Authors: Andrew Case, Hala Ali

DFRWS USA 2025 — “History in the Making” — Jubilee 25th Anniversary

Abstract

Memory forensics—the analysis of volatile memory (RAM)—is an extremely powerful technique for detecting and triaging modern malware. It is often a critical component of modern incident response because of the frequent use of memory-only payloads and rootkits that bypass EDRs, hide from live analysis tools, and often leave no file system artifacts. In this workshop, a mix of lectures and hands-on labs provides students with memory forensics knowledge and experience that can be applied during real-world incident response. Topics covered include the detection and triage of credential dumping, lateral movement, and memory-only malware loading. With these techniques documented in the slides and practiced hands-on in the labs, attendees will leave with knowledge that is immediately applicable in real investigations. This workshop focuses on Volatility 3, which has been the standard and supported version of Volatility since it replaced Volatility 2 in April 2025.

Objectives

  • The importance of memory forensics
  • Applying memory forensics in modern investigations
  • Detailed instructions and examples of using Volatility 3
  • Hands-on experience performing memory forensics

Provided to students

The students will be provided with a virtual machine, memory samples, a PDF of the slides, and a lab guide that documents the exercises.

Biographies

Andrew Case

Andrew Case is the Director of Research at Volexity and has significant experience in incident response handling, digital forensics, and malware analysis. He has conducted numerous large-scale investigations that span enterprises and industries. Case is a core developer of Volatility, the most widely used open-source memory forensics framework, and a co-author of the highly popular and technical forensics analysis book “The Art of Memory Forensics: Detecting Malware and Threats in Windows, Linux, and Mac Memory.” Case has spoken at many industry conferences, including DFRWS, Black Hat, DEFCON, RSA, SecTor, BSides*, and OMFW.

Hala Ali

Hala Ali is a Ph.D. student at Virginia Commonwealth University (VCU). Her research interests include cybersecurity, information security, IoT, and fog computing. She received her Bachelor's degree in Computer Networks and Operating Systems from Homs University, Syria, in 2016, and her Master's degree in Computer Science and Information Security from the National Institute of Technology Warangal, India, in 2020. Hala has worked on various research projects and published papers on real-time task scheduling in fog-cloud computing and lightweight authentication protocols for IoT. Her current research focuses on memory forensics and software supply chain security.

Downloads