Applied Memory Forensics: Extracting and Analyzing Malware in Incident Response (DFRWS APAC 2025 workshop)

This is the official website of the workshop “Applied Memory Forensics: Extracting and Analyzing Malware in Incident Response”, to be held on November 10, 2025, as part of the technical workshops at DFRWS APAC 2025, hosted by the Korea University (South Korea).

Overview

This workshop provides a practical introduction to the analysis of memory dumps and malware artifacts using modern open-source tools such as Volatility. Participants will explore both static and dynamic malware analysis techniques, gain an understanding of memory acquisition best practices, and apply forensics skills in real-world scenarios to identify Indicators of Compromise (IoCs) and understand malicious behavior.

Learning Goals

By the end of this workshop, participants will be able to:

• Understand memory acquisition techniques and how to preserve integrity during forensic collection.
• Apply static and dynamic malware analysis techniques to understand malware behavior and persistence mechanisms.
• Use Volatility (versions 2 and 3) to extract relevant artifacts from memory dumps, including suspicious processes, DLLs, and network connections.
• Identify IoCs and understand their role in incident response.
• Integrate memory forensics into broader incident response workflows for improved detection and containment.
• Reinforce concepts through hands-on labs with real malware samples.

Material

• Workshop slides

Hands-on Labs

Participants will practice their skills through several structured lab sessions:

• Lab session 0: Setting Up a Docker Environment for Volatility and Volatility 3
• Lab session 1: Getting Started with Volatility
• Lab session 2: Memory Dump Analysis with Volatility 3
• Lab session 3: Practical Malware Analysis: From Memory Forensics to Threat Attribution

Requirements

To simplify setup and ensure a consistent lab environment, a preconfigured Dockerfile is provided. It contains all necessary tools for the course:

• Dockerfile (MD5: 42160387dfa697efd23a23842eb98a55)

Memory Dumps

• Memory dump “zeus.vmem” (from The Malware Analyst’s Cookbook) (MD5 hashes)
• Windows 7 (infected with WannaCry) (MD5 hashes)
• Windows 7 (infected with ALINA) (MD5 hashes)

License

All material distributed on this website is licensed under CC BY-NC-SA 4.0.

Declaration of Generative AI and AI-Assisted Technologies in the Writing Process

During the preparation of this work, the author used ChatGPT-4 to improve readability and language. After using this tool/service, the author reviewed and edited the content as needed and assumes full responsibility for the content of the publication.

Author

Ricardo J. Rodríguez

LAST UPDATE

• September 20, 2025: first update