Abstract
Memory forensics is a critical pillar of modern cybersecurity investigations, especially when dealing with advanced threats such as kernel-level rootkits, fileless malware, and stealthy in-memory persistence techniques. However, analyzing raw memory dumps—whether from Linux or Windows systems—remains a complex and time-consuming task, requiring deep technical expertise and manual correlation across multiple artifacts.
In this session, we present a practical and scalable framework that combines the forensic power of Volatility 3 with Retrieval-Augmented Generation (RAG) to streamline memory analysis and accelerate threat detection across both Linux and Windows platforms while reducing LLM hallucinations. Our approach uses Volatility 3 to extract structured artifacts from memory images, such as process hierarchies, memory regions, and network connections. These artifacts are enriched with contextual threat intelligence, behavioral annotations, and indicators of compromise (IOCs). By embedding the enriched artifacts into a searchable vector store, we enable a RAG-powered pipeline in which a large language model retrieves relevant forensic patterns and generates clear, actionable insights, without requiring model retraining.
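As an added illustration of the pipeline the abstract describes (example code, not the authors' framework): parse Volatility 3 `windows.pslist` rows in the shape of its JSON renderer output, attach a behavioral annotation to a parent/child process pair, and retrieve the best-matching artifact for an analyst question. A bag-of-words cosine similarity stands in for a real embedding model, and the process rows and annotation table are constructed, not taken from a real image.

```python
import json
import math
import re
from collections import Counter

# Constructed sample shaped like `vol -r json windows.pslist` output
# (four rows; not from a real memory image).
PSLIST_JSON = json.dumps([
    {"PID": 4, "PPID": 0, "ImageFileName": "System", "CreateTime": "2024-01-01T09:00:00"},
    {"PID": 812, "PPID": 4, "ImageFileName": "explorer.exe", "CreateTime": "2024-01-01T09:01:00"},
    {"PID": 2210, "PPID": 812, "ImageFileName": "winword.exe", "CreateTime": "2024-01-01T10:12:00"},
    {"PID": 2388, "PPID": 2210, "ImageFileName": "powershell.exe", "CreateTime": "2024-01-01T10:13:05"},
])

# Constructed behavioral annotations keyed by (parent image, child image).
ANNOTATIONS = {
    ("winword.exe", "powershell.exe"): "office-spawned-shell: pattern seen in macro and fileless execution",
}

def enrich(pslist_json):
    """Turn raw pslist rows into enriched artifact documents, one per process."""
    rows = json.loads(pslist_json)
    by_pid = {r["PID"]: r for r in rows}
    docs = []
    for r in rows:
        parent = by_pid.get(r["PPID"], {}).get("ImageFileName", "unknown")
        text = f"process {r['ImageFileName']} pid {r['PID']} parent {parent} ppid {r['PPID']} created {r['CreateTime']}"
        note = ANNOTATIONS.get((parent, r["ImageFileName"]))
        if note:
            text += f" annotation {note}"  # enrichment step from the abstract
        docs.append(text)
    return docs

def _vec(text):
    # Token-frequency vector; a real pipeline would use an embedding model here.
    return Counter(re.findall(r"[a-z0-9.\-]+", text.lower()))

def _cosine(a, b):
    dot = sum(a[t] * b[t] for t in a if t in b)
    norm = math.sqrt(sum(v * v for v in a.values())) * math.sqrt(sum(v * v for v in b.values()))
    return dot / norm if norm else 0.0

def retrieve(docs, query, k=2):
    """Return the k artifact documents most similar to the query (the RAG retrieval step)."""
    q = _vec(query)
    return sorted(docs, key=lambda d: _cosine(q, _vec(d)), reverse=True)[:k]
```

The retrieved documents are what would be placed in the LLM prompt as grounding context, so the model answers from extracted artifacts rather than from memory.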