After working through several rooms that focused on disk forensics, this one felt like a complete shift in perspective. Instead of digging through file systems or deleted data, I was now dealing with something more temporary: RAM. The module introduced Volatility, a forensic framework designed for memory analysis, and it quickly became clear how powerful and delicate this kind of investigation can be.
Understanding Volatility
The name “Volatility” is fitting. In digital forensics, the order of volatility describes how quickly different types of data are lost or overwritten, and therefore the order in which evidence should be collected. RAM is right at the top of that list. Once a computer shuts down, the information it holds can vanish almost instantly. That makes capturing it early crucial, and this exercise showed me why. While previous tools focused on hard drives, Volatility allowed me to work directly with memory captures. Instead of investigating what was on the system, I looked at what was happening at the moment of capture: active processes, network connections, loaded DLLs, and more.
Extracting and Exploring Memory
The practical tasks began with extracting and inspecting a memory image. Rather than setting everything up locally, I used the pre-configured virtual machine provided by TryHackMe, which made it easier to focus on learning the tool itself. Once inside the “/opt/volatility3” directory, I could finally start running commands and exploring what Volatility had to offer. Running the “windows.info” plugin gave a quick summary of the system: things like the OS build, kernel version, and when the memory image was taken. From there, commands like “windows.psscan” and “windows.pstree” let me map out every running process and how they related.
Finding Suspicious Activity
One of the key investigations involved analysing a memory dump from a compromised system. By scanning processes, I spotted something that didn't fit: “reader_sl.exe”. At first glance, it looked legitimate, but further research showed it was often used as a disguise by malware. Using Volatility's process tree view confirmed it was launched by “explorer.exe”, which hinted that it had started under normal user activity, another classic trick for blending in. Later, in a second case study, I came across a process named “@WanaDecryptor@”, immediately linking it to the infamous WannaCry ransomware. Using commands like “windows.dlllist”, I could trace exactly which DLLs it had loaded, including “WS2_32.dll”, which is responsible for handling network connections. Seeing how clearly the malware's behaviour surfaced through memory analysis was fascinating.
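The two things the room had me do by hand, running “windows.pstree” and then working out who launched what, are easy to script once the output is captured. The block below is an added example (not TryHackMe's material and not Volatility's own code): it wraps the plugin call using the “/opt/volatility3” path from the room, parses the tree output into a parent/child map, walks a process's ancestry, and flags two kinds of findings: core Windows processes whose parent breaks the usual baseline (the baseline table is my assumption, not something the room states), and any name on a watchlist the analyst supplies. The sample output, its offsets, counts and timestamps are constructed to look like vol3's rows.

```python
import re
import subprocess
from typing import Dict, Iterable, List, NamedTuple, Tuple


class Proc(NamedTuple):
    pid: int
    ppid: int
    name: str
    depth: int  # number of leading '*' markers pstree prints for nesting


def run_pstree(image: str, vol_py: str = "/opt/volatility3/vol.py") -> str:
    """Run windows.pstree on a real image and return its text (never called offline)."""
    result = subprocess.run(["python3", vol_py, "-f", image, "windows.pstree"],
                            check=True, capture_output=True, text=True)
    return result.stdout


# Row shape assumed from vol3's tree output: optional '*' depth markers,
# then PID, PPID and ImageFileName ahead of the remaining columns.
ROW_RE = re.compile(r"^(\**)\s*(\d+)\s+(\d+)\s+(\S+)")


def parse_pstree(text: str) -> Dict[int, Proc]:
    """Turn pstree output into {pid: Proc}; banner, header and progress lines are skipped."""
    procs: Dict[int, Proc] = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            stars, pid, ppid, name = m.groups()
            procs[int(pid)] = Proc(int(pid), int(ppid), name, len(stars))
    return procs


def ancestry(procs: Dict[int, Proc], pid: int) -> List[str]:
    """Follow PPID links upward until the parent is no longer present in the capture."""
    chain: List[str] = []
    seen = set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(procs[pid].name)
        pid = procs[pid].ppid
    return chain


# Assumed "know normal" baseline for Vista-and-later: which parent each core
# process is expected to have. Names are compared case-insensitively.
EXPECTED_PARENT = {
    "smss.exe": "system",
    "csrss.exe": "smss.exe",
    "wininit.exe": "smss.exe",
    "winlogon.exe": "smss.exe",
    "services.exe": "wininit.exe",
    "lsass.exe": "wininit.exe",
    "svchost.exe": "services.exe",
}


def triage(procs: Dict[int, Proc], watchlist: Iterable[str] = ()) -> List[Tuple[int, str, str]]:
    """Return (pid, name, reason) for baseline violations and watchlisted names."""
    watch = {w.lower() for w in watchlist}
    findings: List[Tuple[int, str, str]] = []
    for p in procs.values():
        name = p.name.lower()
        parent = procs.get(p.ppid)  # None when the parent exited before the capture
        expected = EXPECTED_PARENT.get(name)
        if expected and parent and parent.name.lower() != expected:
            findings.append((p.pid, p.name,
                             f"parent is {parent.name} (PID {parent.pid}), expected {expected}"))
        if any(w in name for w in watch):
            launched_by = parent.name if parent else "not in capture"
            findings.append((p.pid, p.name, f"on watchlist; launched by {launched_by}"))
    return findings


# Constructed pstree-style output; every value here is made up for the example.
SAMPLE_PSTREE = """\
Volatility 3 Framework 2.x
PID\tPPID\tImageFileName\tOffset(V)\tThreads\tHandles\tSessionId\tWow64\tCreateTime\tExitTime
4\t0\tSystem\t0x823c89c8\t51\t245\tN/A\tFalse\t2012-07-22 02:42:31.000000\tN/A
* 368\t4\tsmss.exe\t0x822f1020\t3\t19\tN/A\tFalse\t2012-07-22 02:42:31.000000\tN/A
** 584\t368\tcsrss.exe\t0x822a0598\t9\t326\t0\tFalse\t2012-07-22 02:42:32.000000\tN/A
** 600\t368\twininit.exe\t0x821a2da0\t3\t76\t0\tFalse\t2012-07-22 02:42:32.000000\tN/A
*** 652\t600\tservices.exe\t0x81e2ab28\t16\t243\t0\tFalse\t2012-07-22 02:42:32.000000\tN/A
**** 824\t652\tsvchost.exe\t0x81e2a3b8\t20\t194\t0\tFalse\t2012-07-22 02:42:33.000000\tN/A
*** 664\t600\tlsass.exe\t0x81e2b4c0\t24\t330\t0\tFalse\t2012-07-22 02:42:32.000000\tN/A
1484\t1464\texplorer.exe\t0x81ebc1b8\t17\t415\t0\tFalse\t2012-07-22 02:42:36.000000\tN/A
* 1640\t1484\treader_sl.exe\t0x81e6a4e0\t5\t39\t0\tFalse\t2012-07-22 02:42:36.000000\tN/A
* 1900\t1484\tsvchost.exe\t0x81d9fc00\t2\t28\t0\tFalse\t2012-07-22 02:43:01.000000\tN/A
"""

if __name__ == "__main__":
    tree = parse_pstree(SAMPLE_PSTREE)  # on a real case: parse_pstree(run_pstree("image.mem"))
    for pid, name, why in triage(tree, watchlist=["reader_sl.exe", "@WanaDecryptor@"]):
        print(f"{pid:>6} {name:<16} {why}  [{' <- '.join(ancestry(tree, pid))}]")
```

Two things fall out of the sample: the watchlisted “reader_sl.exe” is reported with its launcher (“explorer.exe”, exactly the relationship the tree view showed in the room), and a second “svchost.exe” hanging off “explorer.exe” is reported because the baseline expects “services.exe” as its parent. Processes whose parent exited before the capture (here “explorer.exe”) are left alone rather than flagged, which keeps the list short enough to review by eye.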
Following Digital Footprints
Beyond identifying malware, this room taught me how much contextual information lives in memory. From user-agent strings in dumps (like “Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)”) to domain names linked to suspicious activity, Volatility gave me tools to uncover fragments of network behaviour that would otherwise go unnoticed. The more I worked with the data, the more I realised that memory analysis isn't just about finding “the bad file”; it's about reconstructing what happened second by second. Every running process, open socket, or loaded DLL tells part of the story.
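The user-agent and domain fragments mentioned above are usually found by carving printable strings out of the raw dump and filtering them, the same “read a lot of output, then grep” loop described later in the post. The block below is an added example of that step, not code from the room or from Volatility: it carves both ASCII and UTF-16LE (Windows wide) strings from a byte buffer, pulls out User-Agent values and hostnames from HTTP headers and URLs, and offers a grep-style filter. The buffer it runs on is constructed; on a real image you would hand it the dump's bytes (memory-mapped, since dumps are large) or the output of a strings tool.

```python
import re
from typing import Dict, List


def carve_strings(blob: bytes, min_len: int = 6) -> List[str]:
    """Return printable ASCII and UTF-16LE strings of at least min_len characters."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [m.group().decode("ascii") for m in ascii_re.finditer(blob)]
    found += [m.group().decode("utf-16-le") for m in wide_re.finditer(blob)]
    return found


UA_RE = re.compile(r"User-Agent:\s*(.+?)\s*$")
HOST_HDR_RE = re.compile(r"^Host:\s*([^\s:]+)", re.I)
URL_RE = re.compile(r"https?://([^/\s:]+)", re.I)


def network_artifacts(strings: List[str]) -> Dict[str, List[str]]:
    """Collect User-Agent values and hostnames (Host headers and URLs) from carved strings."""
    agents, hosts = set(), set()
    for s in strings:
        m = UA_RE.search(s)
        if m:
            agents.add(m.group(1))
        m = HOST_HDR_RE.match(s)
        if m:
            hosts.add(m.group(1).lower())
        hosts.update(h.lower() for h in URL_RE.findall(s))
    return {"user_agents": sorted(agents), "hosts": sorted(hosts)}


def grep(strings: List[str], pattern: str) -> List[str]:
    """Case-insensitive filter, the same role grep plays on the command line."""
    rx = re.compile(pattern, re.I)
    return [s for s in strings if rx.search(s)]


# Constructed stand-in for a slice of a memory dump: filler bytes, an HTTP
# request, a wide-string URL and a DLL path, with nothing in it taken from a real case.
SAMPLE_DUMP = (
    b"\x00" * 16 + b"junk\x01\x02"
    + b"GET /gate.php HTTP/1.1\r\n"
    + b"Host: update.example.com\r\n"
    + b"User-Agent: Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)\r\n\r\n"
    + b"\x00" * 8
    + "http://cdn.example.net/payload.bin".encode("utf-16-le")
    + b"\xff" * 4
    + b"C:\\Windows\\system32\\WS2_32.dll\x00"
)

if __name__ == "__main__":
    carved = carve_strings(SAMPLE_DUMP)
    print(network_artifacts(carved))
    print(grep(carved, r"ws2_32\.dll"))
```

The wide-string pass matters on Windows memory: many of the paths, URLs and registry values the room has you hunt for are stored as UTF-16 and never appear in a plain ASCII strings listing, which is one reason a search that looks complete can still miss the domain you are after.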
Learning Through Frustration
I'll admit, this room wasn't easy. Some of the later questions pushed me to research Windows internals, DLLs, and process hierarchies far beyond what I expected. There's a certain rhythm to using Volatility (switching between commands, reading through lengthy outputs, and filtering results with grep) that took a while to get comfortable with.
What I Took Away
- RAM holds gold: Even though it's temporary, memory can reveal more about real-time activity than any disk image.
- Volatility is powerful: Once you learn how to navigate its plugins, it becomes an incredibly flexible investigation tool.
- Research is part of the process: Understanding what's “normal” and what's not takes constant referencing and verification.
- Forensics is pattern recognition: The more you investigate, the faster you start recognising telltale signs of compromise.
Final Thoughts
This room was easily one of the most technical so far, but also one of the most rewarding. It bridged a gap between the abstract theory of volatility and the hands-on reality of memory forensics. Unlike file systems, RAM doesn't hide behind layers of storage; it shows you what the machine was thinking at that moment. Moving forward, I see how memory analysis complements disk forensics perfectly. Together, they tell the history and the current state of a system, and as an investigator, learning to read both sides of that story feels like unlocking a whole new level of digital insight.