Sign In
In this module

MF1.9 Building the Evidence Library — Clean Baselines

6 hours · Module 1 · Free
What you already know

From MF1.1-1.8 you know how to capture, verify, assess, and document memory images from Windows and Linux systems. You've captured test images along the way. This sub is where you produce the two images that matter for the rest of the course: the clean Windows baseline and the clean Linux baseline. Every paid module's attack-capture-analyse loop compares the compromised image against these baselines to isolate what the attack changed.

Operational Objective

The paid modules in this course all follow the same loop: run a scripted attack from Kali against Target-Win or Target-Linux, capture memory before and after the attack, then analyse what the attack changed. The "what changed" question only has an answer if you know what the baseline looked like before the attack ran. That's what this sub produces.

A clean baseline isn't just "a capture from a VM with no malware." It's a captured, verified, smear-assessed, documented image from a VM in a known-good state — Windows updated, no unusual processes, no pending reboots, no lingering artifacts from previous exercises. The baseline is your forensic reference point. If the baseline is sloppy, every comparison against it inherits the sloppiness.

This sub walks you through producing both baselines to the standard MF1.6 established: full acquisition records, four structural checks, smear assessment, and a snapshot of the VM at the baseline state so you can revert to it before each module's attack.

Deliverable: Two documented baseline memory images (Target-Win and Target-Linux), each with a completed acquisition record, structural verification, and smear assessment. Two VM snapshots (one per target) at the clean-baseline state for revert-before-attack in MF2 onward. These four artifacts — two images and two snapshots — are the foundation every subsequent module depends on.

Estimated completion: 60 minutes (includes both captures and documentation)
BASELINE WORKFLOW — CAPTURE + SNAPSHOT + VERIFY CLEAN STATE Updated, idle, no artifacts SNAPSHOT VM Revert point for MF2+ CAPTURE + HASH Hypervisor suspend method VERIFY 4 checks + smear RESULT: 2 images + 2 snapshots + 2 acquisition records These four artifacts are the foundation for MF2-MF9. Every attack module starts with 'revert to baseline snapshot.'
Figure 1.9.1 — The baseline workflow produces paired artifacts: a memory image for analysis reference and a VM snapshot for state reversion. Both are created from the same clean state.

What makes a clean baseline state

This section defines "clean" precisely. A vague baseline produces vague comparisons.

A clean baseline state means the VM has been booted, has completed all startup tasks, has settled into an idle state, and has no artifacts from previous testing or course exercises. Specifically:

The operating system is fully updated. Windows Update has been run and no pending restarts exist. On Target-Linux, apt update && apt upgrade has completed. Pending updates add processes, services, and scheduled tasks that may or may not be present in later captures — which makes comparison noisy.

No user applications are running beyond the default session. On Target-Win, the desktop is logged in (you need a user session for the process tree to be complete) but no additional applications are open. On Target-Linux, the SSH session you used for maintenance is closed; the system is running its default service set and nothing else.

No artifacts from previous exercises remain. If you ran WinPmem earlier in the module, the WinPmem executable and output files are deleted. If you compiled LiME on Target-Linux, the build artifacts and kernel module file are deleted. The evidence directory is empty. The pagefile contains whatever the OS generated during normal operation, not remnants of your testing.

The system has been idle for at least two minutes after boot and login. Immediately after login, Windows runs a burst of scheduled tasks, Defender scans, and telemetry uploads. This burst lasts 1-2 minutes on a clean VM. Capturing during the burst produces a baseline with extra transient processes that won't appear in later captures (because the later captures happen after the burst completes). Wait for the burst to settle before capturing.

Producing the Windows baseline

This section is the operational procedure for Target-Win. By the end you have a verified .vmem file and a matching VM snapshot.

Step 1 — Prepare the clean state. Boot Target-Win. Log in. Open Task Manager and wait until CPU usage drops below 5% and disk activity stops (the post-login burst is over). Close Task Manager. Delete any files from previous exercises and verify no acquisition tools remain:

del /s /q C:\evidence\*
dir C:\winpmem*

The dir command should return "File Not Found" — no WinPmem binaries left on the VM.

Step 2 — Create the VM snapshot. In VMware Workstation: VM → Snapshot → Take Snapshot. Name it "MF1-clean-baseline" with a description "Clean Windows 11 baseline state for MF course. No malware, no testing artifacts, system idle post-login. Captured [date]." This snapshot is the revert point for every subsequent module.

Step 3 — Capture memory via hypervisor suspension. Follow the MF1.4 procedure: suspend the VM, copy the .vmem file to your evidence directory as target-win-clean-baseline.vmem, hash it immediately, resume the VM.

Step 4 — Complete the acquisition record. Fill in the MF1.6 template: operator (you), tool (VMware Workstation suspend), method rationale ("hypervisor suspension selected for maximum fidelity on baseline capture — zero smear, zero guest footprint"), target (Target-Win hostname, IP, Windows build), SHA-256 hash.

Step 5 — Run structural checks and smear assessment. The four structural checks from MF1.6 (size, profile, kernel address, process count) plus the three smear checks from MF1.7 (pslist/psscan cross-validation, thread-state consistency, timestamp span). Record all results in the acquisition record. A hypervisor-captured baseline should show zero smear indicators — if it shows any, the VM wasn't fully quiesced before suspension.

Producing the Linux baseline

Same procedure, different VM. By the end you have a verified LiME image and a matching VM snapshot.

Step 1 — Prepare the clean state. Boot Target-Linux. SSH in and run sudo apt update && sudo apt upgrade -y. Wait for the upgrade to complete. Delete any LiME build artifacts and evidence directory contents:

rm -rf ~/LiME
sudo rm -rf /evidence/*

Step 2 — Create the VM snapshot. Same as Windows: VM → Snapshot → Take Snapshot, named "MF1-clean-baseline-linux" with a description including the date.

Step 3 — Capture memory. Two options: hypervisor suspension (MF1.4 — preferred for zero smear) or LiME (MF1.3 — if you want to practice the LiME procedure). If using hypervisor suspension, the resulting .vmem file needs to be paired with a Volatility 3 Linux ISF for the target kernel. If using LiME, SSH back in and run the MF1.3 procedure.

Step 4 — Complete the acquisition record. Same template as Windows. Note the kernel version (uname -r output) — this is the value Volatility 3 needs to match against its symbol pack.

Step 5 — Run structural checks. Size check (file size matches RAM). Profile identification (vol -f image linux.banner). Process list sanity (vol -f image linux.pslist | wc -l — a clean Ubuntu 22.04 server runs 60-120 processes). Record all results.

Extended context — baseline drift and when to re-capture

Baselines drift over time. If you capture the Windows baseline today and don't start MF2 for three weeks, Windows Update will have changed the running kernel build, Defender definitions will have updated, and the process tree may include new services from the updates. The baseline image from three weeks ago no longer matches the current VM state — the comparison in MF2 will show "changes" that are just Windows updates, not attack artifacts.

The solution is the snapshot. Before each attack module, revert Target-Win (or Target-Linux) to the baseline snapshot. The reverted VM is in exactly the state it was in when you captured the baseline image. The comparison between the baseline image and the attack-modified capture is clean because both are from the same VM state.

If you can't revert to the snapshot for some reason (snapshot corrupted, VM rebuilt), re-capture the baseline from the current VM state and use the new baseline for subsequent modules. The old baseline images are still valid for their own analysis but shouldn't be compared against captures from a different VM state.

Guided Procedure — Produce both baseline images and document them

This procedure produces both baselines in one session. By the end you have four artifacts: two images and two snapshots.

Step 1 — Windows baseline. Boot Target-Win, log in, wait for idle, clean previous artifacts. Snapshot. Suspend, copy `.vmem`, hash. Resume. Run `windows.info` and `windows.pslist | wc -l`. Record everything in the acquisition record template.
Expected output: A `.vmem` file matching Target-Win's RAM size. `windows.info` shows valid Windows 11 profile. Process count is 80-150. Hash recorded. Acquisition record complete.
If it fails: Profile identification fails → Volatility 3 symbol pack needs updating. Process count under 50 → the VM wasn't fully booted when you suspended. Resume, wait for full boot, re-snapshot, re-capture.
Step 2 — Linux baseline. Boot Target-Linux, SSH in, update, clean artifacts, close SSH. Snapshot. Capture via hypervisor suspend or LiME. Hash. Run `linux.banner` and `linux.pslist | wc -l`. Record in the acquisition record template.
Expected output: A `.vmem` or `.lime` file matching Target-Linux's RAM size. `linux.banner` shows the Ubuntu 22.04 kernel version. Process count is 60-120. Hash recorded. Acquisition record complete.
If it fails: `linux.banner` fails → ISF missing for the kernel version. Generate with `dwarf2json` per MF1.3's af-extended reference. Process count under 30 → system wasn't fully booted. SSH in, check `systemctl list-units`, wait for all services to start, re-capture.
Step 3 — Verify both baselines are analysis-ready. Run one analysis command against each baseline to confirm end-to-end pipeline: `vol -f target-win-clean-baseline.vmem windows.pslist | head -5` and `vol -f target-linux-clean-baseline.lime linux.pslist | head -5`. Both should return process listings without errors.
Expected output: Both commands return tabular process listings. The Windows listing starts with System (PID 4). The Linux listing starts with systemd (PID 1) or a similar init process. No errors, no "unable to resolve" messages.
If it fails: Errors on Windows → re-run `windows.info` and check the symbol resolution. Errors on Linux → ISF issue (see MF1.3 af-extended). If one baseline works and the other doesn't, the problem is specific to that OS's symbol configuration, not a general Volatility 3 issue.
Decision Point

The situation. You're about to start MF2 (Process Injection). You took the baselines two weeks ago. Since then, you've been experimenting with Target-Win — installed a few tools, ran some test captures, browsed the web from the VM. The VM is no longer in a clean state. You have the MF1-clean-baseline snapshot available to revert to.

The choice. Start MF2 with the current (dirty) VM state and compare against the two-week-old baseline image. Or revert to the baseline snapshot first, which wipes your experimental changes but puts the VM back in the exact state the baseline image represents.

The correct call. Revert to the baseline snapshot. The entire point of the baseline is that the comparison is clean — the only difference between the baseline image and the attack-modified capture is the attack. If the VM has drifted since the baseline was captured, the comparison shows attack changes plus two weeks of experimental drift, and you can't tell which differences are which. Revert, confirm the VM matches the baseline state, then run the attack. Your experimental tools and test captures are gone, but they were temporary anyway — the baseline snapshot is the anchor.

The operational lesson. The snapshot is not a backup — it's a forensic reference point. Treat it the way you'd treat an evidence image: don't modify the VM state it represents. If you need to experiment between modules, do it after capturing the baseline snapshot, and revert before starting the next module's attack.

Compliance Myth: "Any capture of a clean system works as a baseline"

The myth. A baseline is just a capture of the VM before the attack runs. Boot the VM, capture immediately, done. The baseline doesn't need special preparation because it's only a reference point, not evidence itself.

The reality. A baseline captured from an unprepared VM state produces noisy comparisons that waste investigation time. A VM captured immediately after boot (before the post-login burst settles) has 20-30 transient processes that won't appear in later captures — every one of those "missing" processes shows up as a false difference in MF2's comparison. A VM with leftover artifacts from previous testing has files, registry keys, and process remnants that confuse the comparison with attack-generated artifacts.

The baseline needs the same preparation discipline as any other forensic capture: known-good state, settled system, no artifacts from other activities, documented and verified. The two minutes of preparation save hours of analysis noise in subsequent modules. Every false positive from a sloppy baseline is time subtracted from actual investigation work.

Next

MF1.10 — Interactive Lab: Baseline Capture and Analysis. The module's lab exercise brings everything together: capture both VMs, run foundational Volatility 3 commands against both baselines, and document the results as the reference state for the rest of the course.

Try it — Produce both baseline images and self-validate against MF1.6 acquisition record standard

Setup. Both VMs (Target-Win and Target-Linux) in clean states. VMware Workstation (or VirtualBox) with snapshot capability. Your analysis workstation with Volatility 3 installed.

Task. Execute the full Guided Procedure: produce both baselines, snapshot both VMs, run all structural checks and smear assessment on both images, complete acquisition records for both. Then self-validate: does each acquisition record contain every field from MF1.6's template? Are the four structural checks documented? Is the smear assessment recorded?

Expected result. Two completed acquisition records with all fields populated. Two memory images that pass all structural checks. Two VM snapshots named with the date and "clean-baseline" label. Both baselines parse in Volatility 3 without errors. The documents are the reusable templates for every capture you produce for the rest of the course and in production.

If your result doesn't match. If either baseline fails a structural check, re-capture from a fully settled VM state. If the acquisition record is missing fields, re-read MF1.6's template section and fill in the gaps. If you can't produce a Linux baseline because Volatility 3 can't parse the image, the ISF generation step from MF1.3 is the fix — generate the ISF before re-attempting.

Checkpoint — before moving on

You should be able to do the following without referring back to this sub. If you can't, the sections to re-read are noted.

1. State the four specific conditions that define a "clean baseline state" and explain why capturing immediately after login (before the post-login burst settles) produces a noisy baseline. (§ What makes a clean baseline state)
2. Name the four artifacts this sub produces (two images + two snapshots) and state what each one is used for in MF2 onward. (§ Objective + Guided Procedure)
3. Explain why you revert to the baseline snapshot before each module's attack rather than comparing against the baseline image from a drifted VM state. (§ Decision Point)
Operational Artifact — Baseline Readiness Checklist

Run this checklist before starting any paid module (MF2-MF9). It confirms the lab is in baseline state and ready for the module's attack.

VM state. Target-Win reverted to MF1-clean-baseline snapshot. Target-Linux reverted to MF1-clean-baseline-linux snapshot. Both VMs booted, logged in (Windows) or running (Linux), and settled (CPU idle, no pending updates).

Baseline images available. target-win-clean-baseline.vmem on the analysis workstation with recorded SHA-256 hash. target-linux-clean-baseline.lime (or .vmem) on the analysis workstation with recorded SHA-256 hash. Both verified via MF1.6 structural checks.

Analysis environment ready. Volatility 3 installed and updated (pip install --upgrade volatility3). ISFs available for both target OS versions. vol -f windows.info and vol -f linux.banner both return valid output.

Evidence directory prepared. /evidence/ (or C:\evidence\) empty and ready to receive the module's capture files. Acquisition record template copied and pre-filled with date and module reference.

Extended reference — baseline image management and long-term storage

Baseline image naming convention. target-win-clean-baseline-YYYYMMDD.vmem and target-linux-clean-baseline-YYYYMMDD.lime. The date suffix lets you maintain multiple baselines if you rebuild the VMs — the most recent baseline is the active one; older baselines are retained for reference but not used for new-module comparisons.

Storage requirements. Two baseline images: approximately 6 GB total (4 GB Windows + 2 GB Linux). Each paid module adds one or two attack-modified captures. By the end of MF9, the evidence library is approximately 30-40 GB. Compressible to roughly 40% of raw size with gzip or zstd. Store on a drive with at least 100 GB free to accommodate the full course evidence library without space pressure.

When to re-baseline. Re-capture the baseline if: you rebuild either VM (new OS install, different Windows build), you can't revert to the snapshot (snapshot corrupted or deleted), or Volatility 3's symbol pack updates in a way that changes how the baseline parses (rare but possible). Each re-baseline requires a new snapshot and a new acquisition record. Old baselines and records are retained for traceability but marked "superseded."

© 2026 Ridgeline Cyber Defence™ Ltd. Content may not be reproduced or redistributed. Worked artifacts may be adapted for use within your organization.

You've set up the lab and captured your first clean baselines.

MF0 built the three-VM lab and established the memory forensics landscape. MF1 taught acquisition with WinPmem and LiME, integrity verification, and chain of custody. From here, you execute attacks and investigate what they leave behind.

  • 8 attack modules (MF2–MF9) — process injection, credential theft, fileless malware, persistence, kernel drivers, Linux rootkits, timeline construction, and a multi-stage capstone
  • You run every attack yourself — from Kali against your target VMs, then capture memory and investigate your own attack's artifacts with Volatility 3
  • MF9 Capstone — multi-stage chain (initial access → privilege escalation → credential theft → persistence → data staging), three checkpoint captures, complete investigation report
  • The lab pack — PoC kernel driver and LKM rootkit source code, setup scripts, 21 exercises, 7 verification scripts, investigation report templates
  • Cross-platform coverage — Windows and Linux memory analysis in one course, with the timeline module integrating evidence from both
Unlock with Specialist — £25/mo See Full Syllabus

Cancel anytime

← Previous Next →