Using Volatility to analyze the RAM image and locate running processes only

Assignment 6.1: Locate Running Processes in the image of your RAM


Practice locating artifacts in the image of RAM. Use Magnet and Volatility to analyze RAM.


1. Download Magnet RAM Capture from here!
2. Use Magnet RAM Capture to create an image of your RAM.


3. Download and install Volatility from here! Make sure to get the Windows Standalone Version (preferably 2.6).
4. Your next step is using Volatility to analyze the RAM image and locate running processes only. You may find the how-to videos below helpful; however, real help is available in the book, so don't forget to check the chapter from The Art of Memory Forensics to learn and understand how Volatility works. Also keep in mind that you are running the standalone version, so your commands may vary from what is in the video. Please note that you can see a variety of artifacts using Volatility; however, for this assignment, you only need running processes. (Hint: which of Volatility's ps* plugins gives detailed information about processes?) Take screen captures of all your steps when running Volatility from your command shell and submit them for grading using the link below.
5. In my experience, some students tend to feel stranded on this assignment because they are not comfortable with the CLI. So please make yourself familiar with navigating between directories and running executable files from the command shell. If you don't know how to run an executable file from the command line, this assignment might take you longer, so don't wait until the due date. While I want you to work independently, I try to supervise these projects, and I see students bring specific questions to the discussion board (Help Me Forum). I don't provide direct answers, but I try to guide you with small hints.


This assignment is worth up to 50 points toward your final grade. It is more than simply following step-by-step directions; rather, it is a combination of related activities and reading toward a central objective: locating the running processes on your machine.

The tools you need to download are Magnet RAM Capture (to capture an image of your computer's memory) and Volatility Standalone 2.6 (to analyze the RAM image). It is fine to start with only a vague idea of how you will reach the final result; once you start, this week's reading materials, optional and required, will guide you further. As mentioned in the earlier paragraph, this assignment is more about the reading than performing the task.

Please note: the standalone version does not require a Python installation, even though some websites or videos say you need Python. If you prefer, you can follow the Python route instead: install Python 2.7 and the Volatility Python installer, and do it in a Windows 7 VM. Either way, you still need to run Volatility from the CLI.
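The steps above carried through as one PowerShell session, as an added example that is not the course's own script: it assumes the standalone executable sits in the current directory under its release file name (volatility_2.6_win64_standalone.exe), that the Magnet RAM Capture dump was saved as memdump.raw, and that Win7SP1x64 is only a placeholder profile to be replaced with whatever imageinfo suggests for your machine.

```powershell
# Added example (not the course's own script): drive the Volatility 2.6 Windows standalone
# build from PowerShell, keep the output of the process plugins for your screenshots, and
# cross-check pslist against psscan.
# Assumptions: exe in the current directory under its release name, dump saved as
# .\memdump.raw, and $Profile replaced with the profile imageinfo suggests for your image.
$Vol    = ".\volatility_2.6_win64_standalone.exe"   # use the win32 build on 32-bit Windows
$Image  = ".\memdump.raw"                            # assumed name of your Magnet capture
$OutDir = ".\vol-output"
New-Item -ItemType Directory -Force -Path $OutDir | Out-Null

# Step 1: let Volatility guess the OS profile. If imageinfo lists several candidates,
# kdbgscan shows which KDBG signature actually matches and how many processes it sees.
& $Vol -f $Image imageinfo | Tee-Object -FilePath "$OutDir\imageinfo.txt"
& $Vol -f $Image kdbgscan  | Tee-Object -FilePath "$OutDir\kdbgscan.txt"

# Step 2: pick the suggested profile (placeholder value; replace with yours).
$Profile = "Win7SP1x64"

# Step 3: run the three process plugins and keep each result in its own file.
#   pslist - walks the kernel's doubly linked list of active processes (what the assignment asks for)
#   pstree - the same data shown as a parent/child tree built from the PPID column
#   psscan - carves _EPROCESS structures from physical memory, so it also returns
#            processes that have exited or were unlinked from the active list
foreach ($plugin in "pslist", "pstree", "psscan") {
    $outFile = Join-Path $OutDir "$plugin.txt"
    & $Vol -f $Image --profile=$Profile $plugin --output-file=$outFile
}

# Step 4: a process that psscan finds but pslist does not has either exited (check the
# Exit / Time exited column) or was unlinked from the active list; both deserve a look.
function Get-PidsFromPlugin {
    param([string]$Path)
    # Data rows start with the 0x... offset, followed by the name, PID and PPID columns.
    Get-Content $Path | ForEach-Object {
        if ($_ -match '^0x[0-9a-fA-F]+\s+(.+?)\s+(\d+)\s+(\d+)\s') {
            [pscustomobject]@{ Name = $Matches[1]; Pid = [int]$Matches[2] }
        }
    }
}
$listed     = Get-PidsFromPlugin (Join-Path $OutDir "pslist.txt")
$scanned    = Get-PidsFromPlugin (Join-Path $OutDir "psscan.txt")
$onlyInScan = $scanned | Where-Object { $_.Pid -notin $listed.Pid }
"Processes seen by psscan but not by pslist:"
$onlyInScan | Format-Table Name, Pid
```

pslist alone answers the assignment; the psscan cross-check is the extra step an examiner takes because pslist cannot see a process that has been unlinked from the active process list. The standalone exe accepts the same plugins and flags as the Python version, so the commands in the videos differ only in what you type in place of "python vol.py".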

