Authors: Ricardo J. Rodríguez
DFRWS APAC 2025
Abstract
This workshop offers a practical introduction to malware analysis and memory forensics, focusing on real-world incident response scenarios. Participants will gain hands-on experience with open-source tools such as Volatility to extract and analyze malware artifacts from memory dumps. The session covers static and dynamic analysis techniques, enabling attendees to identify indicators of compromise, understand malware behavior, and follow the traces an attack leaves behind in memory. Emphasis will be placed on the complete workflow, from acquiring memory images to integrating analysis results into the broader incident response lifecycle.
Learning Objectives
Participants can expect to achieve the following learning outcomes:
- Understanding memory acquisition techniques: Learn the principles of forensically acquiring system memory, including best practices for ensuring integrity and security during acquisition.
- Malware analysis methodologies: Gain insight into static and dynamic malware analysis using industry-standard tools and techniques. Understand malware behaviors, persistence mechanisms, and how malware interacts with system resources such as files, processes, and network connections.
- Using Volatility for analysis: Learn how to use the Volatility framework to extract artifacts from memory dumps, detect malware, and identify indicators of compromise (e.g., suspicious processes, DLLs, network connections).
- Integration into incident response: Understand how memory forensics can play a crucial role in the overall incident response process. Learn how to integrate forensic results into incident response workflows to improve threat detection, containment, and eradication.
- Practice: Apply the techniques in a lab environment with real-world malware samples to reinforce learning and provide hands-on experience.
Experience Level
Beginner
Description
This workshop aligns directly with the conference’s focus on cybersecurity, digital forensics, and incident response, offering participants a practical approach to memory and malware forensics. It helps connect theory to practice, demonstrating how memory analysis techniques and open-source tools like Volatility can be applied to extract, analyze, and understand malware during real-world incidents. The workshop provides attendees with practical skills to identify indicators of vulnerability and integrate forensic findings into the incident response process.
Preparation Details
Participants must bring their own laptop with all the required material installed (specifically, they must be able to run Docker containers). Some basic experience with the Linux console and Python programming is advised. Participants who do not want to use the provided Docker container will be required to install the following software prior to the workshop:
- Volatility Framework (v2.6 and v3)
- Sample memory dumps
All tools and materials will be provided via download links and should be installed at least 3 days prior to the conference to ensure availability. The website of the workshop is located at: https://webdiis.unizar.es/~ricardo/dfrws-apac-25-workshop/
Biography
Ricardo J. Rodríguez is an associate professor in the Department of Computer Science and Systems Engineering at the Universidad de Zaragoza (Spain). With a focus on cybersecurity, program binary analysis, and digital forensics, he has made significant contributions to the field, especially in memory forensics. He holds a Ph.D. in Computer and System Engineering from the University of Zaragoza (2013) and has published over 75 peer-reviewed articles, including 45 journal articles (mostly in Q1 and Q2 JCR-ranked journals). Rodríguez has been recognized for his research excellence with two six-year research terms from Spain's CNEAI and has supervised multiple MSc and Ph.D. theses. His research has garnered over 1000 citations, achieving an h-index of 19. He has been involved in various EU and national projects, both as a team member and principal investigator, securing over €1.5 million in research funding. His projects have addressed critical issues in cybersecurity, including memory forensics, malware analysis, and security in industrial IoT environments. In addition to his research, Rodríguez has been an active participant in international conferences and has served as a chair and reviewer for several prestigious events. He has also been a visiting professor at institutions in Italy, Germany, and the Netherlands, and has held leadership roles in several professional organizations, including IEEE. His teaching portfolio includes courses in cybersecurity and software analysis, and he has supervised more than 45 BSc projects, 22 MSc theses, and 4 Ph.D. dissertations. Rodríguez's professional activities also include consultancy work in digital forensics and cybersecurity for private companies, further demonstrating his expertise and influence in the field.