit investigation; MF8 covers the Linux equivalent using the crash utility rather than WinDbg (Linux kernel debugging has its own ecosystem).

The official WinDbg reference is Microsoft's documentation at learn.microsoft.com/en-us/windows-hardware/drivers/debugger/. The informal reference most practitioners actually use is Mark Russinovich and David Solomon's "Windows Internals" book series, whose kernel-structure discussions map directly onto the dt commands for each structure they describe.

Worked example — validating a Volatility 3 finding in WinDbg

Consider a worked example. An investigation on NE-FIN-014 has produced a decisive finding: PID 4872 (a suspicious PowerShell) has an RWX memory region at virtual address 0x7ff8a2100000 containing a PE header. Before this finding goes into the CISO report, the investigator validates it in WinDbg — the report will claim the investigator examined the kernel structure directly, not just ran a plugin. The validation takes two WinDbg commands.

0: kd> !process 0 0 powershell.exe
PROCESS ffff8e03a7c42080
    SessionId: 1  Cid: 1308    Peb: 7ffda4230000  ParentCid: 107a
    DirBase: 1ad842001  ObjectTable: ffff9a0287e5c5c0  HandleCount: 412.
    Image: powershell.exe

PROCESS ffff8e03b24f3100
    SessionId: 1  Cid: 1308    Peb: 7ffdb0f20000  ParentCid: 1076
    DirBase: 14ae29001  ObjectTable: ffff9a0288a21600  HandleCount: 527.
    Image: powershell.exe

EPROCESS Address    PID (Cid)    Parent PID    Image           Match?
ffff8e03a7c42080    0x1308 4872  0x107a 4218   powershell.exe  Yes — PID 4872, WINWORD parent 4218
ffff8e03b24f3100    0x1308 4872  0x1076 4214   powershell.exe  No  — different parent, likely unrelated

WinDbg Output — !process 0 0 powershell.exe (filtered to match)

EPROCESS address identified. WinDbg lists two powershell.exe processes in the image. Matching against the Volatility 3 finding (PID 4872, parent PID 4218 = WINWORD.EXE), the relevant EPROCESS is at kernel address ffff8e03a7c42080. Note the address is in kernel space (starts with ffff8...), consistent with EPROCESS living in kernel memory. This address is what the next validation command operates on.

0: kd> dt nt!_EPROCESS ffff8e03a7c42080 UniqueProcessId ImageFileName VadRoot CreateTime
   +0x440 UniqueProcessId  : 0x00000000`00001308 Void
   +0x5a8 ImageFileName    : [15]  "powershell.exe"
   +0x7d8 VadRoot          : _RTL_AVL_TREE
   +0x2d0 CreateTime       : _LARGE_INTEGER 0x01DC4F7E`C3A71B40

Field             Offset    Value                              Volatility 3 agreement?
UniqueProcessId   +0x440    0x1308 (4872)                      Matches plugin output
ImageFileName     +0x5a8    "powershell.exe"                   Matches plugin output
VadRoot           +0x7d8    _RTL_AVL_TREE (AVL tree of VADs)   Root for VAD walk that malfind performed
CreateTime        +0x2d0    2026-03-15 08:42:47 UTC (decoded)  Matches plugin output exactly

WinDbg Output — dt nt!_EPROCESS (selected fields)

Validation complete. The EPROCESS structure at ffff8e03a7c42080 shows PID 4872, image powershell.exe, and CreateTime matching the Volatility 3 finding. The VadRoot field points to the AVL tree that windows.malfind walked to find the RWX region. The investigator can now state in the report: "The process finding was verified independently using the Microsoft kernel debugger WinDbg, which confirmed the EPROCESS structure at kernel address ffff8e03a7c42080 contains PID 4872, image name powershell.exe, and creation time 2026-03-15 08:42:47 UTC — consistent with the Volatility 3 plugin output." Under cross-examination, that language represents two independent validations (plugin and debugger) on the same structure, both agreeing. The finding survives the challenge.

Two commands, five minutes, transforms a plugin-dependent finding into a debugger-validated finding. For routine investigations, this validation isn't needed — Volatility 3's output is sufficient for internal reports. For investigations reaching legal proceedings, expert testimony, or high-stakes regulatory review, the validation changes the defensibility of the report.

Guided Procedure — Validate a Volatility 3 finding in WinDbg

The WinDbg-validates-Volatility workflow runs four steps: open the image in WinDbg, locate the EPROCESS for the PID of interest, walk the structure's fields, record the output. This procedure takes around five minutes on a finding you've already analysed in Volatility 3. Paper-based: the synthetic output below represents the four commands as they'd run against the worked example above (PID 4872 on NE-FIN-014).

Step 1 — Open the memory image in WinDbg. Launch WinDbg, `File → Open Crash Dump` (WinDbg treats raw memory images as crash dumps for analysis purposes), select the image file. Set the symbol path with .sympath SRV*C:\Symbols*https://msdl.microsoft.com/download/symbols (or your air-gapped symbol cache path), then .reload /f to force symbol load for the target build.

Expected output: Status bar shows "Debuggee is running" after open; `.reload /f` completes with a line like "Loaded 214 symbols". Prompt changes to `0: kd>`.

If it fails: "Unable to load image" usually means the symbol path isn't set. Re-run `.sympath` with the correct URL; confirm internet access or pre-staged cache. "No export dump in image" means the file isn't a valid memory image — verify acquisition hash.

Step 2 — Locate the EPROCESS by image name. Run !process 0 0 powershell.exe (substitute your target process's image name). The command walks the active process list and prints every matching EPROCESS with its kernel address, PID, parent PID, and image name.

Expected output: One or more PROCESS entries, each with a kernel address (starts ffff8...), Cid (the PID in hex), ParentCid, and image name. For PID 4872 / WINWORD parent 4218, the matching entry's kernel address is what you need for Step 3 — typically something like ffff8e03a7c42080.

If it fails: "No matching processes found" — the image name was mistyped, or the process had terminated before acquisition (WinDbg's active-list walk misses terminated processes; use Volatility 3's `windows.psscan` to confirm, then use the EPROCESS address from psscan as the Step 3 input).

Step 3 — Walk the EPROCESS structure. With the kernel address from Step 2, run dt nt!_EPROCESS <address> UniqueProcessId ImageFileName VadRoot CreateTime. This dumps the named fields from the EPROCESS structure at that address, with each field's offset, type, and value.

Expected output: Each field with `+0xNNN` offset, type name, and value. `UniqueProcessId` matches your Volatility 3 PID. `ImageFileName` matches the process name. `VadRoot` is the AVL tree root that `windows.malfind` walked. `CreateTime` decodes to the timestamp Volatility 3 reported (WinDbg shows the raw FILETIME value; use `.formats ` to decode).

If it fails: Garbage values (impossible PIDs, zero timestamps, empty strings) indicate the address from Step 2 isn't an EPROCESS — usually a typo. Re-run Step 2, copy the address carefully. Field names not recognised ("no type information") means symbols didn't load; re-run `.reload /f`.

Step 4 — Record the output for the report. Copy the exact WinDbg commands and output into the case file. The report's methodology appendix will cite this record: "WinDbg validation performed against memory image [hash]. Commands executed: [list]. EPROCESS at kernel address [address] contained PID [value], image name [value], create time [value]. Values consistent with Volatility 3 plugin output."

Expected output: Case file entry containing the two WinDbg commands, their output, and a brief prose summary of the validation. This entry is what opposing counsel reads if the finding is challenged.

If it fails: Not a failure mode — this is the documentation step. The discipline is contemporaneous recording; don't reconstruct the validation from memory after the investigation closes. If you didn't record at Step 4, the validation didn't happen for defensibility purposes.

Four commands, four records. The report that cites both Volatility 3 and WinDbg has two independent tool chains agreeing on the same structure — the exact pattern that survives adversarial review.

Decision Point

The situation. Volatility 3 has reported an EPROCESS with a reflectively-loaded PE at a specific VAD region. Your team lead asks the question you're going to face repeatedly in this career: "do we need WinDbg validation on this, or is Volatility 3's output enough?"

The choice. Accept Volatility 3's output as sufficient, or spend five minutes in WinDbg to produce independent structural verification before the finding goes into the report.

The correct call. The answer depends on one variable: where the report ends. For internal consumption — the SOC's running incident log, the post-incident review document, the knowledge-base entry — Volatility 3's output is enough; the methodology record states "Volatility 3 version X.Y.Z reported the following" and internal readers accept that. For any external-facing report with adversarial potential — employment tribunal, cyber-insurance claim, DPA/GDPR regulatory review, criminal proceedings — the plugin-only version is forensically thin. The opposing expert's opening argument writes itself: "the conclusion rests on a third-party plugin's output; the investigator did not independently verify the underlying kernel structures." WinDbg validation closes that opening.

The operational lesson. Make the decision at phase 4 analysis, not at phase 6 conclusion. The five-minute validation cost is the insurance premium for adversarial review, and the mistake practitioners make is deciding after the report is written — by then the investigation is closed and revisiting the image requires re-engagement. When a finding looks like it might go external, validate it now. Five minutes of WinDbg when you have the image open beats a scramble to re-validate under time pressure later.

Compliance Myth: "WinDbg is for kernel developers — DFIR practitioners don't need it"

The myth. WinDbg is a kernel debugger used by Windows kernel developers, driver developers, and exploit developers. It's outside the DFIR practitioner's toolset. Modern memory forensics tools (Volatility 3, MemProcFS) cover everything a DFIR practitioner needs. Learning WinDbg is overhead that doesn't pay back.

The reality. WinDbg is a kernel debugger. It is also the only tool that gives DFIR practitioners direct access to kernel structure definitions, Microsoft-authoritative symbol resolution, and the structural-walking commands that rootkits cannot hide from as reliably as they hide from plugin-based enumeration.

For 80% of DFIR work, you will not need WinDbg — Volatility 3 and MemProcFS cover the standard cases. For the 20% involving rootkit investigation, expert-witness-grade validation, or novel techniques that no plugin yet handles, WinDbg is the tool. The practitioner who dismisses it because it's "for kernel developers" is arguing that DFIR never hits rootkits, never testifies, and never encounters novel techniques — which is increasingly untrue in 2026 as attacker tradecraft moves into kernel space via eBPF, signed driver abuse, and kernel-level persistence.

The minimum command set in this subsection is six commands. Learning it takes an afternoon. The return is the ability to produce validated findings on the cases where validation matters.

MF0.7 — Evidence Reliability and Confidence. Knowing which tool produced a finding is half the defensibility picture. The other half is the tier you assign to the finding and the language you use to report it. MF0.7 establishes the three-tier confidence hierarchy (high / medium / low), the four reliability modifiers that determine tier assignment, and the reporting-language mapping from tier to claim strength.

Try it — Load a memory image in WinDbg and validate one Volatility 3 finding

Setup. Install the Debugging Tools for Windows (standalone package or via the Windows SDK's Debugging Tools optional component). Pick a Windows memory image you have already analysed with Volatility 3 — any image where you can identify one specific process to validate.

Task. Open WinDbg. Set the symbol path: .sympath SRVC:\Symbolshttps://msdl.microsoft.com/download/symbols, then .reload /f. Open the memory image via File → Open Crash Dump (or launch from command line with windbg -z image.raw). Wait for the initial symbol load. In a parallel window, run vol -f image.raw windows.pslist | head -10, pick any PID, and note its Offset(V) virtual address. In WinDbg, run !process 7 using that virtual address (not the PID). Follow with dt nt!_EPROCESS to dump the full structure.

Expected result. !process prints detailed process information — image name, PID, parent PID, threads, handles — and the image name and PID match what Volatility 3 reported. dt nt!_EPROCESS prints the structure fields with offsets and values; UniqueProcessId matches Volatility's PID, ImageFileName matches Volatility's image name. Two independent tool chains have agreed on the same kernel structure.

If your result doesn't match. If the initial symbol load hangs or .reload /f reports "no symbols loaded," internet access is blocked or the symbol server is unreachable — pre-stage the C:\Symbols cache on a connected workstation first and copy across. If !process reports "no matching processes found," the offset is wrong (use Offset(V) not PID). If field values look like garbage in dt nt!_EPROCESS, symbols didn't resolve for the exact Windows build — re-run .reload /f and confirm the build version matches what Volatility reported in windows.info.

Checkpoint — before moving on

You should be able to do the following without referring back to this sub. If you can't, the sections to re-read are noted.

1. State the three categories of memory-forensics question where WinDbg is the correct tool (as opposed to Volatility 3 or MemProcFS). (§ WinDbg's role)

2. Given a PID and image name, name the four-step workflow that validates a Volatility 3 finding in WinDbg and record the output for the case file. (§ Worked example + Guided Procedure)

3. Apply the decision rule: your investigation's finding of credential theft is going in an internal SOC report that won't leave the team. Does the finding need WinDbg validation? Justify the answer. (§ Decision Point)

Operational Artifact — WinDbg Memory Forensics Quick Reference

Use this reference when a WinDbg session is the right tool for a memory forensics question. It covers the one-time setup, image loading, and the minimum command set for validation work.

Initial setup, one-time. Set the symbol path to SRVC:\Symbolshttps://msdl.microsoft.com/download/symbols via File → Symbol File Path or the .sympath command. Ensure the local cache folder exists and is writable. For air-gapped workstations, pre-stage symbols by running a debug session on a connected workstation first, then copy the cache folder across.

Loading a memory image. Use File → Open Crash Dump in the GUI, or windbg -z on the command line. Run .reload /f after load to force symbol resolution.

Minimum command set for memory forensics — process enumeration. !process 0 0 lists all processes in the active list (equivalent to Volatility 3's windows.pslist). !process 0 0 filters by image name. !process 7 produces a detailed dump for a specific process (equivalent to windows.cmdline + dlllist + handles combined).

Minimum command set — structure inspection. dt nt!_EPROCESS dumps the EPROCESS structure with field-level detail. dt -r nt!_EPROCESS performs a recursive dump including nested structures.

Minimum command set — pool scanning. !poolfind scans the pool for allocations by tag (Proc, Thre, and similar; equivalent to windows.psscan). !pool identifies which pool allocation contains a given address.

Minimum command set — memory and kernel inspection. u disassembles memory at an address (for examining hook targets). db L produces a raw hex dump of the requested length. !callbacks lists kernel callback registrations (used in rootkit investigation, covered in depth in MF6).

Decision rule — when to use WinDbg. WinDbg is the right tool when the question falls into structure validation, rootkit analysis, or novel-technique reverse engineering. For all other memory forensics questions, Volatility 3 is faster and produces better-documented output.

Documentation discipline. When WinDbg is used for validation, record the specific commands and their output in the case file. The investigator's claim of independent validation requires the audit trail showing that validation occurred.

Extended reference — symbol-load failures, DKOM-aware enumeration, and WinDbg scripting

Symbol-resolution errors at image load. If every command shows Unable to load image... or symbol-resolution errors, the symbol path isn't configured. Run .sympath SRVC:\Symbolshttps://msdl.microsoft.com/download/symbols (adjust the local cache path as needed), then .reload /f. For air-gapped workstations, pre-stage symbols on a connected system first — run a dt nt!_EPROCESS command there to trigger symbol download, then copy the C:\Symbols folder to the analysis workstation.

Slow initial load. WinDbg pre-builds indexes over the image and downloads symbols on first open; larger images take several minutes before becoming responsive. Subsequent loads of the same image are much faster. For iterative analysis, leave WinDbg open with the image loaded rather than closing and reopening between commands.

DKOM-aware process enumeration. !process 0 0 walks the active process list, which is vulnerable to DKOM manipulation the same way windows.pslist is. For pool-based enumeration that catches DKOM-hidden processes, use !poolfind Proc instead. If the rootkit is sophisticated enough to also manipulate pool headers, neither method finds the hidden processes — at that point, comparing the structural differences between what !poolfind reports and what thread-scanning techniques reveal (covered in MF4/MF6) is the fallback.

Debugging Tools for Windows without the full SDK. The standalone "Debugging Tools for Windows" package — installable from Microsoft's site or as part of the Windows SDK's optional components — includes WinDbg with everything needed for post-mortem memory analysis. The full Windows SDK is only required if you're also building kernel drivers.

Scripting WinDbg. Execute a file of commands with $$>< scriptfile, or pipe commands from stdin. WinDbg also supports JavaScript-based scripting via the dx command system for more complex automation. For memory forensics, command-file scripting is usually enough — maintain a file of standard validation commands and apply it uniformly across cases. Volatility 3's scripting story is still more mature for repeated structured analysis, which is one reason WinDbg remains the fallback rather than the primary tool.

An investigator is handling an insider-threat case (an NE engineer suspected of credential theft, investigation heading to HR/legal proceedings). The investigator has extracted cached NTLM hashes from LSASS using Volatility 3's windows.hashdump plugin. The hashes match credentials that the engineer used to access systems they were not authorised for — this is a decisive finding. The engagement team is planning how to present the finding. Which approach is most appropriate?

Present the Volatility 3 output directly in the report. Volatility 3 is a widely-used open-source forensic tool; its output is automatically defensible. Additional validation with WinDbg is unnecessary overhead that would delay the report.

Validate the finding with WinDbg before presenting it. Load the memory image in WinDbg, locate the LSASS EPROCESS (!process 0 0 lsass.exe), dump the relevant structures (dt nt!_EPROCESS <addr> and examine the structures the hashes were extracted from), and record the WinDbg commands and output in the case file alongside the Volatility 3 output. The report can then state that the finding was verified through two independent methods — the Volatility 3 plugin and direct examination via the Microsoft kernel debugger. For an investigation heading to HR/legal proceedings, this validation changes the finding's defensibility under adversarial review, matching exactly one of the three categories where WinDbg is the correct tool (structure validation of decisive findings expected to face scrutiny).

Replace Volatility 3 with WinDbg and redo the entire credential extraction in the debugger. WinDbg is the authoritative tool for kernel-level memory analysis; using both is redundant. The report should present only the WinDbg output.

Present the finding with the Volatility 3 output and include a disclaimer that the credential extraction was performed with an open-source tool that has not been independently verified in this investigation. This gives opposing counsel transparency about the methodology's limitations.

You've set up the lab and captured your first clean baselines.

MF0 built the three-VM lab and established the memory forensics landscape. MF1 taught acquisition with WinPmem and LiME, integrity verification, and chain of custody. From here, you execute attacks and investigate what they leave behind.

8 attack modules (MF2–MF9) — process injection, credential theft, fileless malware, persistence, kernel drivers, Linux rootkits, timeline construction, and a multi-stage capstone
You run every attack yourself — from Kali against your target VMs, then capture memory and investigate your own attack's artifacts with Volatility 3
MF9 Capstone — multi-stage chain (initial access → privilege escalation → credential theft → persistence → data staging), three checkpoint captures, complete investigation report
The lab pack — PoC kernel driver and LKM rootkit source code, setup scripts, 21 exercises, 7 verification scripts, investigation report templates
Cross-platform coverage — Windows and Linux memory analysis in one course, with the timeline module integrating evidence from both

Unlock with Specialist — £25/mo See Full Syllabus

Cancel anytime

← Previous Next →