
Memory Forensics with Volatility 3 Lab

This document outlines Lab 11 for the CS-481 Computer Forensics course at NUST, focusing on memory forensics using Volatility 3. Students are required to install necessary software and complete various tasks related to analyzing memory images, including extracting browser history and password hashes. Deliverables must be submitted on LMS with proper identification before the deadline.

National University of Sciences & Technology (NUST)

School of Electrical Engineering and Computer Science (SEECS)

Faculty of Computing

CS-481: Computer Forensics

Department of Software Engineering

Class: BESE-12 AB

Lab 11: Introduction to Memory Forensics with Volatility 3

| CLO | PLO (SE) | BT-Level |
|---|---|---|
| CLO 2: Apply forensics procedures for case investigations. | PLO-4: Investigation | C-3: Applying |
| CLO 3: Demonstrate various forensics methods and techniques through modern tools to investigate contents of various electronic devices. | PLO-5: Modern Tool Usage | P-3: Guided Response |

Date: 21-04-2025

Time: 2:00 pm - 2:50 pm, 3:00 pm - 3:50 pm, 4:00 pm - 4:50 pm

Lab 11:

Introduction
This lab introduces students to using Volatility for digital investigation.

Objectives
The main objective of this lab is:
1. Learn memory forensics using Volatility.

Tools/Software Requirements
● Volatility, PowerShell, and HexD

Description
Students are required to complete the tasks in this ‘Introduction to Memory Forensics with Volatility 3’ [Link] v=Uk3DEgY5Ue8

For background information about memory analysis, please watch [Link]

Read the lab tasks carefully and complete them.

Deliverable:
Students are required to complete all tasks and upload a single
document with adequate evidence on LMS before the deadline.
Make sure your name, Qalam ID, and date are included on every
page of the document.

Task A: Install Volatility 3

1. Follow the steps in the video [Link] to install Volatility. Correct installation requires:
   a. Python: [Link] (get version >3)
   b. Git for Windows: [Link]
   c. Microsoft C++ Build Tools: [Link] build-tools/
   d. Python Snappy: [Link]
   e. Volatility 3: [Link]
2. Make sure you get the correct output for the python [Link] -v command before proceeding further.

Task A: Analyse image of memory using Volatility 3

1. Download the memory image file ([Link] s/Africa-DFIRCTF-2021-WK02/20210430-Win10Home-20H2-64bit-[Link].7z) from [Link] DFIRCTF-2021-WK02. Run the [Link] module and search for anything related to the Chrome browser. Take a screenshot that shows the command you used and information obtained about the parent Chrome process.

2. Find any files with the word ‘history’ that are used by this parent Chrome process. Take a screenshot that shows the command you used and the information you obtained.

3. Carve the file that contains John Doe’s Chrome browsing history. Open it in Windows Explorer and take a screenshot. Make sure the size and the date modified are clearly visible.

4. Find out the hash value of John Doe’s password. Take a screenshot that shows the command you used and the information you obtained.

5. Was Microsoft Edge ever used on this system? If so, for roughly how long? Take a screenshot that shows the command you used and the information you obtained.

6. Carve out John Doe’s [Link] file and open it in HexD. Take a screenshot that shows:
   a. the command you used,
   b. the [Link] file in Windows Explorer,
   c. the registry file header of the [Link] file in HexD.
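
To help read the registry file header that step 6 asks you to display, the following added example (not part of the original lab handout) decodes the 512-byte header of a Windows registry hive and checks its signature, sequence numbers and checksum. It assumes the standard `regf` header layout; the function names are hypothetical and the sample header is constructed for the demo, not taken from the lab image.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def xor32(base_block: bytes) -> int:
    """Header checksum: XOR of the first 508 bytes read as little-endian dwords."""
    csum = 0
    for (dword,) in struct.iter_unpack("<I", base_block[:508]):
        csum ^= dword
    if csum == 0xFFFFFFFF:  # the format remaps two reserved results
        return 0xFFFFFFFE
    return csum or 1

def parse_regf_header(data: bytes) -> dict:
    """Decode the header fields a hex editor shows at offset 0 of a hive file."""
    if len(data) < 512:
        raise ValueError("need at least the first 512 bytes of the file")
    if data[:4] != b"regf":
        raise ValueError(f"not a registry hive, signature is {data[:4]!r}")
    (seq1, seq2, filetime, major, minor, _type, _fmt,
     root_off, bins_size) = struct.unpack_from("<IIQIIIIII", data, 4)
    (stored,) = struct.unpack_from("<I", data, 508)
    name = data[0x30:0x70].decode("utf-16-le", errors="replace").split("\x00")[0]
    return {
        "last_written_utc": FILETIME_EPOCH + timedelta(microseconds=filetime // 10),
        "version": (major, minor),
        "root_cell_offset": root_off,
        "hive_bins_size": bins_size,
        "embedded_name": name,
        # Differing sequence numbers mean the hive was not cleanly flushed ("dirty").
        "clean": seq1 == seq2,
        "checksum_ok": stored == xor32(data),
    }

def build_sample_header() -> bytes:
    """Constructed header for the demo; the values are not from the lab image."""
    written = datetime(2020, 1, 2, 3, 4, 5, tzinfo=timezone.utc)
    filetime = (written - FILETIME_EPOCH) // timedelta(microseconds=1) * 10
    block = bytearray(512)
    struct.pack_into("<4sIIQIIIIII", block, 0,
                     b"regf", 7, 6, filetime, 1, 5, 0, 1, 0x20, 0x1000)
    name = "sample.hiv".encode("utf-16-le")
    block[0x30:0x30 + len(name)] = name
    struct.pack_into("<I", block, 508, xor32(bytes(block)))
    return bytes(block)

if __name__ == "__main__":
    for field, value in parse_regf_header(build_sample_header()).items():
        print(f"{field:18} {value}")
```

To check a carved file, pass its first 512 bytes to `parse_regf_header`; a failed signature or checksum test suggests the carve is incomplete or the file is not a hive.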
