Rodríguez, Ricardo J.
Toward Structured Memory Forensics: A MITRE ATT&CK-Aligned Workflow for Malware Investigation Proceedings Article
In: Proceedings of the 16th EAI International Conference on Digital Forensics & Cyber Crime (ICDF2C 2025), Springer, 2025, (Accepted for publication. To appear.).
Abstract | Links | BibTeX | Tags: digital forensics, indicators of compromise, Malware Analysis, memory forensics, methodology
@inproceedings{Rodriguez2025,
title = {Toward Structured Memory Forensics: A MITRE ATT&CK-Aligned Workflow for Malware Investigation},
author = {Ricardo J. Rodríguez},
url = {https://webdiis.unizar.es/~ricardo/files/papers/Rodriguez-ICDF2C-25.pdf},
year = {2025},
date = {2025-01-01},
booktitle = {Proceedings of the 16th EAI International Conference on Digital Forensics & Cyber Crime (ICDF2C 2025)},
publisher = {Springer},
series = {Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering},
abstract = {Memory forensics is emerging as an essential technique for detecting malware-related volatile indicators of compromise (IoCs) that traditional disk analysis may miss. However, the lack of standardized best practices for analyzing memory-resident malware evidence continues to limit the effectiveness and reproducibility of forensic investigations. In this work, we propose a structured five-phase workflow that formalizes best practices for the extraction and analysis of malware-related IoCs, from initial evidence preservation to binary program investigation. Our methodology is explicitly aligned with the MITRE ATT&CK framework, allowing analysts to correlate volatile memory artifacts with known adversarial tactics and techniques. Additionally, we examine technical challenges (such as paging, on-demand paging, memory inconsistencies, and runtime binary transformations) that threaten the integrity and reliability of memory evidence. We further propose practical recommendations and outline future research directions for addressing these challenges, with the goal of improving the reliability, consistency, and forensic robustness of memory-based malware analysis.},
note = {Accepted for publication. To appear.},
keywords = {digital forensics, indicators of compromise, Malware Analysis, memory forensics, methodology},
pubstate = {published},
tppubtype = {inproceedings}
}
Memory forensics is emerging as an essential technique for detecting malware-related volatile indicators of compromise (IoCs) that traditional disk analysis may miss. However, the lack of standardized best practices for analyzing memory-resident malware evidence continues to limit the effectiveness and reproducibility of forensic investigations. In this work, we propose a structured five-phase workflow that formalizes best practices for the extraction and analysis of malware-related IoCs, from initial evidence preservation to binary program investigation. Our methodology is explicitly aligned with the MITRE ATT&CK framework, allowing analysts to correlate volatile memory artifacts with known adversarial tactics and techniques. Additionally, we examine technical challenges (such as paging, on-demand paging, memory inconsistencies, and runtime binary transformations) that threaten the integrity and reliability of memory evidence. We further propose practical recommendations and outline future research directions for addressing these challenges, with the goal of improving the reliability, consistency, and forensic robustness of memory-based malware analysis.