Sign In

TR1.5 Memory Acquisition: Tools, Techniques, and Verification

· Module 1 · Free
Operational Objective
The Memory Imperative: Memory is the single most valuable volatile artifact. It contains: every running process (including fileless malware that exists only in memory), every active network connection with its owning process, encryption keys for encrypted disks and communications, the attacker's decoded command buffers and C2 configuration, cached credentials (NTLM hashes, Kerberos tickets, SSH keys in agent memory), and the kernel's own state (loaded modules, system call table, process scheduler data). A memory dump captured within the first 15 minutes of triage preserves ALL of this. A memory dump captured after a reboot preserves NONE of it. This subsection teaches the exact tools, procedures, and verification steps for memory acquisition across all three environments.
Deliverable: Tool selection decision tree (WinPMEM vs AVML vs LiME), step-by-step acquisition procedures, output verification methodology, ISF/profile generation for Volatility3, and cloud-specific acquisition techniques.
Estimated completion: 35 minutes
MEMORY ACQUISITION — TOOL SELECTION PER ENVIRONMENTWINDOWSPrimary: WinPMEM (single .exe)Alt: Magnet RAM Capture, DumpItProfile: Volatility3 Windows ISF (auto-detected)LINUXPrimary: AVML (single static binary)Alt: LiME (kernel module, higher quality)Profile: ISF via dwarf2json or btf2jsonCLOUD / VIRTUALHyper-V: checkpoint + exportVMware: snapshot + .vmem fileAWS: no native RAM capture (use AVML)

Figure TR1.5 — Memory acquisition tool selection. Each environment has a primary tool (lowest friction, fewest dependencies) and alternatives. Cloud instances require guest-level tools (AVML/WinPMEM) because hypervisor-level capture is not available on public cloud.

Windows memory acquisition with WinPMEM

Six-step method — Windows memory capture:

What to look for: A complete copy of the system’s physical RAM containing all running processes, their memory contents, loaded DLLs, kernel data structures, and network state.

Where to find it: Physical RAM, accessible via a kernel driver that WinPMEM loads temporarily.

How to extract it:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11

# WinPMEM — pre-staged on triage USB at E:\tools\
# Run from elevated PowerShell (Administrator)
E:\tools\winpmem_mini_x64.exe E:\IR\%COMPUTERNAME%_memory.raw

# Expected output:
# WinPmem 4.0
# Loading driver...
# Driver loaded successfully.
# Acquiring memory: 16.0 GiB (17179869184 bytes)
# Progress: 100%
# Memory acquired successfully: E:\IR\DESKTOP-NGE042_memory.raw

How to interpret and verify the output:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10

# Verify dump size matches physical RAM
$dump = Get-Item "E:\IR\DESKTOP-NGE042_memory.raw"
$ram = (Get-CimInstance Win32_PhysicalMemory | Measure-Object -Property Capacity -Sum).Sum
Write-Host "Dump: $([math]::Round($dump.Length/1GB,2)) GB, RAM: $([math]::Round($ram/1GB,2)) GB"
# Acceptable: dump size within 90-100% of physical RAM

# Hash the dump for chain of custody
$hash = Get-FileHash "E:\IR\DESKTOP-NGE042_memory.raw" -Algorithm SHA256
$hash.Hash | Out-File "E:\IR\DESKTOP-NGE042_memory_hash.txt"
Write-Host "SHA256: $($hash.Hash)"

Critical: write the dump to EXTERNAL media (USB, network share), NOT the target system’s disk. Writing a 16 GB dump to the target’s C: drive overwrites 16 GB of unallocated disk space — potentially destroying deleted files that the investigation team could have recovered. The USB drive should be formatted with NTFS (FAT32 has a 4 GB file size limit — insufficient for memory dumps).

What WinPMEM captures that volatile triage commands cannot:

The ps and tasklist commands show the CURRENT process list at the moment they execute. A memory dump captures the process list PLUS: the full memory contents of each process (code, data, heap), the process environment block (PEB) containing loaded DLLs and environment variables, the kernel’s EPROCESS structure (including hidden processes that rootkits remove from the active process list), VAD (Virtual Address Descriptor) trees showing all memory regions (including injected code), and open handles (files, registry keys, network sockets, mutexes).

Volatility3 plugins extract this data from the dump: windows.pslist (process list), windows.pstree (parent-child relationships), windows.netscan (network connections with owning process), windows.malfind (injected code detection), windows.handles (open handles per process), windows.cmdline (full command lines), windows.dlllist (loaded DLLs per process), windows.hashdump (cached NTLM hashes from the SAM), and windows.lsadump (LSA secrets including service account passwords).

Linux memory acquisition with AVML and LiME

AVML (primary tool). Single static binary, no kernel module, no compilation required. Reads from /dev/crash or /proc/kcore.

1
2
3
4
5
6

# Pre-staged on triage USB
/mnt/usb/tools/avml /mnt/usb/IR/$(hostname)_memory.lime
# Verify
ls -lh /mnt/usb/IR/$(hostname)_memory.lime
free -h | grep Mem  # Compare sizes
sha256sum /mnt/usb/IR/$(hostname)_memory.lime > /mnt/usb/IR/$(hostname)_memory_hash.txt

LiME (fallback — higher quality, more complex). Kernel module that reads physical memory directly. Requires a pre-compiled .ko file matching the EXACT running kernel version.

1
2
3
4
5

# Check if pre-compiled module exists for this kernel
ls /mnt/usb/tools/lime/lime-$(uname -r).ko
# If yes: load and acquire
insmod /mnt/usb/tools/lime/lime-$(uname -r).ko "path=/mnt/usb/IR/$(hostname)_lime.raw format=raw"
# LiME writes the dump and auto-unloads the module

AVML vs LiME decision:

Use AVML when: rapid acquisition is needed (no preparation required), the kernel is 4.x+ (AVML requires /dev/crash or /proc/kcore), and you do not have a pre-compiled LiME module for the target kernel.

Use LiME when: AVML fails (restricted /dev/crash on hardened systems), you need the highest dump quality (LiME reads physical memory directly through the kernel, potentially capturing more consistent data), or the target is an older kernel where AVML’s /dev/crash reading is unreliable.

Pre-compiling LiME modules for your fleet: Maintain a directory of pre-compiled LiME .ko files for every kernel version running in your environment. After every kernel update: compile a new LiME module on a clean system with the matching kernel headers and add it to the triage USB. This 5-minute preparation step eliminates the “I don’t have a LiME module for this kernel” problem during incidents.

1
2
3
4
5
6

# On a BUILD system (NOT the compromised server):
apt install linux-headers-$(uname -r) build-essential git
git clone https://github.com/504ensicsLabs/LiME
cd LiME/src && make
# Output: lime-$(uname -r).ko — copy to triage USB
cp lime-$(uname -r).ko /mnt/usb/tools/lime/

ISF generation for Volatility3 — the critical dependency

Volatility3 cannot parse a Linux memory dump without an ISF (Intermediate Symbol Format) file matching the target kernel. The ISF maps kernel data structure offsets to named fields — without it, the raw memory is uninterpretable bytes.

Three ISF generation methods:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12

# Method 1: dwarf2json (requires kernel debug symbols)
# Install debug symbols on a CLEAN system with the same kernel
apt install linux-image-$(uname -r)-dbgsym  # Ubuntu with dbgsym repos enabled
dwarf2json linux --elf /usr/lib/debug/boot/vmlinux-$(uname -r) > isf_$(uname -r).json

# Method 2: btf2json (for kernels 5.2+ with BTF — no debug symbols needed)
# BTF (BPF Type Format) is built into many modern kernels
btf2json /sys/kernel/btf/vmlinux > isf_$(uname -r).json

# Method 3: Pre-built ISFs from Volatility3 symbol repository
# https://github.com/volatilityfoundation/volatility3/tree/main/volatility3/symbols
# Search for your distribution + kernel version

Collect these during triage to enable ISF generation later:

1
2
3
4
5
6

uname -r > /IR/kernel_version.txt
cp /boot/config-$(uname -r) /IR/ 2>/dev/null
cp /boot/System.map-$(uname -r) /IR/ 2>/dev/null
ls /sys/kernel/btf/vmlinux > /IR/btf_available.txt 2>/dev/null
dpkg -l | grep linux-image > /IR/kernel_packages.txt 2>/dev/null
rpm -qa | grep kernel > /IR/kernel_packages.txt 2>/dev/null

Cloud and virtual machine memory acquisition

VMware ESXi / vSphere: Suspend the VM or create a snapshot. The snapshot includes a .vmem file containing the VM’s physical memory. Copy the .vmem file for Volatility3 analysis. Do NOT resume the VM before copying — resuming overwrites the suspended memory state.

Hyper-V: Create a checkpoint (Export-VM produces a .bin file containing memory). Or use WinPMEM from within the guest OS.

AWS EC2 / Azure VM / GCP Compute: Cloud providers do NOT offer hypervisor-level memory capture for customer VMs. Memory acquisition requires guest-level tools: deploy AVML (Linux) or WinPMEM (Windows) inside the instance. For EC2: use SSM Run Command to execute AVML remotely without SSH. For Azure: use Run Command via the Azure portal or CLI.

1
2
3
4
5

# AWS SSM: remote AVML execution (no SSH required)
aws ssm send-command --instance-ids i-0abc123 \
    --document-name "AWS-RunShellScript" \
    --parameters 'commands=["cd /tmp && curl -sO https://INTERNAL_URL/avml && chmod +x avml && ./avml /tmp/memory.lime"]'
# Then copy the dump from the instance

Investigation Finding — IF-2026-TR1-MEM-001

Artifact: Memory acquisition procedure reference

Source: Operational standard — not incident-specific.

Findings:

Memory acquisition toolkit for the NE environment requires:

  • Windows: WinPMEM v4.0 on triage USB. ISF auto-detected by Volatility3 for Windows 10/11 and Server 2016+.

  • Linux: AVML v0.14.0 (primary) + pre-compiled LiME modules for 3 kernel versions currently deployed (5.15.0-88, 5.15.0-91, 6.1.0-18). ISFs pre-generated via btf2json for all 3 kernels.

  • Cloud: WinPMEM/AVML deployed via SSM/Run Command. No hypervisor-level capture available.

  • Proves: The NE triage toolkit supports memory acquisition across all 3 environments without preparation delays. Pre-compiled LiME modules and pre-generated ISFs eliminate the “I can’t analyse the dump because I don’t have the profile” problem.

  • Does not prove: That the toolkit is current — kernel updates may introduce new versions that require new LiME modules and ISFs. The triage toolkit must be updated after every kernel patch cycle.

  • Next step: Add toolkit maintenance to the monthly SOC operations checklist: after every kernel update, compile new LiME module, generate new ISF, add both to the triage USB.

Reference: Microsoft AVML (github.com/microsoft/avml), 504ensics LiME (github.com/504ensicsLabs/LiME), Volatility Foundation (github.com/volatilityfoundation/volatility3).

Try it: test memory acquisition on a non-production system
  1. Windows: Download WinPMEM. Run as Administrator. Capture a test dump to a USB drive. Verify the size matches physical RAM. Record the SHA256 hash. Delete the test dump.
  2. Linux: Download AVML. Run as root. Capture a test dump. Verify size. Record hash. Check whether /sys/kernel/btf/vmlinux exists (determines ISF generation method).
  3. For both: time the acquisition — know how long it takes for your typical system RAM size so you can plan triage timing during real incidents.
Compliance Myth: "Memory acquisition requires specialised forensic hardware"

The myth: Memory acquisition requires expensive forensic hardware (JTAG interfaces, direct memory access devices, PCI-based acquisition cards) and is beyond the capability of a SOC analyst during triage.

The reality: Software-based memory acquisition using WinPMEM (Windows) and AVML (Linux) requires: a single executable file on a USB drive, administrator/root access to the target system, and external storage for the dump. No specialised hardware. No forensic workstation. No physical access to the system’s motherboard. The tools are free and open-source. A SOC analyst who has practised the acquisition procedure once can execute it in under 5 minutes during a real incident. Hardware-based acquisition (JTAG, DMA) is reserved for forensic scenarios where the OS is untrusted (rootkit contamination at the kernel level) or the system cannot be accessed through the OS (locked screen, encrypted disk, powered-off device). For triage — where the system is running and accessible — software-based acquisition is sufficient and standard.

Troubleshooting

“WinPMEM fails with ‘Cannot load driver’.” Cause: Secure Boot or Driver Signature Enforcement is blocking the unsigned WinPMEM driver. Solutions: (1) Use the signed version of WinPMEM if available. (2) Temporarily disable Driver Signature Enforcement: bcdedit /set nointegritychecks on (requires reboot — not ideal during triage). (3) Use DumpIt or Magnet RAM Capture as alternatives (both use signed drivers). (4) If on a VM: use hypervisor-level capture instead.

“AVML fails with ‘Permission denied’ on /dev/crash.” Some hardened Linux configurations restrict /dev/crash. Try: avml --source /proc/kcore /IR/memory.lime. If both fail: use LiME with a pre-compiled kernel module. If LiME is also unavailable: document “Memory acquisition not possible on this system” and proceed with volatile state capture (ps, ss, w) as the best available alternative.

“The memory dump file is much smaller than physical RAM.” Common causes: (1) Insufficient disk space on the output media — check df -h. (2) The dump was written to FAT32 media (4 GB file size limit) — use NTFS or ext4. (3) AVML encountered memory regions it could not read and skipped them. A dump within 90% of physical RAM is acceptable for analysis; a dump below 50% may have significant gaps requiring re-acquisition with an alternative tool.

Beyond this investigation: Memory acquisition connects to Practical Incident Response IR4-IR5 (where Volatility3 plugins analyse the Windows memory dump: pslist, pstree, malfind, netscan, cmdline, dlllist, handles), Practical Linux IR LX4-LX5 (where Volatility3 Linux plugins analyse the Linux dump: linux.pslist, linux.bash, linux.check_syscall, linux.elfs, linux.proc_maps), and TR4.7 (where the AVML acquisition procedure is applied specifically to the TR4 Linux triage context).
Operational Artifact — Memory Acquisition Quick Reference

Windows: winpmem_mini_x64.exe E:\IR\%COMPUTERNAME%_memory.raw Verify: size ≈ RAM. Hash: Get-FileHash -Algorithm SHA256. Write to USB/network (NOT target disk).

Linux (AVML): ./avml /mnt/usb/IR/$(hostname)_memory.lime Verify: ls -lh vs free -h. Hash: sha256sum. Collect: uname -r, System.map, BTF status.

Linux (LiME): insmod lime-$(uname -r).ko "path=/mnt/usb/IR/$(hostname).raw format=raw" Requires pre-compiled .ko for exact kernel version. Auto-unloads after capture.

Cloud: Deploy AVML/WinPMEM via SSM/Run Command. No hypervisor-level capture on public cloud.

ISF for Volatility3: btf2json (kernel 5.2+, no debug symbols) or dwarf2json (requires debug package). Pre-generate for all deployed kernel versions.

Total time: 2-15 minutes depending on RAM size. Capture BEFORE any containment action.

© 2026 Ridgeline Cyber Defence™ Ltd. Content may not be reproduced or redistributed. Worked artifacts may be adapted for use within your organization.

You're reading the free modules of this course

The full course continues with advanced topics, production detection rules, worked investigation scenarios, and deployable artifacts. Premium subscribers get access to all courses.

View Pricing See Full Syllabus
← TR1.4 Linux Evidence Volatility TR1.6 Disk and Log Evidence: Collection Without Contamination →