Concepedia

Publication | Closed Access

VolMemLyzer: Volatile Memory Analyzer for Malware Classification using Feature Engineering

Citations: 33

References: 23

Year: 2021

Abstract

Memory forensics is a fundamental step that inspects malicious activities during live malware infection. Memory analysis not only captures malware footprints but also collects several essential features that may be used to extract hidden original code from obfuscated malware. There have been significant efforts to analyze volatile memory using several tools and approaches. These approaches fetch relevant information from the kernel and user space of the operating system to investigate running malware. However, the fetching process can be accelerated if the most dominant features required for malware classification are readily available. This paper introduces VolMemLyzer, a Python-based tool developed to extract the most critical characterization feature set from memory dumps taken during live malware infection. It extracts the thirty-six most essential features and ranks them to classify malware. The tool is tested with a dataset of 1900 benign and malware samples and achieves a high true positive rate for binary and multi-class malware classification.
