The Developer Conference

Abhiram Kumar


Memory Forensics - A CTF Approach

Submitted Jun 28, 2019

This session gives a brief introduction to volatile memory analysis using the open source tool “volatility”.
Key takeaways:

  • Start playing CTFs which is best way to get into cyber security.
  • Understanding how memory forensics works & fundamentals of memory dump analysis.
  • Learning the fundamentals of using the tool volatility and its various plugins.
  • Interested people can also start contributing to this tool.


This session will start from the very fundamentals:

  • Why, What and How of Memory Forensics.
  • Introduction to Volatility & it’s plugins.
  • Elaborate discussion on various important plugins and the evidence they provide.
  • Live Demo of solving a CTF challenge and an elaborate discussion on collected memory evidence.


The participants need to have the following installed in their computers:

  • Ubuntu 16.04/18.04 LTS with Windows 7 64-bit in Virtualbox.
  • Python 2.x & python 3.x
  • Volatility 2.6 (APT Install). Visit this for more details.
  • Ghex (apt install)
  • DumpIt.exe installed in Windows VM.

Allocate around 1GB of RAM for the virtual machine and please enable Virtualbox Guest Additions so that data transfer between Guest & Host is possible.

Speaker bio

Hi! I am Abhiram Kumar. I am a 3rd year UG student pursuing my B.Tech in CSE at Amrita University, Amritapuri. I am a member of Team bi0s, CTF team from Amrita University. I have been focusing on Volatile Memory Analysis and Cyber Forensics for the last 3 years. I also have experience in conducting a workshop on Cyber Forensics at the VIDYUT Multi-Fest. I am also a member in the Core Organising team of InCTF & InCTF Junior.
I, along with a few members of my team authored the DFRWS IoT Challenge 2018-19 paper and got selected in the Top 5 submissions:



{{ gettext('Login to leave a comment') }}

{{ gettext('Post a comment…') }}
{{ gettext('New comment') }}
{{ formTitle }}

{{ errorMsg }}

{{ gettext('No comments posted yet') }}