Memory Forensics for Incident Response (34th Jyväskylä Summer School)

This is the official website of part of the course “CYB1: Understanding and Mitigating Malware Campaigns and their Underlying Cybercriminal Operations, Complemented with a Preliminary Dive into Digital Forensics and IoT Device Firmware Hardening against Exploitation”, to be held on August 4 to 13, 2025, as part of the 34th Jyväskylä Summer School, hosted by the University of Jyväskylä (Finland). Specifically, this website is devoted to the part of the course about “Memory Forensics for Incident Response”.

Overview

This part of the course provides a practical introduction to the analysis of memory dumps and malware artifacts using modern open-source tools such as Volatility. Participants will explore both static and dynamic malware analysis techniques, gain an understanding of memory acquisition best practices, and apply forensics skills in real-world scenarios to identify Indicators of Compromise (IoCs) and understand malicious behavior.

Learning Goals

By the end of this course, participants will be able to:

• Understand memory acquisition techniques and how to preserve integrity during forensic collection.
• Apply static and dynamic malware analysis techniques to understand malware behavior and persistence mechanisms.
• Use Volatility (versions 2 and 3) to extract relevant artifacts from memory dumps, including suspicious processes, DLLs, and network connections.
• Identify IoCs and understand their role in incident response.
• Integrate memory forensics into broader incident response workflows for improved detection and containment.
• Reinforce concepts through hands-on labs with real malware samples.

Material

• Slides

Hands-on Labs

Participants will practice their skills through several structured lab sessions:

• Lab session 0: Setting Up a Docker Environment for Volatility and Volatility 3
• Lab session 1: Getting Started with Volatility
• Lab session 2: Memory Dump Analysis with Volatility 3
• Lab session 3: Practical Malware Analysis: From Memory Forensics to Threat Attribution
• Lab session 4: Hands-On Guide to Volatility Plugin Development for Incident Response

Requirements

To simplify setup and ensure a consistent lab environment, a preconfigured Dockerfile is provided. It contains all necessary tools for the course:

• Dockerfile (MD5: 42160387dfa697efd23a23842eb98a55)

Memory Dumps

• Memory dump “zeus.vmem” (from The Malware Analyst’s Cookbook) (MD5 hashes)
• Windows 7 (infected with WannaCry) (MD5 hashes)
• Windows 7 (infected with ALINA) (MD5 hashes)

License

All material distributed on this website is licensed under CC BY-NC-SA 4.0.

Declaration of Generative AI and AI-Assisted Technologies in the Writing Process

During the preparation of this work, the author used ChatGPT-4 to improve readability and language. After using this tool/service, the author reviewed and edited the content as needed and assumes full responsibility for the content of the publication.

Author

Ricardo J. Rodríguez

Funding Acknowledgments

Part of this course was supported in part by grant Proyecto Estratégico Ciberseguridad EINA UNIZAR, funded by the Spanish National Cybersecurity Institute (INCIBE) and the European Union NextGenerationEU/PRTR.

LAST UPDATE

• August 12, 2025: added Lab 4
• August 05, 2025: first update