Authors: Hala Ali, Andrew Case, Irfan Ahmed
DFRWS USA 2025 — “History in the Making” — Jubilee 25th Anniversary
Abstract
Memory forensics has become a crucial component of digital investigations, particularly for detecting sophisticated malware that operates solely in system memory without leaving traces on the file system. Although memory forensics provides a complete view of the system state at the time of acquisition, prior research efforts have primarily focused on analyzing kernel-level data structures for malware detection. With the propagation of kernel-level malware, operating system vendors implemented stringent kernel access restrictions, leading malware authors to shift their focus to developing userland malware. This evolution in tactics necessitated a corresponding shift in forensic research toward analyzing userland runtime environments. While significant memory analysis capabilities have been developed for various runtime environments, including Android, Objective-C, and .NET, no effort has addressed the analysis of Python, despite its growing popularity among both legitimate software developers and malware authors. To address this critical gap, we present a comprehensive analysis of the Python runtime, encompassing its hierarchical memory management, garbage collection mechanism, and thread execution context management. We automated this analysis by developing a suite of new Volatility 3 plugins that provide detailed visibility into Python applications, including classes and their runtime instances, modules, functions, dynamically generated values, and execution traces across application threads. We evaluated our plugins against real-world malware samples, including cryptocurrency hijackers, ransomware variants, and remote access trojans (RATs). Results demonstrated 100% extraction accuracy of application objects within practical time constraints. The plugins recovered critical artifacts, including cryptocurrency wallet addresses, encryption keys, malicious functions, and execution paths.