
Mounting memory with MemProcFS for advanced memory forensics

ID: db9770c9-9726-572b-9df6-ecda950829de

STIX ID: report--db9770c9-9726-572b-9df6-ecda950829de

Feed Name: Pen Test Partners Blog

Date Published: 2024-10-31

Date Updated: 2026-03-24

Author: Luke Davis

This report is a practical memory forensics write-up demonstrating how MemProcFS, alongside Volatility 2/3, can mount and analyze Windows RAM as a file system to uncover artifacts such as processes, handles, registry hives, and timelines. In a lab scenario, the author identifies suspicious Excel activity and a network connection to 185.141.63.120 (associated with the Conti ransomware), providing concrete IOCs (including a file hash) and showcasing workflows like netstat parsing, parent/child PID tracing, and automated timeline generation via MemProcFS’s forensic mode.