<aside> 💡
TOPIC: Automated Memory Forensics Pipeline for Real-Time Malware Response Using Machine Learning and SOAR Techniques
NAME: Okore Joel Chidike
INSTRUCTOR: Saltanov Kirill
GROUP: M24-SNE-01
The full source code, dataset sample, model training notebook and experiment scripts for this project are available at:
https://github.com/Joellots/CCF-Project
Video Demo:
</aside>
This project presents the design and implementation of an automated memory forensics pipeline that integrates the open-source SIEM tool Wazuh with memory acquisition and analysis utilities such as WinPMEM and Volatility. The primary objective is to detect and respond to potential malware infections in real time by automating the memory dump and analysis process when suspicious behavior is identified on an endpoint.
Using the well-known WannaCry ransomware as a case study, the project simulates a real-world malware execution scenario on a Windows 10 virtual machine monitored by a Wazuh agent. Custom detection rules and active response scripts were developed to trigger a memory dump using WinPMEM when behavioral indicators—such as PowerShell-based payload downloads or the execution of unsigned binaries—were observed. The pipeline automatically captures system memory, extracts key forensic artifacts using Volatility plugins, and generates structured logs for further triage and investigation.
This work demonstrates how combining behavioral threat detection with automated memory forensics can improve response time and reduce analyst workload in incident handling. Additionally, it builds on prior sandbox analysis of WannaCry performed during the course, enhancing both the contextual understanding and technical depth of the investigation. The solution lays the groundwork for future extensions such as automated classification, integration with the ELK stack, or machine learning–based threat prioritization.
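The trigger-to-triage flow described above, as an added example that is not code from the CCF-Project repository: a Wazuh active-response handler in Python that reads the triggering alert, acquires memory with WinPMEM, runs three Volatility 3 plugins with the JSON renderer, and writes one structured triage record beside the dump. The rule ids 100100/100101, the tool paths, the plugin list and the stdin JSON layout are assumptions for illustration; the `RecordingRunner` stand-in lets the wiring be exercised without the tools installed.

```python
"""Added example (not the project's own code): a Wazuh active-response handler that
dumps memory with WinPMEM and triages the dump with Volatility 3.
Assumptions not taken from the report: the two rule ids, the tool paths, the plugin
list, and the Wazuh 4.x convention of passing the triggering alert as JSON on stdin."""
import json
import os
import subprocess
import sys
from datetime import datetime, timezone
from typing import Optional

# Hypothetical custom rule ids mapped to the behavioural indicators named in the report.
TRIGGER_RULE_IDS = {"100100": "powershell_payload_download",
                    "100101": "unsigned_binary_execution"}
WINPMEM_EXE = r"C:\forensics\winpmem_mini_x64_rc2.exe"      # assumed install path
VOLATILITY = ["python", r"C:\forensics\volatility3\vol.py"]  # assumed install path
DUMP_DIR = r"C:\forensics\dumps"
PLUGINS = ["windows.pslist", "windows.netscan", "windows.malfind"]


def parse_alert(raw: str) -> dict:
    """Pull the fields the pipeline needs out of the JSON Wazuh writes to stdin.
    Wazuh 4.x wraps it as {"command": "add"|"delete", "parameters": {"alert": {...}}};
    a bare alert object is accepted too so alerts.json lines can be replayed."""
    msg = json.loads(raw)
    alert = msg.get("parameters", {}).get("alert", msg)
    rule = alert.get("rule", {})
    return {"command": msg.get("command", "add"),
            "rule_id": str(rule.get("id", "")),
            "description": rule.get("description", ""),
            "agent": alert.get("agent", {}).get("name", "unknown-agent"),
            "full_log": alert.get("full_log", "")}


def should_dump(alert: dict) -> bool:
    """Only an 'add' command for a trigger rule starts an acquisition; 'delete' is a no-op."""
    return alert["command"] == "add" and alert["rule_id"] in TRIGGER_RULE_IDS


def dump_path(alert: dict, when: datetime, dump_dir: str = DUMP_DIR) -> str:
    """Agent name + rule id + UTC timestamp keeps concurrent dumps from colliding."""
    agent = "".join(c if c.isalnum() or c in "-_" else "_" for c in alert["agent"])
    return os.path.join(dump_dir, f"{agent}_{alert['rule_id']}_{when:%Y%m%dT%H%M%SZ}.raw")


def winpmem_cmd(path: str) -> list:
    return [WINPMEM_EXE, path]  # winpmem_mini takes the output file as its only argument


def volatility_cmd(path: str, plugin: str) -> list:
    return VOLATILITY + ["-r", "json", "-f", path, plugin]  # -r json: machine-readable rows


def parse_volatility_json(output: str) -> list:
    """vol.py -r json prints a JSON array of row objects; anything else counts as no findings."""
    try:
        rows = json.loads(output)
    except json.JSONDecodeError:
        return []
    return rows if isinstance(rows, list) else []


def build_record(alert: dict, path: str, findings: dict, when: datetime) -> dict:
    """One structured triage record per dump, ready for a log that Wazuh or ELK can ingest."""
    return {"timestamp": when.isoformat(), "agent": alert["agent"],
            "trigger": TRIGGER_RULE_IDS.get(alert["rule_id"], "unknown"),
            "rule_id": alert["rule_id"], "dump": path,
            "process_count": len(findings.get("windows.pslist", [])),
            "network_entries": len(findings.get("windows.netscan", [])),
            "malfind_hits": len(findings.get("windows.malfind", [])),
            "plugins": findings}


class RecordingRunner:
    """Stand-in for subprocess.run: records commands, returns canned stdout keyed by plugin name."""
    def __init__(self, outputs: Optional[dict] = None):
        self.commands, self.outputs = [], outputs or {}

    def __call__(self, cmd, **kwargs):
        self.commands.append(cmd)
        return subprocess.CompletedProcess(cmd, 0, stdout=self.outputs.get(cmd[-1], ""), stderr="")


def handle(raw_alert: str, now: Optional[datetime] = None, dump_dir: str = DUMP_DIR,
           runner=subprocess.run) -> Optional[dict]:
    """Acquire memory for a triggering alert, run the plugins, write the triage record beside the dump."""
    alert = parse_alert(raw_alert)
    if not should_dump(alert):
        return None
    now = now or datetime.now(timezone.utc)
    path = dump_path(alert, now, dump_dir)
    os.makedirs(dump_dir, exist_ok=True)
    runner(winpmem_cmd(path), check=True)  # acquisition first: every second loses volatile evidence
    findings = {}
    for plugin in PLUGINS:  # a failing plugin yields [] instead of aborting the remaining ones
        proc = runner(volatility_cmd(path, plugin), capture_output=True, text=True)
        findings[plugin] = parse_volatility_json(proc.stdout) if proc.returncode == 0 else []
    record = build_record(alert, path, findings, now)
    with open(path + ".triage.json", "w", encoding="utf-8") as fh:
        json.dump(record, fh, indent=2)
    return record


if __name__ == "__main__":
    # Wazuh hands the alert on stdin; printing the record also lands it in active-responses.log.
    print(json.dumps(handle(sys.stdin.read())))
```

On the manager this script is wired up as a `<command>` plus an `<active-response>` entry in ossec.conf bound to the two custom rule ids and the Windows agent; acquisition runs before any analysis so that a slow or failing Volatility plugin never delays the capture of volatile evidence.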
Digital forensics plays a critical role in modern cybersecurity operations, particularly in the investigation of security incidents involving malware. Memory forensics, a subfield of digital forensics, focuses on the analysis of volatile data in a system's RAM to uncover evidence of malicious activity that may not leave traces on disk. This approach is especially effective for detecting fileless malware, rootkits, and other sophisticated threats that evade traditional detection mechanisms.
This project explores the automation of memory forensics by integrating real-time detection capabilities from Wazuh with memory acquisition and analysis tools. The goal is to reduce the time between detection and investigation, enabling immediate forensic capture and preliminary analysis upon identifying suspicious behavior.
The project builds upon foundational concepts introduced throughout the course, including artifact analysis, memory dumping, and Volatility-based investigation. A real-world malware sample—WannaCry ransomware—was used to simulate a realistic infection scenario. The system was tested end-to-end, from triggering memory dumps using active response scripts in Wazuh, to analyzing the resulting dumps with Volatility to identify indicators of compromise.
By automating key steps in the forensic process, this project provides a proof of concept for faster, scalable incident response workflows in enterprise environments.
Traditional digital forensics workflows often involve manual steps that can delay incident response. In the case of volatile memory analysis, delays in acquiring memory after malware execution may result in the loss of critical evidence. Additionally, security analysts often rely on external alerts or post-incident reviews before initiating forensic capture, making the process reactive rather than proactive.
There is a need for an automated system that can perform memory acquisition and initiate forensic analysis the moment suspicious behavior is detected. Such a system would bridge the gap between detection and investigation, preserving volatile evidence before it is lost and reducing analyst workload through automation.