Authors: Taha Gharaibeh, Ibrahim Baggili

DFRWS USA 2026

Abstract

Memory forensics remains a core capability in modern DFIR, but practical workflows are often constrained by the runtime costs of Python-based tooling. We report an empirical migration of a production memory-forensics framework, Volatility3, from Python to Rust using LLM-assisted development. The migration produced 38 Linux forensic plugins totaling 29,028 LOC over 68 hours of active implementation, with aggregate LLM usage of 900 million tokens ($2,962) across two systems. To evaluate functional behavior, we applied canonical output hashing over 11 memory samples spanning two Linux kernel versions. Rust completed all 417 analyzed plugin-sample executions, whereas Python failed on 47 (11.3%) because of runtime and symbol-compatibility errors. Exact output equivalence reached 68.9% among comparable executions. Under controlled benchmark conditions, the Rust implementation achieved a 2.50× median speedup, with structure-traversal plugins reaching up to 210×. Overall, the results indicate that compiled-language reimplementation can improve both execution robustness and throughput for analysis-intensive forensic tasks, while LLM-assisted migration can reduce development effort when paired with strict parity validation.
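As an added illustration (not code from the paper, from Volatility3 or from its Rust port), the following Python harness shows how canonical output hashing can compare plugin output from two implementations and how the "comparable executions" and exact-equivalence figures above can be derived once failed runs are excluded; the field names, sample rows and normalisation rules are constructed assumptions.

```python
# Added example (not from the paper): canonical output hashing for
# Python-vs-Rust plugin parity. Field names and sample rows are constructed.
import hashlib
import json
from typing import Iterable


def _canon_value(v):
    # Normalise whitespace in string fields; leave numbers and None untouched
    return v.strip() if isinstance(v, str) else v


def canonical_hash(rows: Iterable[dict]) -> str:
    """Digest of plugin output that ignores row order, key order and padding."""
    lines = sorted(
        json.dumps({k: _canon_value(v) for k, v in row.items()},
                   sort_keys=True, separators=(",", ":"), default=str)
        for row in rows
    )
    return hashlib.sha256("\n".join(lines).encode("utf-8")).hexdigest()


def parity_summary(runs: list[dict]) -> dict:
    """runs: [{plugin, sample, py, rs}, ...] where py/rs are row lists, or
    None when that implementation failed; only runs with both are comparable."""
    py_fail = sum(r["py"] is None for r in runs)
    rs_fail = sum(r["rs"] is None for r in runs)
    comparable = [r for r in runs if r["py"] is not None and r["rs"] is not None]
    exact = sum(canonical_hash(r["py"]) == canonical_hash(r["rs"]) for r in comparable)
    return {
        "total": len(runs), "py_failed": py_fail, "rs_failed": rs_fail,
        "comparable": len(comparable), "exact": exact,
        "exact_rate": exact / len(comparable) if comparable else 0.0,
    }


# Constructed pslist-style rows: same processes, different order, key order, padding
PY_PSLIST = [{"pid": 1, "ppid": 0, "comm": "systemd "}, {"pid": 2, "ppid": 0, "comm": "kthreadd"}]
RS_PSLIST = [{"comm": "kthreadd", "ppid": 0, "pid": 2}, {"comm": "systemd", "pid": 1, "ppid": 0}]
RS_PSLIST_DRIFT = RS_PSLIST + [{"pid": 3, "ppid": 2, "comm": "kworker/0:0"}]  # extra row

RUNS = [  # None models a Python run that died on a symbol-compatibility error
    {"plugin": "linux.pslist", "sample": "mem-a", "py": PY_PSLIST, "rs": RS_PSLIST},
    {"plugin": "linux.pslist", "sample": "mem-b", "py": PY_PSLIST, "rs": RS_PSLIST_DRIFT},
    {"plugin": "linux.bash", "sample": "mem-a", "py": None, "rs": RS_PSLIST},
]

if __name__ == "__main__":
    print(parity_summary(RUNS))
```

Hashing the sorted, key-normalised JSON rows rather than raw text means cosmetic differences (column order, trailing spaces) do not count as parity failures, while a missing or extra row still does.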
