Skip to content
APT Intelligence -- Memory Forensics

APT Memory Forensics Checklist

APTs increasingly use fileless malware that exists only in memory, leaving no files on disk for traditional forensics. This interactive checklist covers how to approach memory analysis during an APT incident, what injected code looks like, and the Volatility commands at each step.

Before acquiring memory

  • Do NOT reboot or power off the system -- this destroys all memory evidence
  • Acquire memory first before any other forensic action -- volatile data is lost on every second
  • Document the running process list (tasklist /v) and network connections (netstat -ano) immediately
  • Use WinPmem, DumpIt, or Magnet RAM Capture for acquisition -- Autopsy or FTK cannot acquire live RAM
  • Acquire to a USB drive or network share -- never to the local system disk

APT fileless malware indicators in memory

What you find in a clean process

  • PE header at base address
  • Mapped sections from disk file
  • Import table matching disk binary
  • No executable regions with PAGE_EXECUTE_READWRITE
  • VAD regions consistent with loaded DLLs

What you find in an infected process

  • PE header overwritten or absent (hollowing)
  • Executable memory regions with RWX permissions
  • Private memory allocations with MZ/PE headers
  • Import table mismatch vs disk copy
  • Anomalous VAD regions (private, executable, no mapped file)