============================================================
  Memory Forensics
============================================================

  Analyze memory dumps to find malware artifacts, injected code, and hidden processes. Uses Volatility 3 framework on REMnux.

────────────────────────────────────────────────────────────

  Step 1: Image Identification
  Tools: volatility3
  Identify the OS and kernel build: vol3 -f <dump>
  windows.info (or linux.info). Volatility 3 has no
  --profile option; it resolves symbol tables (ISF) from
  the kernel build found in the image, so a clean
  windows.info run (build number, architecture, major/
  minor version, system time) also proves the dump is
  readable. If it fails, suspect a truncated or
  unsupported dump format before suspecting the tool.

    $ vol3 -f <memory_dump> windows.info

  Step 2: Process Analysis
  Tools: volatility3
  List processes: vol3 -f <dump> windows.pslist (walks
  the kernel's process list) and windows.pstree (shows
  parent-child relationships). Look for: typosquatted
  system names (svch0st.exe, lsasss.exe), wrong parents
  (lsass.exe not under wininit.exe, svchost.exe not
  under services.exe), duplicate singleton processes (a
  second lsass.exe or services.exe), processes whose
  parent PID no longer exists, and odd session IDs.
  Compare with windows.psscan, which carves EPROCESS
  structures from memory: a process present in psscan
  but absent from pslist has been unlinked (hidden) or
  has recently exited.

    $ vol3 -f <memory_dump> windows.pstree
    $ vol3 -f <memory_dump> windows.psscan

  Step 3: Network Connections
  Tools: volatility3
  List sockets and connections: vol3 -f <dump>
  windows.netscan (carves pool memory, so it also
  recovers recently closed connections; windows.netstat
  walks the live structures only). Identify: established
  connections to external hosts on unusual ports,
  known-bad IPs from threat intel, listeners on
  unexpected ports, and core processes (lsass.exe,
  services.exe) that should never talk to the internet.
  Cross-reference the Owner/PID columns with the process
  list from Step 2; a PID with no matching process points
  to a hidden or exited process.

    $ vol3 -f <memory_dump> windows.netscan
    $ vol3 -f <memory_dump> windows.netstat

  Step 4: Injection Detection
  Tools: volatility3
  Detect injected code: vol3 -f <dump> windows.malfind.
  Reports private (not file-backed) memory regions with
  execute permission, typically PAGE_EXECUTE_READWRITE,
  plus a hexdump/disassembly of their first bytes. An MZ
  header or a jump/call stub at the start is a strong
  signal; legitimate JIT and .NET runtimes also produce
  hits, so corroborate with the process tree and DLL
  list before acting. Add --dump to write each flagged
  region to disk for Step 7.

    $ vol3 -f <memory_dump> windows.malfind
    $ vol3 -f <memory_dump> windows.malfind --pid <PID> --dump

  Step 5: DLL Analysis
  Tools: volatility3
  List loaded DLLs: vol3 -f <dump> windows.dlllist --pid
  <PID>. Look for: DLLs loaded from user-writable paths
  (Temp, AppData, ProgramData, Downloads), names that
  mimic system DLLs, and modules not in a known-good
  baseline for that process. dlllist only walks the PEB
  load-order list, so a DLL unlinked from it will be
  missing; compare against windows.ldrmodules, which
  flags modules absent from one or more of the loader
  lists. Volatility does not verify Authenticode
  signatures, so dump the modules (--dump) and check
  them offline.

    $ vol3 -f <memory_dump> windows.dlllist --pid <PID>
    $ vol3 -f <memory_dump> windows.ldrmodules --pid <PID>

  Step 6: String Search
  Tools: volatility3, strings
  Pull strings from the raw dump and grep for IOCs.
  Run strings twice: once for ASCII and once with -e l
  for 16-bit little-endian (UTF-16) strings, which is
  how Windows stores most paths, URLs and command
  lines. To learn which process a hit belongs to, keep
  the decimal offsets (-t d) and feed the file to
  windows.strings, which maps each physical offset to
  an owning process and virtual address. Look for URLs,
  domains, file paths, registry keys, PowerShell/cmd
  command lines.

    $ strings -a -t d <memory_dump> > strings.txt
    $ strings -a -t d -e l <memory_dump> >> strings.txt
    $ grep -i '<pattern>' strings.txt
    $ vol3 -f <memory_dump> windows.strings --strings-file strings.txt

  Step 7: Process & Code Dumping
  Tools: volatility3
  Extract a process executable: vol3 -f <dump>
  windows.pslist --pid <PID> --dump. Extract the
  injected regions flagged in Step 4: windows.malfind
  --pid <PID> --dump. Extract files mapped or opened by
  the process (DLLs, dropped files) with
  windows.dumpfiles --pid <PID>. Dumped PEs are
  reconstructed from memory: sections are page-aligned,
  imports are already resolved and some pages may have
  been paged out, so expect a 'dirty' binary. Analyze
  the output with the Static Analysis Workflow.

    $ vol3 -f <memory_dump> -o dumps windows.pslist --pid <PID> --dump
    $ vol3 -f <memory_dump> -o dumps windows.malfind --pid <PID> --dump
    $ vol3 -f <memory_dump> -o dumps windows.dumpfiles --pid <PID>

  Step 8: Timeline Reconstruction
  Tools: volatility3
  Build timeline: vol3 -f <dump> timeliner.Timeliner.
  It collects timestamps from every plugin that exposes
  them (process create/exit, connection Created times,
  registry key last-write, ...) into one ordered list.
  Use --create-bodyfile for a mactime-compatible body
  file that can be merged with disk timelines.
  Reconstruct: when malware started, what it did,
  lateral movement. Correlate with process tree and
  network data.

    $ vol3 -f <memory_dump> timeliner.Timeliner
    $ vol3 -f <memory_dump> -o timeline timeliner.Timeliner --create-bodyfile
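  The Step 2 and Step 3 heuristics are quick to apply by eye on
  a workstation dump and tedious on a busy server. The script
  below is an added example for this cheatsheet, not code from
  fhelp, REMnux or the Volatility project. It takes the JSON
  rendering of windows.pslist and windows.netscan (vol3 -r json;
  the column names PID, PPID, ImageFileName, ForeignAddr,
  ForeignPort and State are assumed from that renderer) and
  flags wrong parents for core processes, duplicate singletons,
  unexpected orphans, typosquatted names, and established
  external connections tied back to their owning process. The
  expected-parent table is the standard Windows boot tree, not
  something Volatility supplies; the SAMPLE_* records are
  constructed for the demo.

```python
"""Triage Volatility 3 pslist/netscan output for the Step 2 and Step 3 heuristics.
Added example, not part of fhelp, REMnux or Volatility. Records are assumed to
carry the column names of vol3's JSON renderer (-r json); SAMPLE_* data is
constructed for the demo, not taken from a real dump."""
import difflib
import ipaddress
import json
import sys

# Parent is checked by name only where it stays resident; smss.exe/userinit.exe
# exit after spawning, so csrss/winlogon/wininit/explorer are orphans by design.
EXPECTED_PARENT = {"services.exe": "wininit.exe", "lsass.exe": "wininit.exe",
                   "svchost.exe": "services.exe", "spoolsv.exe": "services.exe"}
SINGLETONS = {"smss.exe", "wininit.exe", "services.exe", "lsass.exe"}
EXPECTED_ORPHANS = {"system", "smss.exe", "csrss.exe", "winlogon.exe", "wininit.exe", "explorer.exe"}
SYSTEM_NAMES = set(EXPECTED_PARENT) | SINGLETONS | EXPECTED_ORPHANS
NO_EGRESS = {"lsass.exe", "services.exe", "wininit.exe", "smss.exe", "csrss.exe", "winlogon.exe"}
COMMON_PORTS = {53, 80, 443, 445, 135, 139, 3389}
INTERNAL = [ipaddress.ip_network(n) for n in  # RFC 1918, loopback, link-local
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "::1/128", "fe80::/10")]

def _proc(pid, ppid, name):
    return {"PID": pid, "PPID": ppid, "ImageFileName": name}

def _conn(pid, lport, faddr, fport, state):
    return {"Proto": "TCPv4", "LocalAddr": "10.0.0.5", "LocalPort": lport,
            "ForeignAddr": faddr, "ForeignPort": fport, "State": state, "PID": pid}

# Constructed sample: a plausible boot-time tree plus planted anomalies.
SAMPLE_PROCS = [
    _proc(4, 0, "System"), _proc(368, 4, "smss.exe"), _proc(476, 440, "csrss.exe"),
    _proc(520, 440, "wininit.exe"), _proc(612, 520, "services.exe"), _proc(624, 520, "lsass.exe"),
    _proc(760, 612, "svchost.exe"), _proc(1532, 1500, "explorer.exe"),
    _proc(2044, 1532, "svch0st.exe"),  # typosquatted name
    _proc(2188, 1532, "lsass.exe"),    # second lsass.exe, parented by explorer.exe
    _proc(3100, 2900, "updater.exe"),  # parent no longer exists
]
SAMPLE_CONNS = [
    _conn(760, 49712, "198.51.100.200", 443, "ESTABLISHED"),  # ordinary HTTPS
    _conn(2044, 49801, "203.0.113.77", 8443, "ESTABLISHED"),  # odd port
    _conn(2188, 49810, "198.51.100.23", 443, "ESTABLISHED"),  # lsass.exe egress
    _conn(9999, 49900, "192.0.2.10", 4444, "ESTABLISHED"),    # PID absent from pslist
    _conn(760, 135, "*", 0, "LISTENING"),                     # not established, ignored
]

def anomalous_parents(procs):
    """Core processes with the wrong parent: (pid, name, ppid, parent name or None)."""
    pids, hits = {p["PID"]: p for p in procs}, []
    for p in procs:
        want = EXPECTED_PARENT.get(p["ImageFileName"].lower())
        parent = pids.get(p["PPID"])
        have = parent["ImageFileName"].lower() if parent else None
        if want and have != want:
            hits.append((p["PID"], p["ImageFileName"], p["PPID"], have))
    return hits

def duplicate_singletons(procs):
    """Names that must occur once but occur more often (e.g. two lsass.exe)."""
    names = [p["ImageFileName"].lower() for p in procs]
    return sorted(n for n in SINGLETONS if names.count(n) > 1)

def unexpected_orphans(procs):
    """Processes whose PPID is gone and which are not orphaned by design."""
    pids = {p["PID"] for p in procs}
    return [(p["PID"], p["ImageFileName"]) for p in procs
            if p["PPID"] not in pids and p["ImageFileName"].lower() not in EXPECTED_ORPHANS]

def lookalike_names(procs, cutoff=0.85):
    """Names near, but not equal to, a core process name (svch0st.exe).
    0.85 keeps conhost.exe (ratio 0.82 against svchost.exe) from being reported."""
    hits = []
    for p in procs:
        n = p["ImageFileName"].lower()
        if n not in SYSTEM_NAMES:
            for m in difflib.get_close_matches(n, SYSTEM_NAMES, 1, cutoff):
                hits.append((p["PID"], p["ImageFileName"], m))
    return hits

def suspicious_connections(procs, conns):
    """Established connections to external hosts that deserve a look, with reasons."""
    pids, hits = {p["PID"]: p for p in procs}, []
    for c in conns:
        if c["State"] != "ESTABLISHED":
            continue
        try:
            remote = ipaddress.ip_address(c["ForeignAddr"])
        except ValueError:  # netscan prints '*' for unconnected sockets
            continue
        if any(remote in net for net in INTERNAL):
            continue
        owner = pids.get(c["PID"])
        reasons = []
        if owner is None:
            reasons.append("no owning process in pslist")
        elif owner["ImageFileName"].lower() in NO_EGRESS:
            reasons.append(f"{owner['ImageFileName']} should not have external connections")
        if c["ForeignPort"] not in COMMON_PORTS:
            reasons.append(f"uncommon remote port {c['ForeignPort']}")
        if reasons:
            hits.append((c["PID"], owner["ImageFileName"] if owner else None,
                         f"{c['ForeignAddr']}:{c['ForeignPort']}", reasons))
    return hits

if __name__ == "__main__":  # usage: python vol_triage.py [pslist.json netscan.json]
    procs, conns = ((json.load(open(a)) for a in sys.argv[1:3]) if len(sys.argv) == 3
                    else (SAMPLE_PROCS, SAMPLE_CONNS))
    for fn in (anomalous_parents, duplicate_singletons, unexpected_orphans, lookalike_names):
        print(fn.__name__, *fn(procs), sep="\n    ")
    print("suspicious_connections", *suspicious_connections(procs, conns), sep="\n    ")
```

  Feed it the flat windows.pslist output rather than
  windows.pstree (whose JSON nests children under
  __children), and treat every hit as a lead to confirm
  with Steps 4 to 7, not as a verdict: a second lsass.exe
  under explorer.exe is damning, but an uncommon port
  alone is only a reason to look closer.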

────────────────────────────────────────────────────────────
  Tip: 'fhelp cheat <tool>' for full examples
       'Ctrl+G' for interactive cheatsheet browser
