National University of Sciences & Technology (NUST)
School of Electrical Engineering and Computer Science (SEECS)
Faculty of Computing
Department of Software Engineering
CS-481: Computer Forensics
Class: BESE-12 AB
Lab 11: Introduction to Memory Forensics with Volatility 3
CLO                                                          PLO (SE)                  BT-Level
CLO 2: Apply forensics procedures for case investigations.   PLO-4: Investigation      C-3: Applying
CLO 3: Demonstrate various forensics methods and techniques  PLO-5: Modern Tool Usage  P-3: Guided Response
       through modern tools to investigate the contents of
       various electronic devices.
Date: 21-04-2025
Time:
2:00 pm - 2:50 pm
3:00 pm - 3:50 pm
4:00 pm - 4:50 pm
Lab 11
Introduction
This lab introduces students to memory forensics: analysing a memory
image of a Windows 10 system with Volatility 3 as part of a digital
investigation.
Objectives
The main objective of this lab is:
1. Learn memory forensics using Volatility 3.
Tools/Software Requirements
● Volatility 3, PowerShell, and HexD
Description
Students are required to complete the tasks in the video
'Introduction to Memory Forensics with Volatility 3':
https://www.youtube.com/watch?v=Uk3DEgY5Ue8
For background information about memory analysis, please watch
https://www.youtube.com/watch?v=lI7ePcu6D7Q
Read the lab tasks carefully and complete them.
Deliverable:
Students are required to complete all tasks and upload a single
document with adequate evidence on LMS before the deadline.
Make sure your name, Qalam ID, and date are included on every
page of the document.
Task A: Install Volatility 3
1. Follow the steps in the video
https://www.youtube.com/watch?v=Uk3DEgY5Ue8 to install
Volatility 3. A working installation requires:
a. Python 3: https://python.org
b. Git for Windows: https://gitforwindows.org/
c. Microsoft C++ Build Tools:
https://visualstudio.microsoft.com/visual-cpp-build-tools/
d. Python Snappy: https://www.cgohlke.com/#python-snappy
e. Volatility 3: https://github.com/volatilityfoundation/volatility3
2. Make sure that python vol.py -v, run in PowerShell from the
volatility3 directory, prints the Volatility 3 version before
proceeding further.
Task B: Analyse a memory image using Volatility 3
1. Download the memory image file
https://ia803401.us.archive.org/view_archive.php?archive=/1/items/Africa-DFIRCTF-2021-WK02/20210430-Win10Home-20H2-64bit-memdump.mem.7z
from https://archive.org/details/Africa-DFIRCTF-2021-WK02 and extract
the .mem file from the 7z archive. Run the windows.pslist module
against the image and search its output for anything related to the
Chrome browser. Take a screenshot that shows the command you used and
the information obtained about the parent chrome process (the
chrome.exe whose parent is not itself a chrome.exe). Note that on the
first run against an image Volatility 3 downloads the symbol table
for that Windows kernel, so an internet connection is needed and the
first plugin takes noticeably longer than later ones.
2. Find any file whose name contains the word 'history' that is in
use by this parent chrome process. Take a screenshot that shows the
command you used and the information you obtained.
3. Carve out the file that contains John Doe's Chrome browsing
history. Open its folder in Windows Explorer and take a screenshot.
Make sure the file's size and date modified are clearly visible.
4. Find the hash of John Doe's Windows account password, as stored in
the SAM. Take a screenshot that shows the command you used and the
information you obtained.
5. Was Microsoft Edge ever used on this system? If so, for roughly
how long? Take a screenshot that shows the command you used and the
information you obtained.
6. Carve out John Doe's ntuser.dat file and open it in HexD. Take a
screenshot that shows:
a. the command you used,
b. the ntuser.dat file in Windows Explorer,
c. the registry file header of the ntuser.dat file in HexD. A
registry hive begins with the four ASCII bytes regf; if the carved
file does not, it is not a hive.
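The following is an added example for task 1 and is not part of the lab, the video, or Volatility 3 itself. It post-processes the CSV that `python vol.py -f <image> -r csv windows.pslist` writes (the renderer is selected with `-r csv`) to pick out the parent chrome.exe process, i.e. the one whose parent is not another chrome.exe, together with its renderer, GPU and utility children. The CSV rows embedded below are constructed to mimic that renderer's layout; the PIDs, offsets and timestamps are made up and are not from the lab image. Only the PID, PPID, ImageFileName and CreateTime columns are used, and by name, so extra columns do not matter. A parent whose CreateTime is later than its child's is treated as a reused PID rather than a real parent, which is the usual trap when reading PPIDs out of a memory image.

```python
"""Added example for Task B.1 (not part of the lab or of Volatility 3):
locate the parent chrome.exe in `windows.pslist` output.  Feed it the CSV
from `python vol.py -f <image> -r csv windows.pslist` as its only argument,
or run it as-is on the constructed sample below."""
import csv
import io
import sys

# Constructed sample laid out like Volatility 3's CSV renderer; the PIDs,
# offsets and times are made up and are not from the lab image.  The last
# row deliberately claims a parent (7444) created after it, to show the
# PID-reuse check.
SAMPLE_PSLIST_CSV = """\
TreeDepth,PID,PPID,ImageFileName,Offset(V),Threads,Handles,SessionId,Wow64,CreateTime,ExitTime,File output
0,4,0,System,0xe5059c08d040,150,-,N/A,False,2021-04-30 16:01:02.000000,N/A,Disabled
0,5220,4424,explorer.exe,0xe505a3d47080,70,-,1,False,2021-04-30 16:03:40.000000,N/A,Disabled
0,6988,5220,chrome.exe,0xe505a6c2e080,35,-,1,False,2021-04-30 16:10:11.000000,N/A,Disabled
0,7012,6988,chrome.exe,0xe505a6c7f080,8,-,1,False,2021-04-30 16:10:12.000000,N/A,Disabled
0,7140,6988,chrome.exe,0xe505a6d10080,14,-,1,False,2021-04-30 16:10:13.000000,N/A,Disabled
0,7300,7140,chrome.exe,0xe505a6e45080,12,-,1,False,2021-04-30 16:10:15.000000,N/A,Disabled
0,7444,6988,chrome.exe,0xe505a6f62080,11,-,1,False,2021-04-30 16:10:20.000000,N/A,Disabled
0,8020,7444,chrome.exe,0xe505a7013080,9,-,1,False,2021-04-30 16:09:50.000000,N/A,Disabled
"""


def _created(row):
    # Timestamps are fixed-width "YYYY-MM-DD HH:MM:SS.ffffff", so plain
    # string comparison orders them correctly.
    return row["CreateTime"].strip()


def parse_pslist_csv(text):
    """Index the rows of pslist CSV output by PID."""
    return {int(row["PID"]): row for row in csv.DictReader(io.StringIO(text))}


def descendants(procs, pid):
    """Transitive children of pid.  Links where the child was created before
    its supposed parent are skipped (that PPID has been reused), and a visited
    set stops the cycles such stale links can form."""
    found, seen, stack = [], {pid}, [pid]
    while stack:
        cur = stack.pop()
        for cpid, row in procs.items():
            if (int(row["PPID"]) == cur and cpid not in seen
                    and _created(row) >= _created(procs[cur])):
                seen.add(cpid)
                found.append(cpid)
                stack.append(cpid)
    return found


def chrome_root_processes(procs, image_name="chrome.exe"):
    """Processes named image_name whose parent is not a live, older process of
    the same name.  A parent missing from the list (already exited) still
    makes its child a root, as does a listed parent created after the child."""
    roots = []
    for pid, row in procs.items():
        if row["ImageFileName"].lower() != image_name:
            continue
        ppid = int(row["PPID"])
        parent = procs.get(ppid)
        ppid_reused = parent is not None and _created(parent) > _created(row)
        if parent is None or parent["ImageFileName"].lower() != image_name or ppid_reused:
            roots.append({
                "pid": pid,
                "ppid": ppid,
                "parent_name": parent["ImageFileName"] if parent else None,
                "create_time": _created(row),
                "ppid_reused": ppid_reused,
                "descendants": descendants(procs, pid),
            })
    # The browser process owns the renderer/GPU/utility children, so the root
    # with the most descendants is listed first.
    return sorted(roots, key=lambda r: len(r["descendants"]), reverse=True)


def browser_process(procs, image_name="chrome.exe"):
    """The parent chrome process, or None if no chrome.exe is listed."""
    roots = chrome_root_processes(procs, image_name)
    return roots[0] if roots else None


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as f:
            text = f.read()
    else:
        text = SAMPLE_PSLIST_CSV
    for r in chrome_root_processes(parse_pslist_csv(text)):
        print("PID %(pid)d  PPID %(ppid)d (%(parent_name)s)  created %(create_time)s"
              "  ppid_reused=%(ppid_reused)s  descendants=%(descendants)s" % r)
```

Against the sample, the script reports PID 6988 (parent explorer.exe) as the browser process with four descendants, and lists 8020 separately as a chrome.exe whose recorded parent was created after it, which is the kind of row you should not count as a child of the parent process.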
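As an added example for tasks 3 and 6, and not code from the lab, the video or Volatility 3: a Python script that decodes the base block (first 512 bytes) of a registry hive such as the carved ntuser.dat, so the header bytes seen in HexD can be checked rather than just screenshotted. It verifies the regf signature and the header checksum, decodes the last-written FILETIME and the embedded file name, and reports whether the two sequence numbers match (a mismatch is normal for a hive pulled out of memory and means the last write was in progress). Field offsets follow the public hive base-block layout; the sample header the script builds for itself is constructed and every value in it is made up. Run it with the carved file's path as its only argument to decode a real header.

```python
"""Added example for Task B.6 (not from the lab, the video or Volatility 3):
decode and validate the 'regf' base block of a Windows registry hive.
Usage: python regf_header.py <carved ntuser.dat>; with no argument it
builds and decodes a constructed sample header."""
import struct
import sys
from datetime import datetime, timedelta, timezone

REGF_MAGIC = b"regf"
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
BASE_BLOCK_SIZE = 0x200      # header fields live in the first 512 bytes
CHECKSUM_OFFSET = 0x1FC      # last DWORD of the base block
# Constructed timestamp for the sample header; not taken from the lab image.
SAMPLE_LAST_WRITTEN = datetime(2021, 4, 30, 16, 0, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """Windows FILETIME: 100 ns ticks since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    delta = dt - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def regf_checksum(base_block):
    """XOR of the 127 little-endian DWORDs before the checksum field.
    The format stores an all-ones result as 0xFFFFFFFE and zero as 1."""
    acc = 0
    for (dword,) in struct.iter_unpack("<I", base_block[:CHECKSUM_OFFSET]):
        acc ^= dword
    if acc == 0xFFFFFFFF:
        return 0xFFFFFFFE
    return acc or 1


def parse_regf_header(data):
    """Decode the hive base block; raises ValueError if data is not a hive."""
    if len(data) < BASE_BLOCK_SIZE:
        raise ValueError("need at least %d bytes, got %d" % (BASE_BLOCK_SIZE, len(data)))
    if data[:4] != REGF_MAGIC:
        raise ValueError("signature %r is not 'regf'" % data[:4])
    (seq1, seq2, last_written, major, minor, file_type, file_format,
     root_offset, hbins_size, cluster) = struct.unpack_from("<IIQIIIIIII", data, 4)
    raw_name = data[0x30:0x70].decode("utf-16-le", errors="replace")
    stored = struct.unpack_from("<I", data, CHECKSUM_OFFSET)[0]
    return {
        "primary_sequence": seq1,
        "secondary_sequence": seq2,
        # Equal sequence numbers mean the last write completed; unequal ones
        # mean the hive was mid-update (a log would need replaying), which is
        # common for a hive carved from a live memory image.
        "sequence_consistent": seq1 == seq2,
        "last_written": filetime_to_datetime(last_written),
        "version": "%d.%d" % (major, minor),
        "file_type": file_type,           # 0 = primary hive file
        "file_format": file_format,       # 1 = direct memory load
        "root_cell_offset": root_offset,  # relative to the first hbin at 0x1000
        "hbins_data_size": hbins_size,
        "clustering_factor": cluster,
        "file_name": raw_name.split("\x00", 1)[0],
        "stored_checksum": stored,
        "checksum_ok": stored == regf_checksum(data),
    }


def build_sample_base_block(last_written, file_name="ntuser.dat", seq=(7, 7)):
    """Constructed header for demonstration; every value here is made up."""
    block = bytearray(BASE_BLOCK_SIZE)
    block[0:4] = REGF_MAGIC
    struct.pack_into("<IIQIIIIIII", block, 4, seq[0], seq[1],
                     datetime_to_filetime(last_written), 1, 5, 0, 1, 0x20, 0x1000, 1)
    name = file_name.encode("utf-16-le")[:64]
    block[0x30:0x30 + len(name)] = name
    struct.pack_into("<I", block, CHECKSUM_OFFSET, regf_checksum(bytes(block)))
    return bytes(block)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            header = f.read(BASE_BLOCK_SIZE)
    else:
        header = build_sample_base_block(SAMPLE_LAST_WRITTEN)
    for key, value in parse_regf_header(header).items():
        print("%-20s %s" % (key, value))
```

A checksum_ok of False on a carved hive usually means the carve started at the wrong offset or the page holding the header was not resident in the image; compare the reported last_written against the task's timeline before trusting anything else in the file.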