AI-Assisted Semantic Reconstruction of Process Behavior from Memory Dumps

Mohammed Al-Saleh, Akram Alkouz, Abdulsalam Alarabeyyat

Research Article. This is a preprint; it has not been peer reviewed by a journal. https://doi.org/10.21203/rs.3.rs-8554256/v1. This work is licensed under a CC BY 4.0 License. Status: Under Review. Version 1 posted 11.

Abstract

Understanding process behavior from volatile memory dumps remains a significant challenge in digital forensics and malware analysis. Existing memory forensics tools primarily expose low-level artifacts, requiring extensive manual analysis to translate them into meaningful behavioral understanding. In this paper, we present a five-phase AI-assisted framework for the semantic reconstruction of process behavior from memory dumps. The framework leverages Volatility 3 plugins to collect system-wide and per-process artifacts, which are correlated into coherent process profiles.
To enrich these profiles, the framework incorporates a natural language processing (NLP) pipeline that filters memory-resident strings to preserve forensic relevance. Large language model (LLM)–based AI agents, such as ChatGPT and Gemini, subsequently perform semantic reasoning over these profiles to produce higher-level interpretations of process behavior. We evaluate the framework through controlled experiments using synthetic processes simulating both normal and suspicious activities. The experimental analysis illustrates how AI-assisted reasoning can assist investigators in deriving actionable forensic insights, demonstrating the potential of this approach to enhance memory forensics and malware analysis.

Keywords: Memory forensics; process behavior analysis; semantic reconstruction; digital forensics; volatile memory analysis; Volatility 3; artificial intelligence; large language models; AI-assisted forensics; malware analysis; behavioral inference; process profiling

Figures: Figure 1; Figure 2

1 Introduction

In digital forensics and cybersecurity investigations, understanding the behavior of processes captured in memory dumps remains a key challenge. A memory dump offers a complete snapshot of the system state at a specific point in time, including artifacts such as active processes, open handles, loaded modules, and network connections. When disk artifacts are unavailable or have been tampered with, memory analysis becomes even more critical. However, despite the richness of this data, memory dumps are inherently raw and low-level, making direct interpretation difficult. Analysts are often required to manually connect artifacts from multiple layers of abstraction to determine what a process was doing and why. This becomes even more challenging when examining suspicious or unfamiliar binaries, where surface-level indicators may fail to expose deeper behavioral patterns.
There is therefore a clear need for frameworks that can not only extract and organize memory-resident data, but also present it in a way that makes process behavior semantically clear and operationally useful. Established memory forensics frameworks such as Volatility and Rekall have proven essential for retrieving raw artifacts from memory images, yet they primarily operate at a structural level—reporting what exists without explaining its purpose. These tools can list processes, DLLs, open files, and network connections, but they leave the task of behavioral interpretation entirely to the analyst. Correlating results from multiple plugins and outputs across different files is time-consuming, error-prone, and difficult to scale in time-sensitive or large investigations. Furthermore, most traditional tools are rule- or signature-based, limiting their ability to detect novel or obfuscated activity. For example, identifying that a process injected code into another is possible, but understanding whether this indicates persistence, credential theft, or anti-debugging requires human reasoning. In effect, current practices emphasize data extraction over interpretation, leaving a gap in semantic and contextual analysis.

Advances in large language models (LLMs) and AI agents present a promising opportunity to close this gap. Unlike deterministic tools that rely on predefined rules, AI systems such as ChatGPT and Gemini can process structured forensic data, interpret natural language, and reason over context-rich information. When provided with detailed process profiles—covering hierarchies, loaded modules, file and network activity, and meaningful strings—AI can infer roles, actions, and intent in ways that emulate expert reasoning. For example, a process that creates a scheduled task, writes a DLL to disk, and invokes regsvr32.exe could be recognized as establishing persistence.
Insights like these are traditionally buried in raw data and require time-intensive manual analysis; AI enables this reasoning to be more scalable, consistent, and explainable.

To address these limitations and make use of AI’s capabilities, we propose a five-phase framework for semantic reconstruction of process behavior from memory dumps. Built on top of Volatility 3, the framework systematically extracts, organizes, correlates, and interprets artifacts. In Phase 1, system-wide context is collected through selected Volatility 3 plugins, capturing elements such as active handles, open sockets, running services, and loaded kernel modules. Phase 2 focuses on individual processes of interest, using targeted plugins (e.g., cmdline, envars, vadinfo, malfind) to compile detailed per-process data. Results from these first two phases are stored in a unified SQLite database. Phase 3 applies a correlation engine to merge global and process-level views into cohesive profiles. Phase 4 enriches each profile with strings extracted from private process memory, filtering them through a custom NLP-based model to remove noise and preserve meaningful English substrings. Finally, in Phase 5, the enriched profiles are provided to AI agents, which interpret the combined evidence to identify potential behaviors such as “network beaconing,” “file encryption,” or “credential scraping.” The modular nature of the framework allows it to be adapted to different investigative contexts, while the AI integration enables scalable, intelligent triage.

The rest of this paper is organized as follows: Section 2 defines the investigation model. Section 3 describes the experimental setup. Section 4 presents the experimental results. Section 5 discusses implications, limitations, and future directions. Section 6 reviews related work in memory forensics and AI-assisted analysis. Finally, Section 7 concludes the paper.
2 Investigation Model

Digital forensic investigations often begin with limited visibility into the state of a compromised system. In particular, memory dumps provide a valuable yet complex snapshot of volatile system activity, capturing both legitimate and potentially malicious processes in execution. However, these raw dumps offer little semantic clarity without considerable post-processing and expert interpretation.

We consider a post-incident investigation scenario where the only evidence available is a full memory snapshot of a suspect Windows system. The investigator does not have access to the source code, logs, or any prior behavioral traces of the running applications. The primary objective is to understand the high-level behavior and intent of key processes that were running at the time of the memory capture. Specifically, the investigator seeks to answer questions such as:

Was this process exfiltrating data or collecting credentials?
Did it interact with the file system in suspicious ways?
Was it part of lateral movement or persistent activity?

Traditional memory forensics tools like Volatility 3 offer powerful means to extract low-level artifacts (e.g., open files, loaded DLLs, handles, environment variables). However, interpreting these artifacts into coherent behavioral narratives still requires significant human effort and expertise. Moreover, artifacts are often fragmented and noisy, making semantic interpretation a non-trivial task.

Our investigation model is depicted in Figure 1. It outlines a sequential approach for investigating process behavior from memory dumps, incorporating AI-assisted semantic reconstruction. The model consists of the following steps:

Start Investigation: The forensic process begins with identifying a suspicious or compromised system that requires analysis. At this stage, the investigator prepares tools and defines the scope of what to extract and analyze.
Acquire Memory Dump: Using memory acquisition tools (e.g., DumpIt or FTK Imager), the investigator captures a snapshot of the system’s RAM while the machine is running. This step is critical, as volatile memory contains transient information such as running processes, network connections, in-memory credentials, and system state that would otherwise be lost after shutdown.

Create List of All Processes: Once the memory dump is acquired, a preliminary analysis enumerates all running processes present in the memory image. This provides an overview of active executables.

Build Comprehensive Process Profile: After initial inspection, the investigator identifies suspicious or noteworthy processes based on indicators such as unusual names, parent-child relationships, or anomalous behavior. A detailed profile is then constructed for each selected process by extracting and correlating all relevant forensic artifacts. This includes memory structures, handles, loaded modules, privileges, timeline events, and strings, forming a rich and holistic view of the process’s behavior and interactions.

Feed Process Profile to AI: The process profile is fed as input to an advanced AI agent (e.g., ChatGPT) with an appropriate prompt. This enables the AI to generate a high-level semantic interpretation of the process behavior.

AI Produces Process Semantic Interpretation: The AI analyzes the comprehensive profile to infer high-level semantic insights about the process’s behavior. Instead of simply listing artifacts, the AI attempts to understand the intent and actions, such as “credential handling,” “data exfiltration,” “persistence mechanism,” or “network communication,” providing a meaningful narrative of the process’s activities.
End Investigation / Further Analysis: The semantic interpretation provided by the AI assists the digital investigator in understanding complex behaviors, accelerating the investigation, and potentially identifying malicious activities that might otherwise be missed or require extensive manual correlation. This can lead to concluding the investigation or initiating further, more targeted analysis based on the AI’s findings.

3 Experimental Setup

3.1 Virtual Environment

All experiments were conducted within a controlled virtual environment to ensure reproducibility and isolation from external influences. Oracle VirtualBox was used to host a guest operating system configured as a typical Windows 11 workstation. The virtual machine was provisioned with the following specifications:

Operating System: Windows 11 (64-bit)
RAM: 4 GB
CPU: Dual-core virtual processor
Disk: 40 GB dynamically allocated virtual hard disk

This setup allowed the creation and execution of custom programs simulating realistic system activity, followed by acquisition of full memory snapshots for forensic analysis.

3.2 Design of Test Programs

To simulate diverse and realistic process behaviors, six custom C++ programs were developed for Windows. Each program was designed to emulate specific categories of benign or potentially suspicious system activities. The programs were compiled using Visual Studio Code with the MSVC toolchain and executed within the controlled Windows 11 virtual machine. Each program was constructed to run for an extended duration, ensuring it remained active in memory during RAM acquisition. This was achieved by inserting explicit sleep statements near the end of the execution flow. The six programs and their behaviors are summarized as follows:

creds_collector.exe: Mimics credential harvesting by scanning environment variables and file paths for known sensitive patterns (e.g., keywords such as “password” or “token”).
Matching files are copied to a temporary location, simulating the collection of authentication artifacts during post-exploitation.

data_encoder.exe: Simulates data staging for exfiltration by reading local files, applying a Base64-style encoding to their contents, and writing the encoded data to new output files. No encryption or obfuscation beyond simple encoding is applied.

file_writer.exe: Emulates periodic logging or beaconing by continuously writing timestamped entries to a log file. This simulates programs that track local activity, generate status updates, or leave audit trails.

log_parser.exe: Acts as a local log analysis tool by reading application logs, searching for lines matching specific patterns (e.g., error or warning keywords), and writing filtered results to a summary file, simulating diagnostics or security log triage.

network_simulator.exe: Mimics a network monitoring or generation tool by generating in-memory packet-like structures, serializing them to disk, and repeating this process without actual network communication. This simulates packet crafting or network telemetry logging behavior.

file_encryptor_simulator.exe: Emulates ransomware behavior by recursively scanning files in a target directory, Base64-encoding their contents, and writing them to new files with altered filenames. While no real encryption occurs, the program simulates the file-renaming and transformation patterns typical of ransomware operations.

3.3 Program Execution and Memory Acquisition

After developing the six custom programs, they were compiled into Windows executables and executed within the virtualized test environment. Each executable was stored in a dedicated directory and executed in parallel during the experiment, providing a variety of observable behaviors in memory. Memory acquisition was performed using DumpIt, a lightweight, single-executable memory capture utility developed by Comae Technologies.
DumpIt is specifically designed for live forensic response scenarios and is known for its minimal footprint on the target system. The tool combines driver and user-space components to perform full physical memory dumps without requiring installation or leaving persistent traces. Its streamlined execution makes it suitable for volatile evidence collection while minimizing the risk of contaminating memory content or altering process states. DumpIt was executed from within the virtual machine. To facilitate data transfer, DumpIt, the resulting memory dump, and the six test programs were placed in a pre-configured shared folder between the VM and the host operating system. This setup enabled seamless transfer of the captured memory image to the host system for further processing and analysis. The memory dump served as the central artifact for all subsequent phases of this research.

3.4 Multi-Phase Memory Analysis Framework

An overview of the five-phase memory analysis framework is illustrated in Fig. 2.

3.4.1 Phase 1 (System-Wide Context Extraction)

The first phase of our framework focuses on collecting a comprehensive system-wide context from the captured memory image. This context provides foundational visibility into the operating system’s global state at the time of memory acquisition and includes details about active modules, kernel structures, services, handles, network artifacts, and more. By establishing this baseline, subsequent phases can link process-specific activities with broader system artifacts. We utilize Volatility 3, a state-of-the-art open-source memory forensics framework, to extract this contextual information. Volatility 3 offers a rich set of plugins, each capable of parsing specific structures or subsystems in the memory image. In this phase, we select plugins that produce high-value artifacts relevant for semantic correlation. Examples include:

windows.pslist – Lists active processes with metadata such as PID and start time.
windows.modules – Displays loaded kernel modules and drivers.
windows.svcscan – Extracts information about installed and running services.
windows.handles – Lists open handles across the system.
windows.sessions – Shows details about active user sessions.
windows.netstat – Active TCP/UDP sockets.
windows.netscan – Scanned network artifacts, including hidden sockets.
timeliner – Compiles time-related artifacts from multiple sources.

Each plugin’s output is parsed and stored in a dedicated table within a structured SQLite 3 database. This organization promotes efficient querying and lays the groundwork for cross-phase correlation. By adopting a relational schema, the system maintains meaningful links between artifacts, supports complex queries, and scales effectively to accommodate multiple processes. For example, a network socket observed in the global handle table may later be attributed to a specific process in Phase 2, enabling analysts or AI agents to draw high-level inferences about network-related behavior.

3.4.2 Phase 2 (Process-Level Profiling)

While Phase 1 focuses on global system structures, Phase 2 narrows the scope to extract process-specific information for a predefined set of target processes. Processes are identified based on their image names and process identifiers (PIDs) recovered during Phase 1. In this phase, Volatility 3’s process-aware plugins are used to construct detailed profiles for each target process. Each plugin is executed independently for each PID of interest, and the output is stored in per-process tables within the same SQLite 3 database used in Phase 1. This ensures all data across phases remains accessible in a unified format. The following plugins were employed in this phase to extract per-process artifacts:

windows.cmdline – Captures the full command-line string used to launch the process.
windows.envars – Retrieves the process’s environment variables, which may indicate system context or runtime configuration.
windows.privileges – Lists active security privileges, helping assess the process’s level of access.
windows.handles – Displays handles opened by the process, including references to files, registry keys, or synchronization objects.
windows.dlllist – Enumerates dynamically loaded DLLs, revealing runtime dependencies and functionality.
windows.ldrmodules – Shows modules loaded through the loader, with flags indicating mapping or initialization status.
windows.vadinfo – Lists memory regions allocated by the process, including access rights and backing files.
windows.malfind – Identifies suspicious or injected memory areas, useful for detecting stealthy code execution.

Some plugins in Volatility 3, such as windows.handles, serve both system-wide and process-specific roles. When run globally, windows.handles enumerates all handles opened across the system, providing a comprehensive view of object references by all processes. When scoped to a specific process, it filters output to show only handles opened by that process. This duality allows investigators to perform both high-level system analysis and focused per-process inspection, aiding identification of shared resources, suspicious cross-process access, or unauthorized handle duplication.

By the end of Phase 2, each process is represented by a set of structured data capturing its execution context, memory layout, resource access, and indicators of privilege or anomaly. This collection is essential for the semantic correlation and reconstruction steps that follow.

3.4.3 Phase 3 (Cross-Layer Correlation)

The third phase acts as a bridge between the system-wide insights obtained in Phase 1 and the process-centric views established in Phase 2. Its objective is to enrich each process profile with contextual information from the overall system state, enabling a more comprehensive understanding of process behavior.
To achieve this, structured correlations are performed between system-level tables and process-specific tables within the unified SQLite database. These correlations reveal relationships, dependencies, and behavioral patterns that are not apparent when analyzing data in isolation.

Correlation Strategy

A series of SQL queries are designed to associate process-level records with relevant entries from system-wide data based on shared attributes such as process identifier (PID), file paths, memory addresses, and service references. Each query produces insights that are merged into the process profiles to support semantic reconstruction.

Examples of Correlation Queries

Timeliner Process Events: Identify all timeline events explicitly mentioning the process.

    SELECT * FROM timeliner WHERE Description LIKE '%Process 6404%';

Usefulness: Helps reconstruct system-level actions (e.g., DLL loads, file access) attributed to the process.

Service Handle Correlation: Match process-acquired handles to binary paths of running services to detect indirect interactions.

    SELECT s.Name AS ServiceName, s.Binary AS ServiceBinary, h.Name AS HandleName
    FROM svcscan s
    JOIN handles_pid_6404 h ON LOWER(s.Binary) LIKE '%' || LOWER(h.Name) || '%';

Usefulness: May reveal indirect interactions with critical system services or binaries.

Shared Handle Detection: Identify shared objects between the target process and other processes.

    SELECT DISTINCT h1.PID AS PID1, h2.PID AS PID2, h1.Offset AS ObjectAddress,
           h1.Name AS SharedResource, h1.Type AS ResourceType
    FROM handles h1
    JOIN handles h2 ON h1.Offset = h2.Offset
    WHERE h1.PID = '6404' AND h2.PID != '6404' AND h1.Name IS NOT NULL
    ORDER BY h1.Offset, h2.PID;

Usefulness: Suggests IPC, shared resources, or injection behavior.

Post-Creation Timeline Filtering: Retrieve system events that occurred only after the process was created.
    SELECT [Created Date], Description
    FROM timeliner
    WHERE [Created Date] > (SELECT CreateTime FROM pslist WHERE PID = '6404');

Usefulness: Reduces noise and isolates time-relevant activity.

MFT Entry Monitoring: Filter for file system-related events involving file creation or renaming.

    SELECT [Created Date], Description
    FROM timeliner
    WHERE [Created Date] > (SELECT CreateTime FROM pslist WHERE PID = '6404')
      AND Description LIKE '%MFT FILE_NAME entry%';

Usefulness: Indicates creation or renaming of files by correlating with MFT activity.

Network Activity Extraction: List all socket connections associated with the process.

    SELECT Created, Proto, LocalAddr, LocalPort, ForeignAddr, ForeignPort, State
    FROM netstat
    WHERE PID = '6404';

Usefulness: Highlights potential command-and-control, download, or exfiltration behavior.

3.4.4 Phase 4 (Semantic Profile Generation and Filtering)

After collecting process-specific data and performing system-level correlations, Phase 4 focuses on synthesizing this information into a structured, analyzable representation: the process semantic profile. This profile captures the observed behavior of a process as a combination of artifacts, relationships, timelines, and memory-resident strings.

String Extraction and Filtering

In parallel, memory dump files for each process are generated using procdump, which was placed in the pre-configured shared directory between the virtual machine and the host system. Each process was individually dumped using procdump prior to executing DumpIt to capture the full memory snapshot. The resulting dumps were then scanned using the Sysinternals strings utility. Both ASCII and UTF-16LE strings were extracted using the utility’s default behavior, capturing a broad range of meaningful content from the process’s address space.
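As an added, self-contained example (not the paper’s own scripts), the following Python loads constructed Volatility 3 style plugin output into one SQLite table per plugin, as the Phase 1 and Phase 2 tables are described, and then runs three of the Phase 3 correlation queries above against PID 6404. The JSON column names, process names, offsets and timestamps are invented for the demo and are not from the paper’s memory image.

```python
import json
import sqlite3

TARGET_PID = 6404  # the PID used in the paper's example queries

# Constructed sample data shaped like Volatility 3 "-r json" plugin output: one dict per
# row keyed by column name, each with a "__children" list.  The column names match the
# tables used by the Phase 3 queries (pslist, handles, timeliner); every value is invented.
SAMPLE_PLUGIN_OUTPUT = {
    "pslist": json.dumps([
        {"PID": 6404, "PPID": 1200, "ImageFileName": "file_writer.exe",
         "CreateTime": "2024-01-01 10:00:00", "__children": []},
        {"PID": 1200, "PPID": 800, "ImageFileName": "explorer.exe",
         "CreateTime": "2024-01-01 09:00:00", "__children": []},
    ]),
    "handles": json.dumps([
        {"PID": 6404, "Offset": "0xffffa0001", "Type": "File",
         "Name": "\\Users\\lab\\activity.log", "__children": []},
        {"PID": 6404, "Offset": "0xffffa0002", "Type": "Mutant",
         "Name": "\\BaseNamedObjects\\DemoMutex", "__children": []},
        {"PID": 1200, "Offset": "0xffffa0002", "Type": "Mutant",
         "Name": "\\BaseNamedObjects\\DemoMutex", "__children": []},
        {"PID": 1200, "Offset": "0xffffa0003", "Type": "Key",
         "Name": None, "__children": []},
    ]),
    "timeliner": json.dumps([
        {"Plugin": "MFTScan", "Created Date": "2024-01-01 09:30:00",
         "Description": "MFT FILE_NAME entry \\Windows\\Temp\\old.tmp", "__children": []},
        {"Plugin": "PsList", "Created Date": "2024-01-01 10:00:00",
         "Description": "Process 6404 file_writer.exe started", "__children": []},
        {"Plugin": "MFTScan", "Created Date": "2024-01-01 10:05:00",
         "Description": "MFT FILE_NAME entry \\Users\\lab\\activity.log", "__children": []},
    ]),
}


def load_plugin_table(conn, table, json_text):
    """Create one table per plugin, columns taken from the JSON keys (Phase 1/2 style)."""
    rows = json.loads(json_text)
    cols = [c for c in rows[0] if c != "__children"]
    col_list = ", ".join(f'"{c}"' for c in cols)  # quoted: "Created Date" contains a space
    conn.execute(f'CREATE TABLE "{table}" ({col_list})')
    conn.executemany(f'INSERT INTO "{table}" VALUES ({", ".join("?" * len(cols))})',
                     [tuple(r.get(c) for c in cols) for r in rows])


# Phase 3 queries, parameterised on the PID instead of hard-coding '6404'.
# "Offset" is double-quoted because OFFSET is an SQL keyword.
PROCESS_EVENTS = "SELECT [Created Date], Description FROM timeliner WHERE Description LIKE ?"

SHARED_HANDLES = """
SELECT DISTINCT h1.PID AS PID1, h2.PID AS PID2, h1."Offset" AS ObjectAddress,
       h1.Name AS SharedResource, h1.Type AS ResourceType
FROM handles h1 JOIN handles h2 ON h1."Offset" = h2."Offset"
WHERE h1.PID = ? AND h2.PID != ? AND h1.Name IS NOT NULL
ORDER BY h1."Offset", h2.PID"""

# Timestamps are compared as text, so this is only correct when pslist and timeliner
# store them in the same fixed-width, zero-padded format (true for the constructed data).
POST_CREATION_MFT = """
SELECT [Created Date], Description FROM timeliner
WHERE [Created Date] > (SELECT CreateTime FROM pslist WHERE PID = ?)
  AND Description LIKE '%MFT FILE_NAME entry%'"""


def correlate(conn, pid):
    """Run the correlation queries for one PID; the rows become part of its profile."""
    return {
        "process_events": conn.execute(PROCESS_EVENTS, (f"%Process {pid}%",)).fetchall(),
        "shared_handles": conn.execute(SHARED_HANDLES, (pid, pid)).fetchall(),
        "post_creation_mft": conn.execute(POST_CREATION_MFT, (pid,)).fetchall(),
    }


def build_profile(pid=TARGET_PID, plugin_output=SAMPLE_PLUGIN_OUTPUT):
    """Load every plugin table into an in-memory database and correlate one PID."""
    conn = sqlite3.connect(":memory:")
    for table, text in plugin_output.items():
        load_plugin_table(conn, table, text)
    profile = correlate(conn, pid)
    conn.close()
    return profile


if __name__ == "__main__":
    print(json.dumps(build_profile(), indent=2))
```

With real plugin output, replace SAMPLE_PLUGIN_OUTPUT with the text of each plugin run under the JSON renderer; the PID should be stored as an integer so that comparisons do not depend on how it is quoted.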
Since raw strings include significant noise (e.g., memory padding, corrupted characters, or binary blobs), a custom filter based on English linguistic structure was implemented. This filtering process is designed to discard random or low-value strings while retaining likely meaningful content. The filtering uses a substring matching algorithm built upon the NLTK corpus of English words. A substring of three or more characters is considered valid if it appears in any English word. The following Python logic illustrates this approach:

Listing 1: Python function to check for non-random strings

    from nltk.corpus import words  # NLTK English word list (requires nltk.download('words'))
    # Every three-character substring of every corpus word, built once and reused
    valid_substrings = {w[i:i + 3].lower() for w in words.words() for i in range(len(w) - 2)}

    def is_non_random(s):
        s_lower = s.lower()
        for i in range(len(s_lower) - 2):  # slide a three-character window over the string
            if s_lower[i:i + 3] in valid_substrings:
                return True
        return False

Filtered strings are stored separately for each process and later attached to the final semantic profile. This enriches the profile with natural-language clues potentially representing log messages, variable names, user inputs, or internal functionality.

AI-Ready Packaging

In preparation for semantic interpretation, each process is represented by a comprehensive AI-ready profile composed of:

Structured data combining process-specific information and correlated system-wide artifacts, collected into a JSON file.
A filtered set of meaningful memory-resident strings derived from the process dump, stored in a plain text file.

This composite representation captures both structural and behavioral signals, providing a rich and condensed input format for AI agents to infer the semantic behavior of the process.

Automation of Forensic Data Extraction and Profiling

To support consistency, scalability, and reproducibility, a suite of automation scripts was developed covering the first three phases of the framework. In Phase 1, a script extracts system-wide forensic data using a predefined set of Volatility 3 plugins and stores the results into automatically created SQLite tables.
Phase 2 includes a script that iterates over selected process IDs, runs process-specific plugins, and dynamically creates and populates per-process tables with the extracted data. In Phase 3, another script builds semantic profiles for each process by aggregating plugin outputs and executing correlation queries that combine system-wide and process-level information. All scripts handle table creation, data normalization, and insertion automatically, ensuring a fully repeatable pipeline from raw memory analysis to structured process profiling.

3.4.5 Phase 5 (AI-Assisted Semantic Reconstruction)

In the final phase, large language models (LLMs) are leveraged to perform semantic reasoning over the structured process profiles produced in Phase 4. The goal is to bridge the gap between raw forensic artifacts and a high-level understanding of process behavior, intent, and context. The profiles were tested with the following leading publicly available LLMs:

ChatGPT (based on OpenAI’s GPT-4 architecture)
Gemini (Google’s multi-modal agent, 2.5 version)

These agents were selected for their strong comprehension abilities and capacity to analyze both structured JSON data and free text. Each AI agent is provided with the following inputs:

The process’s semantic profile (in JSON format).
A list of filtered, meaningful strings extracted from the process memory.
An instruction prompt directing the AI to interpret the behavior of the process, identify actions taken, and hypothesize the process’s purpose.

The prompt reads:

    You are given: A JSON process profile that includes runtime characteristics like
    privileges, command-line arguments, DLLs, handles, memory mappings, and event
    timeline data. A text file containing memory strings related to that process.
    From this information, provide a concise summary (2–3 sentences max) of the
    process’s likely behavior and purpose. Focus on what the process is doing, how it
    interacts with the system, and any indicators of intent.
    Be accurate and avoid guessing; only include what can reasonably be inferred.

This prompt is accompanied by the JSON profile and the string list provided as attachments. This final phase shows that with carefully prepared input, large language models can understand complex forensic evidence. Instead of replacing human analysts, these AI agents help investigations by finding patterns, behaviors, and possible threats more quickly and accurately.

4 Results

This section evaluates the effectiveness of AI agents in producing high-level semantic summaries of process behavior based on forensic profiles generated in the preceding phases. Rather than focusing on fine-grained details such as specific API calls or memory allocations, the emphasis is on the agents’ ability to understand and abstract the overall purpose of a process—for example, whether it acts as a credential stealer, log parser, file encrypter, and so forth. For each process, the AI-generated abstract interpretation is compared against the known ground truth. The objective is to assess whether the AI agents can accurately infer the role of the process.

It is important to emphasize that the proposed AI-assisted framework is not intended to replace traditional forensic techniques or manual expert analysis. Instead, it serves as a complementary layer, offering meaningful shortcuts and interpretive support. Given that AI responses are inherently non-deterministic and occasionally speculative, human oversight remains essential. The goal is to augment the analyst’s capabilities rather than to automate conclusions.

4.1 ChatGPT

This subsection shows the high-level summaries produced by ChatGPT for each of the six processes. The summaries are based only on the structured process profile and the filtered strings from the process memory.

creds_collector.exe: ChatGPT recognized this process as a credential harvesting utility, citing its elevated privileges and interaction with authentication-related components.
This closely matches its ground-truth behavior, which involves locating and copying files associated with stored credentials from the system.

data_encoder.exe: ChatGPT described this process as a data staging or transformation utility, likely involved in encoding data for later use. This interpretation aligns well with the program’s actual function of applying Base64 encoding to input files and saving the results as output.

file_encryptor_simulator.exe: ChatGPT recognized this process as performing or simulating file encryption, citing its use of cryptographic functions and interaction with the file system. This accurately reflects its intended role as a file encryption simulator designed to mimic ransomware-like behavior.

file_writer.exe: ChatGPT described this process as a data persistence or logging utility, based on its structured file-writing behavior. This aligns well with the program’s actual function of repeatedly writing timestamped binary data to disk.

log_parser.exe: ChatGPT identified this process as performing log parsing and analysis, based on its interaction with log files and filtering behavior. This accurately reflects the program’s intended role of scanning logs and extracting relevant entries.

network_simulator.exe: ChatGPT described this process as a network behavior emulator, highlighting its simulated socket activity and interaction with networking components. This matches the intended design of generating synthetic network-like behavior without real data transmission.

In summary, across all six test cases, ChatGPT was able to infer accurate and semantically relevant summaries that reflected the original design goals of the processes. While it abstracted away implementation details, ChatGPT consistently captured the high-level purpose of each program. This confirms ChatGPT’s effectiveness in semantic reconstruction when guided by structured forensic inputs.
4.2 Gemini Results This subsection presents the high-level semantic interpretations provided by Gemini for each of the six profiled processes. Each interpretation is based solely on the structured process profile and process’s filtered strings. creds_collector.exe : Gemini identified this process as a credential harvesting or management utility, citing associations with APIs such as CredProtectW, NCryptEncrypt, and LsaSetSecret. While these APIs were not explicitly called by the program, their presence in memory-resident strings or linked modules (e.g., advapi32.dll, sechost.dll) likely contributed to this inference. This reflects a common heuristic used by AI agents to associate security-related libraries and patterns with credential activity. Overall, the AI correctly abstracted the program’s intent: locating and copying files potentially containing sensitive user information. data_encoder.exe : Gemini interpreted this process as a data transformation or encryption utility, primarily based on the presence of cryptographic libraries and memory-resident patterns resembling encoding behavior. While the program uses simple Base64 encoding rather than true encryption, the AI’s conclusion reflects the observable signs of data manipulation. Mentions of memory dump files and references to other processes may have contributed to Gemini’s inference about inter-process interaction or data staging, even though the actual implementation does not perform such operations. Overall, the summary aligns with the core semantic function of preparing data in an obfuscated form. file_encryptor_simulator.exe : Gemini accurately described this process as one performing file encryption and decryption, referencing the use of encryption-related APIs and suggesting potential data transfer capabilities. In reality, the program simulates ransomware-like behavior by recursively applying Base64 encoding to files and renaming them to mimic encryption, without using real cryptographic APIs. 
While it does not actually encrypt or transfer data, the AI’s abstraction captures the core semantic intent of simulating an encryption-based attack pattern. file_writer.exe : Gemini described this process as performing file manipulation with cryptographic transformations and possible data transmission. In reality, the program periodically writes structured log-like entries to a file, without applying any encryption or transmitting data. While the AI correctly captured the persistence aspect of file writing, the inclusion of cryptographic and network implications overstates the actual implementation. Nonetheless, the abstraction partially aligns with the intended behavior of simulating repeated disk activity. log_parser.exe : Gemini characterized this process as a system utility for log analysis and runtime data parsing, citing interactions with registry entries and temporary files. This interpretation aligns well with the ground truth, as the actual program reads local log files and filters specific entries into a summary file. While the AI abstracted the behavior to a broader diagnostic context, the core functionality of parsing and reducing log data was correctly captured. network_simulator.exe : Gemini abstracted this process as a network simulation utility that manages temporary files and diagnostic artifacts. This interpretation is consistent with the actual implementation, which generates in-memory packet-like structures and logs them to disk without performing real network communication. The AI’s summary appropriately captures the process’s high-level semantic intent while avoiding unnecessary focus on low-level execution specifics. Overall, Gemini produces generally consistent high-level interpretations that align with the intended semantics of the tested processes. While it occasionally infers beyond observable behavior, its summaries reflect a reasonable understanding of process roles based on the available forensic inputs. 
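As an added example (not part of the paper or its framework code), the following Python sketch applies the check the creds_collector.exe result above calls for, and a simple form of the per-element confidence score proposed in the Discussion: before the string list is attached to the prompt, each memory-resident string is tagged with its likely provenance, so an API name that is merely exported by a loaded module such as advapi32.dll reaches the agent marked as weak evidence rather than as a recorded call. The profile layout, the tag vocabulary and the MODULE_EXPORTS table are constructed assumptions; a real deployment would read export names from the mapped PE images.

```python
"""Provenance-grade the evidence in a process profile before it reaches the LLM.

Added example, not the paper's code. Plugin-reported artifacts (cmdline, handles,
connections) are graded high; strings from private memory are graded by what
they most plausibly are, and API names that a loaded module exports are
explicitly marked as not proving invocation.
"""
import re

# Constructed sample: a few API names exported by modules the profile lists as
# loaded. NOT a real export table; derive it from the mapped PE images in practice.
MODULE_EXPORTS = {
    "advapi32.dll": {"CredProtectW", "LsaSetSecret", "RegOpenKeyExW"},
    "sechost.dll": {"OpenSCManagerW"},
    "ncrypt.dll": {"NCryptEncrypt"},
}

# Heuristics (assumptions): Win32-style identifier vs. path/URL-like string.
API_NAME = re.compile(r"^[A-Z][A-Za-z0-9]{3,}(?:A|W|Ex|ExW|ExA)?$")
PATH_OR_URL = re.compile(
    r"(^[A-Za-z]:\\|^\\\\|^https?://|\.(?:txt|log|dat|dll|exe|json)$)", re.I)


def grade_string(s, loaded_modules):
    """Return (confidence, note) for one memory-resident string."""
    for mod in loaded_modules:
        if s in MODULE_EXPORTS.get(mod.lower(), ()):
            return "low", (f"API name exported by loaded {mod}; "
                           "presence does not prove invocation")
    if PATH_OR_URL.search(s):
        return "medium", "path or URL in private memory; not a recorded access"
    if API_NAME.match(s):
        return "low", "looks like an API name; no corroborating plugin artifact"
    return "medium", "free-text string from private memory"


def grade_profile(profile):
    """Attach a provenance tag and confidence to every profile element."""
    graded = []
    for key in ("cmdline", "handles", "connections"):
        for item in profile.get(key, []):
            graded.append({"evidence": item, "source": key, "confidence": "high",
                           "note": "reported directly by a Volatility plugin"})
    mods = profile.get("loaded_modules", [])
    for s in profile.get("strings", []):
        conf, note = grade_string(s, mods)
        graded.append({"evidence": s, "source": "strings",
                       "confidence": conf, "note": note})
    return graded


def render_attachment(graded):
    """Text the agent receives in place of a bare string list."""
    return "\n".join(
        f"[{g['confidence']}] {g['evidence']}  <- {g['source']}: {g['note']}"
        for g in graded)


def low_confidence_api_names(profile):
    """Strings the prompt should present as unproven API references."""
    return [g["evidence"] for g in grade_profile(profile)
            if g["source"] == "strings" and g["confidence"] == "low"]


# Constructed profile resembling the creds_collector.exe case (paths are made up).
SAMPLE_PROFILE = {
    "name": "creds_collector.exe",
    "cmdline": [r"C:\Tests\creds_collector.exe"],
    "handles": [r"\Device\HarddiskVolume2\Users\lab\Documents\creds_test\vault.bin"],
    "connections": [],
    "loaded_modules": ["ntdll.dll", "kernel32.dll", "advapi32.dll",
                       "sechost.dll", "ncrypt.dll"],
    "strings": ["CredProtectW", "NCryptEncrypt", "LsaSetSecret", "CreateFileW",
                r"C:\Users\lab\Documents\creds_test", "copied %d files"],
}

if __name__ == "__main__":
    print(render_attachment(grade_profile(SAMPLE_PROFILE)))
```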
5 Discussion and Future Work

This work presents a practical and effective framework for analyzing memory dumps using AI agents. By combining process-specific data, system-wide correlations, and filtered strings, the framework helps AI agents understand the behavior of individual processes in a clear and structured way. Extracting high-level semantic meaning from low-level forensic data is an important step toward making memory analysis more accessible and insightful.

Our AI-assisted approach is not intended to replace traditional forensic methods or expert analysis but to complement them by providing high-level summaries that can speed up investigations. Because AI outputs can be non-deterministic or speculative, human oversight remains essential. The goal is to support analysts, not automate decisions.

There are some limitations. The accuracy of results depends heavily on the completeness of the memory dump. If a process ends before memory capture, important information may be missing. Memory dumps capture only a single point in time, so long-term or evolving behaviors cannot be observed. Some Volatility plugins may produce inconsistent or noisy data that requires cleanup and normalization. Large language models also have limitations: they sometimes guess or generate speculative answers, and their output can vary depending on the prompt.

Several improvements are possible. Capturing multiple memory snapshots over time would allow detection of behavior changes. Using automatic prompt generation based on profile content could reduce errors and improve consistency. Adding confidence scores for profile elements would help both humans and AI assess the reliability of information. Integrating external threat intelligence and tagging known patterns could provide useful context. Expanding support to Linux and macOS would increase applicability. Building a dataset of labeled processes and training a dedicated AI model could improve performance. Finally, introducing agentic AI with feedback loops would enable the system to refine its analysis over multiple rounds, making the output more accurate and context-aware.

6 Related Work

Memory forensics, also known as volatile memory analysis, has become a vital area in digital forensics, offering access to runtime artifacts such as active processes, loaded modules, and network connections Nyholm et al. (2022); Inoue et al. (2011); Solomon et al. (2007); Schuster (2008a); Walters and Petroni (2007); Al-Saleh et al. (2023). Unlike traditional disk-based analysis, memory forensics allows investigators to capture transient data that might otherwise be lost upon shutdown. This capability is particularly significant for identifying stealthy malware, especially fileless threats that operate solely in memory Qawasmeh et al. (2019); Al-Saleh et al. (2020); Qawasmeh and Al-Saleh (2020).

Several studies have highlighted the critical nature of memory-resident information for uncovering forensic evidence. For instance, Ottmann et al. (2023) evaluated 360 memory dumps from a Linux system, revealing that nearly a third were incomplete and almost half contained inconsistencies that could compromise forensic conclusions. The authors proposed a new approach for estimating causal consistency and found that issues often correlated with system load and thread activity.

Specialized tools have been developed to assist in extracting memory artifacts. GrepEXEC, introduced in Bugcheck (2006), enables the identification of executive structures like ETHREAD and EPROCESS based on unique signatures. Other works have applied text mining techniques to streamline the discovery of relevant forensic data Beebe and Dietrich (2007); Beebe and Clark (2007). The structure and behavior of Windows Virtual Address Descriptor (VAD) trees have also been leveraged in memory analysis, as demonstrated in Dolan-Gavitt (2007).
Additionally, Schuster (2008b) examined how Windows pool allocation strategies impact memory forensic procedures. Enhancing the reliability of collected evidence, Law et al. (2010) advocated for acquiring memory across multiple snapshots to validate findings.

Virtualization further increases the relevance of memory forensics. Graziano et al. (2013) proposed a set of methods for inspecting memory in virtualized environments, including the detection of hypervisors using Intel VT-x technology. Their extension to the Volatility framework Walters (2007) enables address space reconstruction of virtual machines. Similarly, Dolan-Gavitt (April 2009); Sylve et al. (2017) tackled the challenge of analyzing modern Windows hibernation files after Microsoft altered their structure, making existing tools ineffective.

Memory forensics also facilitates investigations into user activity. Research in Olajide et al. (2009) found that information from common applications could be recovered from memory, such as documents and webpages. Web browsing artifacts, even in private or incognito mode, were studied in Said et al. (2011); Ohana and Shashidhar (2013); Al-Khaleel et al. (2014), revealing residual data left behind in RAM. Additional capabilities such as call stack reconstruction have been implemented as Volatility plugins Pulley (2013); Pshoul (2017) and later adapted to the Rekall framework Otsuki et al. (2018); Inc (2017).

From an operational security perspective, memory forensics plays a key role in detecting malware and advanced persistent threats. Studies like Cohen (2017) used YARA rules to identify malware patterns in memory, while Lapso et al. (2017) developed visualization tools to assist forensic interpretation. More recently, memory analysis was used in detecting network reconnaissance behaviors Al-Saleh et al. (2019), and TCP buffer retention of critical data was demonstrated in Al-Saleh and Al-Sharif (2012).

As malware grows more evasive, AI-driven analysis has gained traction in memory forensics. Research shows that machine learning and deep learning techniques can assist in identifying malicious behaviors based on volatile memory characteristics Schuster (2006). Hybrid techniques combining dynamic analysis, memory inspection, and statistical modeling are increasingly seen as essential to addressing modern threats.

The recent work volGPT Oh et al. (2024) introduces a prompt-based LLM system to triage memory-resident processes for ransomware detection using Volatility plugins like pslist, vadinfo, and malfind. While their approach focuses on flagging suspicious processes through predefined prompts and plugin metadata, our work differs both in scope and depth. We propose a comprehensive five-phase framework for AI-assisted semantic reconstruction of process behavior, integrating system-wide context, per-process plugin data, linguistically filtered memory-resident strings, and LLM-driven reasoning. Unlike volGPT, which is tailored to ransomware detection, our framework generalizes to any process, benign or malicious, and produces structured profiles that support free-text semantic interpretation. Our approach not only enhances forensic visibility but also moves toward narrative-level behavioral reconstruction, offering richer insight into process intent beyond static triage.

Recent efforts to improve the performance of the Volatility Framework without altering its codebase have shown that PyPy can deliver up to 20% performance gains using a Docker-based setup and JIT alternatives Gharaibeh et al. (2024). Nissan et al. (2023) proposed a forensic technique to infer recent database query activity from memory snapshots of DBMS processes by extracting byte-frequency features from a memory region called the sort area fragment, and classifying query operations using support vector machines (SVMs), achieving 92% accuracy on MySQL and 90% on PostgreSQL. A machine learning approach for classifying memory contents at the page level has been proposed to aid digital media triage in forensic investigations Al-Saleh et al. (2025).

The application of artificial intelligence (AI) and machine learning (ML) in digital forensics has gained significant traction, moving beyond traditional signature-based detection to more advanced anomaly detection, classification, and behavioral analysis Akeiber (2025). Early applications involved classic ML algorithms for tasks such as malware classification based on static or dynamic features Vinayakumar et al. (2019), network intrusion detection Chen et al. (2024); Adjei et al. (2024), and anomaly detection in system logs or user behavior Hussein and Sándor (2024); Pan et al. (2024).

Our work specifically leverages these advanced AI agents to perform semantic reasoning over structured and semi-structured forensic data derived from memory dumps. Unlike previous AI applications that primarily focused on classification or anomaly detection based on statistical patterns, we aim to interpret the holistic behavior of processes by feeding comprehensive forensic profiles (combining structured plugin outputs with linguistically filtered process memory strings) to LLMs. This approach allows the AI to move beyond merely identifying "what" artifacts are present to inferring "why" a process exhibited certain behaviors (e.g., credential scraping, data encoding, persistence mechanisms, or command-and-control communication). This represents a novel and significant application of LLMs in memory forensics, bridging low-level technical evidence with high-level semantic interpretation. By providing a framework for AI to reason over volatile memory artifacts, our methodology significantly enhances an analyst’s ability to understand process intent and behavior, even in the absence of source code or live observation, paving the way for scalable, automated, and intelligent analysis of volatile memory in modern forensic toolkits.

Despite advancements, AI-assisted memory forensics faces significant challenges that limit its widespread adoption and effectiveness. These include:

- Limited availability of labeled datasets: There is a scarcity of high-quality, publicly available, and labeled datasets specific to volatile memory analysis for training robust AI models. This often necessitates resource-intensive manual labeling or the creation of synthetic datasets, which may not fully capture the complexity of real-world scenarios.
- Malware obfuscation and anti-forensics techniques: Sophisticated malware employs advanced obfuscation and anti-forensics techniques designed to evade detection and analysis, often altering memory artifacts at runtime or employing self-modifying code. This makes it challenging for static and even dynamic AI models to accurately identify malicious behaviors from memory snapshots.

7 Conclusion

This work proposes a comprehensive five-phase framework for AI-assisted semantic reconstruction of process behavior from memory dumps. Leveraging Volatility 3 plugins, we systematically extracted and correlated both system-wide and process-specific forensic artifacts. These artifacts were organized into structured profiles enriched with linguistically filtered process memory strings. Through a cross-layer correlation strategy, behaviorally meaningful process representations were created and subsequently analyzed by advanced AI agents (ChatGPT and Gemini). Our experiments in a controlled Windows 11 environment using custom test programs demonstrate the effectiveness of this approach.
We showed that even from a single memory snapshot, it is possible to infer what a process was doing—such as collecting credentials, encrypting files, preparing data for exfiltration, or simulating network activity.

This work highlights a novel intersection between memory forensics and artificial intelligence. By bridging low-level memory evidence with high-level semantic interpretation, our methodology enhances analysts’ ability to understand process intent and behavior, even in the absence of source code or live observation. As AI tools continue to evolve, we anticipate this approach becoming an integral part of modern forensic toolkits, enabling scalable, automated, and intelligent analysis of volatile memory.

Declarations

Author Contributions
All authors contributed to the study conception, experimental design, and manuscript review. M.I.A.-S. took the lead on all aspects of the research, including the framework implementation, development of the test programs, and the primary drafting of the manuscript. A.A. (Akram Alkouz) and A.A. (Abdulsalam Alarabeyyat) participated in the experimental analysis and the evaluation of the AI agent responses. All authors read and approved the final manuscript.

References

Adjei, P.O., Tetarave, S.K., John, C., et al.: Robust network anomaly detection with k-nearest neighbors (kNN) enhanced digital twins. In: SoutheastCon 2024, IEEE, pp 421–426 (2024)
Akeiber, H.J.: A comprehensive study of cybercrime and digital forensics through machine learning and AI. Al-Rafidain J. Eng. Sci., pp 369–395 (2025)
Al-Khaleel, A., Bani-Salameh, D., Al-Saleh, M.I.: On the memory artifacts of the Tor Browser Bundle. In: The International Conference on Computing Technology and Information Management (ICCTIM), Society of Digital Information and Wireless Communication, p 41 (2014)
Al-Saleh, M.I., Al-Sharif, Z.A.: Utilizing data lifetime of TCP buffers in digital forensics: Empirical study. Digit. Invest. 9(2), 119–124 (2012)
Al-Saleh, M.I., Al-Sharif, Z.A., Alawneh, L.: Network reconnaissance investigation: A memory forensics approach. In: 2019 10th International Conference on Information and Communication Systems (ICICS), IEEE, pp 36–40 (2019)
Al-Saleh, M.I., Qawasmeh, E., Al-Sharif, Z.A.: Utilizing debugging information of applications in memory forensics. J. Univers. Comput. Sci. 26(7), 805–826 (2020)
Al-Saleh, M.I., Alkouz, A., Alarabeyyat, A., et al.: Towards classifying file segments in memory using machine-learning. In: 2023 9th International Conference on Information Technology Trends (ITT), pp 44–49 (2023). https://doi.org/10.1109/ITT59889.2023.10184243
Al-Saleh, M.I., Alkouz, A., Alarabeyyat, A., et al.: On classifying memory contents at page-level granularity: machine-learning approach. Int. J. Electron. Secur. Digit. Forensics (2025), available online. https://doi.org/10.1504/IJESDF.2025.10064346
Beebe, N., Dietrich, G.: A new process model for text string searching. In: IFIP International Conference on Digital Forensics, Springer, pp 179–191 (2007)
Beebe, N.L., Clark, J.G.: Digital forensic text string searching: Improving information retrieval effectiveness by thematically clustering search results. Digit. Invest. 4, 49–54 (2007)
Bugcheck, C.: GrepExec: Grepping executive objects from pool memory. In: Proc. Digital Forensic Research Workshop (2006)
Chen, H., Shen, Z., Wang, Y., et al.: Threat detection driven by artificial intelligence. Enhancing cybersecurity with machine learning algorithms (2024)
Cohen, M.: Scanning memory with YARA. Digit. Invest. 20, 34–43 (2017)
Dolan-Gavitt, B.: The VAD tree: A process-eye view of physical memory. Digit. Invest. 4, 62–64 (2007)
Dolan-Gavitt, B.: Add support for inactive hiberfiles to hibinfo. volatilityfoundation/volatility@552c1d8 (April 2009). https://github.com/volatilityfoundation/volatility/commit/552c1d813b05a0bf8d3d1ec1f64b3ba5f98403cc
Gharaibeh, T., Baggili, I., Mahmoud, A.: On enhancing memory forensics with FAME: Framework for advanced monitoring and execution. Forensic Sci. Int.: Digit. Invest. 49, 301757 (2024)
Graziano, M., Lanzi, A., Balzarotti, D.: Hypervisor memory forensics. In: International Workshop on Recent Advances in Intrusion Detection, Springer, pp 21–40 (2013)
Hussein, S.A., Sándor, R.R.: Anomaly detection in log files based on machine learning techniques. J. Electr. Syst. 20(3s), 1299–1311 (2024)
Inc, G.: Rekall memory forensic framework (2017). http://www.rekall-forensic.com/
Inoue, H., Adelstein, F., Joyce, R.A.: Visualization in testing a volatile memory forensic tool. Digit. Invest. 8(Supplement), S42–S51 (2011). http://linkinghub.elsevier.com/retrieve/pii/S1742287611000302
Lapso, J.A., Peterson, G.L., Okolica, J.S.: Whitelisting system state in Windows forensic memory visualizations. Digit. Invest. 20, 2–15 (2017)
Law, F., Chan, P., Yiu, S.M., et al.: Identifying volatile data from multiple memory dumps in live forensics. In: IFIP International Conference on Digital Forensics, Springer, pp 185–194 (2010)
Nissan, M.I., Wagner, J., Aktar, S.: Database memory forensics: A machine learning approach to reverse-engineer query activity. Forensic Sci. Int.: Digit. Invest. 44, 301503 (2023)
Nyholm, H., Monteith, K., Lyles, S., et al.: The evolution of volatile memory forensics. J. Cybersecur. Priv. 2(3), 556–572 (2022)
Oh, D.B., Kim, D., Kim, H.K.: volGPT: Evaluation on triaging ransomware process in memory forensics with large language model. Forensic Sci. Int.: Digit. Invest. 49, 301756 (2024)
Ohana, D.J., Shashidhar, N.: Do private and portable web browsers leave incriminating evidence? A forensic analysis of residual artifacts from private and portable web browsing sessions. EURASIP J. Inform. Secur. 2013(1), 6 (2013)
Olajide, F., Savage, N., et al.: Application level evidence from volatile memory. J. Comput. Syst. Eng. 10, 171–175 (2009)
Otsuki, Y., Kawakoya, Y., Iwamura, M., et al.: Building stack traces from memory dump of Windows x64. Digit. Invest. 24, S101–S110 (2018)
Ottmann, J., Breitinger, F., Freiling, F.: An experimental assessment of inconsistencies in memory forensics. ACM Trans. Priv. Secur. 27(1), 1–29 (2023)
Pan, J., Liang, W.S., Yidi, Y.: RAGLog: Log anomaly detection using retrieval augmented generation. In: 2024 IEEE World Forum on Public Safety Technology (WFPST), IEEE, pp 169–174 (2024)
Pshoul, D.: community/DimaPshoul at master, volatilityfoundation/community, GitHub (2017). https://github.com/volatilityfoundation/community/tree/master/DimaPshoul
Pulley, C.: GitHub - carlpulley/volatility: A collection of Volatility framework plugins (2013). https://github.com/carlpulley/volatility
Qawasmeh, E., Al-Saleh, M.I.: On producing events timeline for memory forensics: An experimental study. In: 2020 Seventh International Conference on Information Technology Trends (ITT), IEEE, pp 1–5 (2020)
Qawasmeh, E., Al-Saleh, M.I., Al-Sharif, Z.A.: Towards a generic approach for memory forensics. In: 2019 Sixth HCT Information Technology Trends (ITT), IEEE, pp 094–098 (2019)
Said, H., Al Mutawa, N., Al Awadhi, I., et al.: Forensic analysis of private browsing artifacts. In: 2011 International Conference on Innovations in Information Technology, IEEE, pp 197–202 (2011)
Schuster, A.: Searching for processes and threads in Microsoft Windows memory dumps. Digit. Invest. 3, 10–16 (2006)
Schuster, A.: The impact of Microsoft Windows pool allocation strategies on memory forensics. Digit. Invest. 5(Supplement), S58–S64 (2008a). Proceedings of the Eighth Annual DFRWS Conference. https://doi.org/10.1016/j.diin.2008.05.007, http://www.sciencedirect.com/science/article/pii/S1742287608000339
Schuster, A.: The impact of Microsoft Windows pool allocation strategies on memory forensics. Digit. Invest. 5, S58–S64 (2008b)
Solomon, J., Huebner, E., Bem, D., et al.: User data persistence in physical memory. Digit. Invest. 4(2), 68–72 (2007). https://doi.org/10.1016/j.diin.2007.03.002, http://www.sciencedirect.com/science/article/pii/S174228760700028X
Sylve, J.T., Marziale, V., Richard, G.G. III: Modern Windows hibernation file analysis. Digit. Invest. 20, 16–22 (2017)
Vinayakumar, R., Alazab, M., Soman, K., et al.: Robust intelligent malware detection using deep learning. IEEE Access 7, 46717–46738 (2019)
Walters, A.: The Volatility framework: Volatile memory artifact extraction utility framework (2007)
Walters, A., Petroni, N.L.: Volatools: Integrating volatile memory forensics into the digital investigation process. Digital Investigation, pp 1–18 (2007). http://scholar.google.co.uk/scholar?q=volatools&hl=en&btnG=Search&as_sdt=2001&as_sdtp=on#0

Additional Declarations
No competing interests reported.

Editorial timeline at journal: first submitted 08 Jan, 2026; submission checks completed 09 Jan, 2026; editor assigned, reviewers invited and reviewers agreed 08 Feb, 2026; reviewers agreed 11 Feb, 2026; reviews received 22 Feb, 2026 and 08 Mar, 2026; reviewers agreed and reviews received 28 Mar, 2026; editorial decision: revision requested 29 Mar, 2026.
As a division of Research Square Company, we’re committed to making research communication faster, fairer, and more useful. We do this by developing innovative software and high quality services for the global research community. Our growing team is made up of researchers and industry professionals working together to solve the most critical problems facing scientific publishing. Also discoverable on Platform About Our Team In Review Editorial Policies Advisory Board Help Center Resources Author Services Accessibility API Access RSS feed Manage Cookie Preferences © Research Square 2026 | ISSN 2693-5015 (online) Privacy Policy Terms of Service Do Not Sell My Personal Information {"props":{"pageProps":{"initialData":{"identity":"rs-8554256","acceptedTermsAndConditions":true,"allowDirectSubmit":false,"archivedVersions":[],"articleType":"Research Article","associatedPublications":[],"authors":[{"id":589679816,"identity":"0312de61-f0c9-4c4a-97b5-e853c2706680","order_by":0,"name":"Mohammed Al-Saleh","email":"data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAZAAAAAyAQMAAABI0h/eAAAABlBMVEX///8AAABVwtN+AAAACXBIWXMAAA7EAAAOxAGVKw4bAAAA10lEQVRIiWNgGAWjYFAC5gYGhgKGBH4J4rUwArUYMCRIzgCzSNFicINYLbrtB5s//DCwyTO+3fz8AUONHQN/OwGdZmcS2yR7DNKKze4cM2xgOJbMIHHmAAEtBxLbGHgMDiduu5EDdBgbUPmNBAJazj9s/vjH4H/i5hkgLf8OMMjff0BAy43EBmkegwOJGySAWhjbDjAAw4GQlodt0jIGyYkzbqQZzkjsS+YxPEPQYcmHP76psEvsn5H84MOHb3ZycscPELAGBQDN5yFF/SgYBaNgFIwCHAAAwxhJyE2VPgwAAAAASUVORK5CYII=","orcid":"","institution":"Higher Colleges of Technology","correspondingAuthor":true,"prefix":"","firstName":"Mohammed","middleName":"","lastName":"Al-Saleh","suffix":""},{"id":589679817,"identity":"ddf4cde6-1cf8-4bbe-bf78-930ad96a67bf","order_by":1,"name":"Akram Alkouz","email":"","orcid":"","institution":"Higher Colleges of 
Technology","correspondingAuthor":false,"prefix":"","firstName":"Akram","middleName":"","lastName":"Alkouz","suffix":""},{"id":589679818,"identity":"da1227c5-26bc-4e0b-be15-d02fab8e944a","order_by":2,"name":"Abdulsalam Alarabeyyat","email":"","orcid":"","institution":"Higher Colleges of Technology","correspondingAuthor":false,"prefix":"","firstName":"Abdulsalam","middleName":"","lastName":"Alarabeyyat","suffix":""}],"badges":[],"createdAt":"2026-01-08 18:08:06","currentVersionCode":1,"declarations":"","doi":"10.21203/rs.3.rs-8554256/v1","doiUrl":"https://doi.org/10.21203/rs.3.rs-8554256/v1","draftVersion":[],"editorialEvents":[],"editorialNote":"","failedWorkflow":false,"files":[{"id":102494402,"identity":"55fe147b-c058-408e-9771-4cf292a21eba","added_by":"auto","created_at":"2026-02-12 09:23:04","extension":"jpeg","order_by":1,"title":"Figure 1","display":"","copyAsset":false,"role":"figure","size":210501,"visible":true,"origin":"","legend":"\u003cp\u003eInvestigation Model.\u003c/p\u003e","description":"","filename":"floatimage1.jpeg","url":"https://assets-eu.researchsquare.com/files/rs-8554256/v1/6c22e9210959d22429a1c3e7.jpeg"},{"id":102494400,"identity":"64198427-012d-44ce-abbf-12cbc61ee596","added_by":"auto","created_at":"2026-02-12 09:23:04","extension":"png","order_by":2,"title":"Figure 2","display":"","copyAsset":false,"role":"figure","size":383739,"visible":true,"origin":"","legend":"\u003cp\u003eOverview of the proposed five-phase memory analysis framework.\u003c/p\u003e","description":"","filename":"floatimage2.png","url":"https://assets-eu.researchsquare.com/files/rs-8554256/v1/82a329b3eb6172376d232699.png"},{"id":102494581,"identity":"7af13377-d335-4ce5-a04f-7de6b1b2b4e3","added_by":"auto","created_at":"2026-02-12 
09:24:31","extension":"pdf","order_by":0,"title":"","display":"","copyAsset":false,"role":"manuscript-pdf","size":1692996,"visible":true,"origin":"","legend":"","description":"","filename":"manuscript.pdf","url":"https://assets-eu.researchsquare.com/files/rs-8554256/v1/995eb8b7-ab31-48ee-8d3b-ef7c09962fc7.pdf"}],"financialInterests":"No competing interests reported.","formattedTitle":"AI-Assisted Semantic Reconstruction of Process Behavior from Memory Dumps","fulltext":[{"header":"1 Introduction","content":"\u003cdiv class=\"BlockQuote\"\u003e\n \u003cp\u003eIn digital forensics and cybersecurity investigations, understanding the behavior of processes captured in memory dumps remains a key challenge. A memory dump offers a complete snapshot of the system state at a specific point in time, including artifacts such as active processes, open handles, loaded modules, and network connections. When disk artifacts are unavailable or have been tampered with, memory analysis becomes even more critical. However, despite the richness of this data, memory dumps are inherently raw and low-level, making direct interpretation difficult. Analysts are often required to manually connect artifacts from multiple layers of abstraction to determine what a process was doing and why. This becomes even more challenging when examining suspicious or unfamiliar binaries, where surface-level indicators may fail to expose deeper behavioral patterns. There is therefore a clear need for frameworks that can not only extract and organize memory-resident data, but also present it in a way that makes process behavior semantically clear and operationally useful.\u003c/p\u003e\n \u003cp\u003eEstablished memory forensics frameworks such as Volatility and Rekall have proven essential for retrieving raw artifacts from memory images, yet they primarily operate at a structural level\u0026mdash;reporting what exists without explaining its purpose. 
These tools can list processes, DLLs, open files, and network connections, but they leave the task of behavioral interpretation entirely to the analyst. Correlating results from multiple plugins and outputs across different files is time-consuming, error-prone, and difficult to scale in time-sensitive or large investigations. Furthermore, most traditional tools are rule- or signature-based, limiting their ability to detect novel or obfuscated activity. For example, identifying that a process injected code into another is possible, but understanding whether this indicates persistence, credential theft, or anti-debugging requires human reasoning. In effect, current practices emphasize data extraction over interpretation, leaving a gap in semantic and contextual analysis.\u003c/p\u003e\n \u003cp\u003eAdvances in large language models (LLMs) and AI agents present a promising opportunity to close this gap. Unlike deterministic tools that rely on predefined rules, AI systems such as ChatGPT and Gemini can process structured forensic data, interpret natural language, and reason over context-rich information. When provided with detailed process profiles\u0026mdash;covering hierarchies, loaded modules, file and network activity, and meaningful strings\u0026mdash;AI can infer roles, actions, and intent in ways that emulate expert reasoning. For example, a process that creates a scheduled task, writes a DLL to disk, and invokes regsvr32.exe could be recognized as establishing persistence. Insights like these are traditionally buried in raw data and require time-intensive manual analysis; AI enables this reasoning to be more scalable, consistent, and explainable.\u003c/p\u003e\n \u003cp\u003eTo address these limitations and make use of AI\u0026rsquo;s capabilities, we propose a five-phase framework for semantic reconstruction of process behavior from memory dumps. 
Built on top of Volatility 3, the framework systematically extracts, organizes, correlates, and interprets artifacts. In \u003cstrong\u003ePhase 1\u003c/strong\u003e, system-wide context is collected through selected Volatility 3 plugins, capturing elements such as active handles, open sockets, running services, and loaded kernel modules. \u003cstrong\u003ePhase 2\u003c/strong\u003e focuses on individual processes of interest, using targeted plugins (e.g., cmdline, envars, vadinfo, malfind) to compile detailed per-process data. Results from these first two phases are stored in a unified SQLite database. \u003cstrong\u003ePhase 3\u003c/strong\u003e applies a correlation engine to merge global and process-level views into cohesive profiles. \u003cstrong\u003ePhase 4\u003c/strong\u003e enriches each profile with strings extracted from private process memory, filtering them through a custom NLP-based model to remove noise and preserve meaningful English substrings. Finally, in \u003cstrong\u003ePhase 5\u003c/strong\u003e, the enriched profiles are provided to AI agents, which interpret the combined evidence to identify potential behaviors such as \u0026ldquo;network beaconing,\u0026rdquo; \u0026ldquo;file encryption,\u0026rdquo; or \u0026ldquo;credential scraping.\u0026rdquo; The modular nature of the framework allows it to be adapted to different investigative contexts, while the AI integration enables scalable, intelligent triage.\u003c/p\u003e\n \u003cp\u003eThe rest of this paper is organized as follows: Section 2 defines the investigation model. Section 3 describes the experimental setup. Section 4 presents the experimental results. Section 5 discusses implications, limitations, and future directions. Section 6 reviews related work in memory forensics and AI-assisted analysis. 
Finally, Section 7 concludes the paper.\u003c/p\u003e\n\u003c/div\u003e"},{"header":"2 Investigation Model","content":"\u003cp\u003eDigital forensic investigations often begin with limited visibility into the state of a compromised system. In particular, memory dumps provide a valuable yet complex snapshot of volatile system activity, capturing both legitimate and potentially malicious processes in execution. However, these raw dumps offer little semantic clarity without considerable post-processing and expert interpretation.\u003c/p\u003e\n\u003cp\u003eWe consider a post-incident investigation scenario where the only evidence available is a full memory snapshot of a suspect Windows system. The investigator does not have access to the source code, logs, or any prior behavioral traces of the running applications. The primary objective is to understand the high-level behavior and intent of key processes that were running at the time of the memory capture. 
Specifically, the investigator seeks to answer questions such as:\u003c/p\u003e\n\u003cul\u003e\n \u003cli\u003eWas this process exfiltrating data or collecting credentials?\u003c/li\u003e\n \u003cli\u003eDid it interact with the file system in suspicious ways?\u003c/li\u003e\n \u003cli\u003eWas it part of lateral movement or persistent activity?\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eTraditional memory forensics tools like Volatility 3 offer powerful means to extract low-level artifacts (e.g., open files, loaded DLLs, handles, environment variables). However, interpreting these artifacts into coherent behavioral narratives still requires significant human effort and expertise. Moreover, artifacts are often fragmented and noisy, making semantic interpretation a non-trivial task.\u003c/p\u003e\n\u003cp\u003eOur investigation model is depicted in Figure 1. It outlines a sequential approach for investigating process behavior from memory dumps, incorporating AI-assisted semantic reconstruction.\u003c/p\u003e\n\u003cp\u003eThe model consists of the following steps:\u003c/p\u003e\n\u003col\u003e\n \u003cli\u003e\u003cstrong\u003eStart Investigation: \u003c/strong\u003eThe forensic process begins with identifying a suspicious or compromised system that requires analysis. 
At this stage, the investigator prepares tools and defines the scope of what to extract and analyze.\u003c/li\u003e\n \u003cli\u003e\u003cstrong\u003eAcquire Memory Dump: \u003c/strong\u003eUsing memory acquisition tools (e.g., DumpIt or FTK Imager), the investigator captures a snapshot of the system\u0026rsquo;s RAM while the machine is running. This step is critical, as volatile memory contains transient information such as running processes, network connections, in-memory credentials, and system state that would otherwise be lost after shutdown.\u003c/li\u003e\n \u003cli\u003e\u003cstrong\u003eCreate List of All Processes: \u003c/strong\u003eOnce the memory dump is acquired, a preliminary analysis enumerates all running processes present in the memory image. This provides an overview of active executables.\u003c/li\u003e\n \u003cli\u003e\u003cstrong\u003eBuild Comprehensive Process Profile: \u003c/strong\u003eAfter initial inspection, the investigator identifies suspicious or noteworthy processes based on indicators such as unusual names, parent-child relationships, or anomalous behavior. A detailed profile is then constructed for each selected process by extracting and correlating all relevant forensic artifacts. This includes memory structures, handles, loaded modules, privileges, timeline events, and strings, forming a rich and holistic view of the process\u0026rsquo;s behavior and interactions.\u003c/li\u003e\n \u003cli\u003e\u003cstrong\u003eFeed Process Profile to AI: \u003c/strong\u003eThe process profile is fed as input to an advanced AI agent (e.g., ChatGPT) with an appropriate prompt. 
This enables the AI to generate a high-level semantic interpretation of the process behavior.\u003c/li\u003e\n \u003cli\u003e\u003cstrong\u003eAI Produces Process Semantic Interpretation: \u003c/strong\u003eThe AI analyzes the comprehensive profile to infer high-level semantic insights about the process\u0026rsquo;s behavior. Instead of simply listing artifacts, the AI attempts to understand the intent and actions, such as \u0026ldquo;credential handling,\u0026rdquo; \u0026ldquo;data exfiltration,\u0026rdquo; \u0026ldquo;persistence mechanism,\u0026rdquo; or \u0026ldquo;network communication,\u0026rdquo; providing a meaningful narrative of the process\u0026rsquo;s activities.\u003c/li\u003e\n \u003cli\u003e\u003cstrong\u003eEnd Investigation / Further Analysis: \u003c/strong\u003eThe semantic interpretation provided by the AI assists the digital investigator in understanding complex behaviors, accelerating the investigation, and potentially identifying malicious activities that might otherwise be missed or require extensive manual correlation. This can lead to concluding the investigation or initiating further, more targeted analysis based on the AI\u0026rsquo;s findings.\u003c/li\u003e\n\u003c/ol\u003e"},{"header":"3 Experimental Setup","content":"\u003cp\u003e \u003cb\u003e3.1 Virtual Environment\u003c/b\u003e \u003c/p\u003e \u003cp\u003eAll experiments were conducted within a controlled virtual environment to ensure reproducibility and isolation from external influences. Oracle VirtualBox was used to host a guest operating system configured as a typical Windows 11 workstation. 
The virtual machine was provisioned with the following specifications:\u003c/p\u003e \u003cp\u003e \u003cul\u003e \u003cli\u003e \u003cp\u003e \u003cb\u003eOperating System\u003c/b\u003e: Windows 11 (64-bit)\u003c/p\u003e \u003c/li\u003e \u003cli\u003e \u003cp\u003e \u003cb\u003eRAM\u003c/b\u003e: 4 GB\u003c/p\u003e \u003c/li\u003e \u003cli\u003e \u003cp\u003e \u003cb\u003eCPU\u003c/b\u003e: Dual-core virtual processor\u003c/p\u003e \u003c/li\u003e \u003cli\u003e \u003cp\u003e \u003cb\u003eDisk\u003c/b\u003e: 40 GB dynamically allocated virtual hard disk\u003c/p\u003e \u003c/li\u003e \u003c/ul\u003e \u003cdiv class=\"BlockQuote\"\u003e \u003cp\u003eThis setup allowed the creation and execution of custom programs simulating realistic system activity, followed by acquisition of full memory snapshots for forensic analysis.\u003c/p\u003e \u003c/div\u003e \u003c/p\u003e \u003cdiv id=\"Sec3\" class=\"Section2\"\u003e \u003ch2\u003e3.2 Design of Test Programs\u003c/h2\u003e \u003cp\u003e \u003cdiv class=\"BlockQuote\"\u003e \u003cp\u003eTo simulate diverse and realistic process behaviors, six custom C++ programs were developed for Windows. Each program was designed to emulate specific categories of benign or potentially suspicious system activities. The programs were compiled using Visual Studio Code with the MSVC toolchain and executed within the controlled Windows 11 virtual machine.\u003c/p\u003e \u003cp\u003eEach program was constructed to run for an extended duration, ensuring it remained active in memory during RAM acquisition. 
This was achieved by inserting explicit sleep statements near the end of the execution flow.\u003c/p\u003e \u003cp\u003eThe six programs and their behaviors are summarized as follows:\u003c/p\u003e \u003c/div\u003e \u003c/p\u003e \u003cp\u003e \u003cul\u003e \u003cli\u003e \u003cp\u003e \u003cb\u003ecreds_collector.exe\u003c/b\u003e: Mimics credential harvesting by scanning environment variables and file paths for known sensitive patterns (e.g., keywords such as \u0026ldquo;password\u0026rdquo; or \u0026ldquo;token\u0026rdquo;). Matching files are copied to a temporary location, simulating the collection of authentication artifacts during post-exploitation.\u003c/p\u003e \u003c/li\u003e \u003cli\u003e \u003cp\u003e \u003cb\u003edata_encoder.exe\u003c/b\u003e: Simulates data staging for exfiltration by reading local files, applying a Base64-style encoding to their contents, and writing the encoded data to new output files. No encryption or obfuscation beyond simple encoding is applied.\u003c/p\u003e \u003c/li\u003e \u003cli\u003e \u003cp\u003e \u003cb\u003efile_writer.exe\u003c/b\u003e: Emulates periodic logging or beaconing by continuously writing timestamped entries to a log file. This simulates programs that track local activity, generate status updates, or leave audit trails.\u003c/p\u003e \u003c/li\u003e \u003cli\u003e \u003cp\u003e \u003cb\u003elog_parser.exe\u003c/b\u003e: Acts as a local log analysis tool by reading application logs, searching for lines matching specific patterns (e.g., error or warning keywords), and writing filtered results to a summary file, simulating diagnostics or security log triage.\u003c/p\u003e \u003c/li\u003e \u003cli\u003e \u003cp\u003e \u003cb\u003enetwork_simulator.exe\u003c/b\u003e: Mimics a network monitoring or generation tool by generating in-memory packet-like structures, serializing them to disk, and repeating this process without actual network communication. This simulates packet crafting or network telemetry logging behavior.\u003c/p\u003e \u003c/li\u003e \u003cli\u003e \u003cp\u003e \u003cb\u003efile_encryptor_simulator.exe\u003c/b\u003e: Emulates ransomware behavior by recursively scanning files in a target directory, Base64-encoding their contents, and writing them to new files with altered filenames. While no real encryption occurs, the program simulates the file-renaming and transformation patterns typical of ransomware operations.\u003c/p\u003e \u003c/li\u003e \u003c/ul\u003e \u003c/p\u003e \u003c/div\u003e \u003cdiv id=\"Sec4\" class=\"Section2\"\u003e \u003ch2\u003e3.3 Program Execution and Memory Acquisition\u003c/h2\u003e \u003cp\u003eAfter developing the six custom programs, they were compiled into Windows executables and executed within the virtualized test environment. 
Each executable was stored in a dedicated directory and executed in parallel during the experiment, providing a variety of observable behaviors in memory.\u003cdiv class=\"BlockQuote\"\u003e\u003cp\u003eMemory acquisition was performed using \u003cb\u003eDumpIt\u003c/b\u003e, a lightweight, single-executable memory capture utility developed by Comae Technologies. DumpIt is specifically designed for live forensic response scenarios and is known for its minimal footprint on the target system. The tool combines driver and user-space components to perform full physical memory dumps without requiring installation or leaving persistent traces. Its streamlined execution makes it suitable for volatile evidence collection while minimizing the risk of contaminating memory content or altering process states.\u003c/p\u003e\u003cp\u003eDumpIt was executed from within the virtual machine. To facilitate data transfer, DumpIt, the resulting memory dump, and the six test programs were placed in a pre-configured \u003cb\u003eshared folder\u003c/b\u003e between the VM and the host operating system. This setup enabled seamless transfer of the captured memory image to the host system for further processing and analysis. 
The memory dump served as the central artifact for all subsequent phases of this research.\u003c/p\u003e\u003c/div\u003e\u003c/p\u003e \u003c/div\u003e \u003cdiv id=\"Sec5\" class=\"Section2\"\u003e \u003ch2\u003e3.4 Multi-Phase Memory Analysis Framework\u003c/h2\u003e \u003cp\u003e \u003cdiv class=\"BlockQuote\"\u003e \u003cp\u003eAn overview of the five-phase memory analysis framework is illustrated in Fig.\u0026nbsp;\u003cspan refid=\"Fig2\" class=\"InternalRef\"\u003e2\u003c/span\u003e.\u003c/p\u003e \u003c/div\u003e \u003c/p\u003e \u003cdiv id=\"Sec6\" class=\"Section3\"\u003e \u003ch2\u003e3.4.1 Phase 1 (System-Wide Context Extraction)\u003c/h2\u003e \u003cp\u003eThe first phase of our framework focuses on collecting a comprehensive system-wide context from the captured memory image. This context provides foundational visibility into the operating system\u0026rsquo;s global state at the time of memory acquisition and includes details about active modules, kernel structures, services, handles, network artifacts, and more. By establishing this baseline, subsequent phases can link process-specific activities with broader system artifacts.\u003cdiv class=\"BlockQuote\"\u003e\u003cp\u003eWe utilize Volatility 3, a state-of-the-art open-source memory forensics framework, to extract this contextual information. Volatility 3 offers a rich set of plugins, each capable of parsing specific structures or subsystems in the memory image. In this phase, we select plugins that produce high-value artifacts relevant for semantic correlation. 
Examples include:\u003c/p\u003e\u003c/div\u003e\u003c/p\u003e \u003cp\u003e \u003cul\u003e \u003cli\u003e \u003cp\u003ewindows.pslist \u0026ndash; Lists active processes with metadata such as PID and start time.\u003c/p\u003e \u003c/li\u003e \u003cli\u003e \u003cp\u003ewindows.modules \u0026ndash; Displays loaded kernel modules and drivers.\u003c/p\u003e \u003c/li\u003e \u003cli\u003e \u003cp\u003ewindows.svcscan \u0026ndash; Extracts information about installed and running services.\u003c/p\u003e \u003c/li\u003e \u003cli\u003e \u003cp\u003ewindows.handles \u0026ndash; Lists open handles across the system.\u003c/p\u003e \u003c/li\u003e \u003cli\u003e \u003cp\u003ewindows.sessions \u0026ndash; Shows details about active user sessions.\u003c/p\u003e \u003c/li\u003e \u003cli\u003e \u003cp\u003ewindows.netstat \u0026ndash; Active TCP/UDP sockets.\u003c/p\u003e \u003c/li\u003e \u003cli\u003e \u003cp\u003ewindows.netscan \u0026ndash; Scanned network artifacts, including hidden sockets.\u003c/p\u003e \u003c/li\u003e \u003cli\u003e \u003cp\u003etimeliner \u0026ndash; Compiles time-related artifacts from multiple sources.\u003c/p\u003e \u003c/li\u003e \u003c/ul\u003e \u003cdiv class=\"BlockQuote\"\u003e \u003cp\u003eEach plugin\u0026rsquo;s output is parsed and stored in a dedicated table within a structured SQLite 3 database. This organization promotes efficient querying and lays the ground-work for cross-phase correlation. By adopting a relational schema, the system maintains meaningful links between artifacts, supports complex queries, and scales effectively to accommodate multiple processes. 
For example, a network socket observed in the global handle table may later be attributed to a specific process in Phase 2, enabling analysts or AI agents to draw high-level inferences about network-related behavior.\u003c/p\u003e \u003c/div\u003e \u003c/p\u003e \u003c/div\u003e \u003cdiv id=\"Sec7\" class=\"Section3\"\u003e \u003ch2\u003e3.4.2 Phase 2 (Process-Level Profiling)\u003c/h2\u003e \u003cp\u003eWhile Phase 1 focuses on global system structures, Phase 2 narrows the scope to extract process-specific information for a predefined set of target processes. Processes are identified based on their image names and process identifiers (PIDs) recovered during Phase 1.\u003cdiv class=\"BlockQuote\"\u003e\u003cp\u003eIn this phase, Volatility 3\u0026rsquo;s process-aware plugins are used to construct detailed profiles for each target process. Each plugin is executed independently for each PID of interest, and the output is stored in per-process tables within the same SQLite 3 database used in Phase 1. 
This ensures all data across phases remains accessible in a unified format.\u003c/p\u003e\u003cp\u003eThe following plugins were employed in this phase to extract per-process artifacts:\u003c/p\u003e\u003c/div\u003e\u003c/p\u003e \u003cp\u003e \u003cul\u003e \u003cli\u003e \u003cp\u003ewindows.cmdline \u0026ndash; Captures the full command-line string used to launch the process.\u003c/p\u003e \u003c/li\u003e \u003cli\u003e \u003cp\u003ewindows.envars \u0026ndash; Retrieves the process\u0026rsquo;s environment variables, which may indicate system context or runtime configuration.\u003c/p\u003e \u003c/li\u003e \u003cli\u003e \u003cp\u003ewindows.privileges \u0026ndash; Lists active security privileges, helping assess the process\u0026rsquo;s level of access.\u003c/p\u003e \u003c/li\u003e \u003cli\u003e \u003cp\u003ewindows.handles \u0026ndash; Displays handles opened by the process, including references to files, registry keys, or synchronization objects.\u003c/p\u003e \u003c/li\u003e \u003cli\u003e \u003cp\u003ewindows.dlllist \u0026ndash; Enumerates dynamically loaded DLLs, revealing runtime dependencies and functionality.\u003c/p\u003e \u003c/li\u003e \u003cli\u003e \u003cp\u003ewindows.ldrmodules \u0026ndash; Shows modules loaded through the loader, with flags indicating mapping or initialization status.\u003c/p\u003e \u003c/li\u003e \u003cli\u003e \u003cp\u003ewindows.vadinfo \u0026ndash; Lists memory regions allocated by the process, including access rights and backing files.\u003c/p\u003e \u003c/li\u003e \u003cli\u003e \u003cp\u003ewindows.malfind \u0026ndash; Identifies suspicious or injected memory areas, useful for detecting stealthy code execution.\u003c/p\u003e \u003c/li\u003e \u003c/ul\u003e \u003cdiv class=\"BlockQuote\"\u003e \u003cp\u003eSome plugins in Volatility 3, such as windows.handles, serve both system-wide and process-specific roles. When run globally, windows.handles enumerates all handles opened across the system, providing a comprehensive view of object references by all processes. When scoped to a specific process (for example with its --pid option), it filters output to show only handles opened by that process. This duality allows investigators to perform both high-level system analysis and focused per-process inspection, aiding identification of shared resources, suspicious cross-process access, or unauthorized handle duplication.\u003c/p\u003e \u003cp\u003eBy the end of Phase 2, each process is represented by a set of structured data capturing its execution context, memory layout, resource access, and indicators of privilege or anomaly. This collection is essential for the semantic correlation and reconstruction steps that follow.\u003c/p\u003e \u003c/div\u003e \u003c/p\u003e \u003c/div\u003e \u003cdiv id=\"Sec8\" class=\"Section3\"\u003e \u003ch2\u003e3.4.3 Phase 3 (Cross-Layer Correlation)\u003c/h2\u003e \u003cp\u003eThe third phase acts as a bridge between the system-wide insights obtained in Phase 1 and the process-centric views established in Phase 2. Its objective is to enrich each process profile with contextual information from the overall system state, enabling a more comprehensive understanding of process behavior.\u003cdiv class=\"BlockQuote\"\u003e\u003cp\u003eTo achieve this, structured correlations are performed between system-level tables and process-specific tables within the unified SQLite database. 
These correlations reveal relationships, dependencies, and behavioral patterns that are not apparent when analyzing data in isolation.\u003c/p\u003e\u003c/div\u003e\u003c/p\u003e \u003cp\u003e \u003cb\u003eCorrelation Strategy\u003c/b\u003e \u003cdiv class=\"BlockQuote\"\u003e \u003cp\u003eA series of SQL queries is designed to associate process-level records with relevant entries from system-wide data based on shared attributes such as process identifier (PID), file paths, memory addresses, and service references. Each query produces insights that are merged into the process profiles to support semantic reconstruction. In the examples below, 6404 is the PID of the target process and handles_pid_6404 is its per-process handle table from Phase 2.\u003c/p\u003e \u003c/div\u003e \u003c/p\u003e \u003cp\u003e \u003cb\u003eExamples of Correlation Queries\u003c/b\u003e \u003c/p\u003e \u003cp\u003e \u003cul\u003e \u003cli\u003e \u003cp\u003e \u003cb\u003eTimeliner Process Events\u003c/b\u003e: Identify all timeline events explicitly mentioning the process.\u003c/p\u003e \u003c/li\u003e \u003c/ul\u003e \u003cdiv class=\"BlockQuote\"\u003e \u003cp\u003eSELECT * FROM timeliner\u003c/p\u003e \u003cp\u003eWHERE Description LIKE '%Process 6404%';\u003c/p\u003e \u003c/div\u003e \u003c/p\u003e \u003cp\u003e \u003cstrong\u003eUsefulness\u003c/strong\u003e \u003cp\u003eHelps reconstruct system-level actions (e.g., DLL loads, file access) attributed to the process.\u003c/p\u003e \u003c/p\u003e \u003cp\u003e \u003cul\u003e \u003cli\u003e \u003cp\u003e \u003cb\u003eService Handle Correlation\u003c/b\u003e: Match process-acquired handles to binary paths of running services to detect indirect interactions.\u003c/p\u003e \u003c/li\u003e \u003c/ul\u003e \u003cdiv class=\"BlockQuote\"\u003e \u003cp\u003eSELECT s.Name AS ServiceName, s.Binary AS ServiceBinary, h.Name AS HandleName\u003c/p\u003e \u003cp\u003eFROM svcscan s\u003c/p\u003e \u003cp\u003eJOIN handles_pid_6404 h\u003c/p\u003e \u003cp\u003eON LOWER(s.Binary) LIKE '%' || LOWER(h.Name) || '%'\u003c/p\u003e \u003cp\u003eWHERE h.Name IS NOT NULL AND h.Name != '';\u003c/p\u003e \u003c/div\u003e \u003c/p\u003e \u003cp\u003e \u003cstrong\u003eUsefulness\u003c/strong\u003e \u003cp\u003eMay reveal indirect interactions with critical system services or binaries. The WHERE clause excludes unnamed handles, since an empty name would turn the pattern into '%%' and match every service.\u003c/p\u003e \u003c/p\u003e \u003cp\u003e \u003cul\u003e \u003cli\u003e \u003cp\u003e \u003cb\u003eShared Handle Detection\u003c/b\u003e: Identify shared objects between the target process and other processes.\u003c/p\u003e \u003c/li\u003e \u003c/ul\u003e \u003cdiv class=\"BlockQuote\"\u003e \u003cp\u003eSELECT DISTINCT h1.PID AS PID1, h2.PID AS PID2,\u003c/p\u003e \u003cp\u003eh1.Offset AS ObjectAddress, h1.Name AS SharedResource, h1.Type AS ResourceType\u003c/p\u003e \u003cp\u003eFROM handles h1\u003c/p\u003e \u003cp\u003eJOIN handles h2 ON h1.Offset = h2.Offset\u003c/p\u003e \u003cp\u003eWHERE h1.PID = '6404' AND h2.PID != '6404'\u003c/p\u003e \u003cp\u003eAND h1.Name IS NOT NULL\u003c/p\u003e \u003cp\u003eORDER BY h1.Offset, h2.PID;\u003c/p\u003e \u003c/div\u003e \u003c/p\u003e \u003cp\u003e \u003cstrong\u003eUsefulness\u003c/strong\u003e \u003cp\u003eSuggests IPC, shared resources, or injection behavior. Offset is the kernel object address, so two rows with the same Offset refer to the same object rather than merely to objects with the same name.\u003c/p\u003e \u003c/p\u003e \u003cp\u003e \u003cul\u003e \u003cli\u003e \u003cp\u003e \u003cb\u003ePost-Creation Timeline Filtering\u003c/b\u003e: Retrieve system events that occurred only after the process was created.\u003c/p\u003e \u003c/li\u003e \u003c/ul\u003e \u003cdiv class=\"BlockQuote\"\u003e \u003cp\u003eSELECT [Created Date], Description FROM timeliner\u003c/p\u003e \u003cp\u003eWHERE [Created Date] \u0026gt; (\u003c/p\u003e \u003cp\u003eSELECT CreateTime FROM pslist WHERE PID = '6404'\u003c/p\u003e \u003cp\u003e);\u003c/p\u003e \u003c/div\u003e \u003c/p\u003e \u003cp\u003e \u003cstrong\u003eUsefulness\u003c/strong\u003e \u003cp\u003eReduces noise and isolates time-relevant activity. The comparison is a string comparison, so it is only correct when both timestamp columns are stored in the same sortable format (e.g., ISO 8601).\u003c/p\u003e \u003c/p\u003e \u003cp\u003e \u003cul\u003e \u003cli\u003e \u003cp\u003e \u003cb\u003eMFT Entry Monitoring\u003c/b\u003e: Filter for file system-related events involving file creation or renaming.\u003c/p\u003e \u003c/li\u003e \u003c/ul\u003e \u003cdiv class=\"BlockQuote\"\u003e \u003cp\u003eSELECT [Created Date], Description FROM timeliner\u003c/p\u003e \u003cp\u003eWHERE [Created Date] \u0026gt; (\u003c/p\u003e \u003cp\u003eSELECT CreateTime FROM pslist WHERE PID = '6404'\u003c/p\u003e \u003cp\u003e)\u003c/p\u003e \u003cp\u003eAND Description LIKE '%MFT FILE_NAME entry%';\u003c/p\u003e \u003c/div\u003e \u003c/p\u003e \u003cp\u003e \u003cstrong\u003eUsefulness\u003c/strong\u003e \u003cp\u003eIndicates creation or renaming of files by correlating with MFT activity.\u003c/p\u003e \u003c/p\u003e \u003cp\u003e \u003cul\u003e \u003cli\u003e \u003cp\u003e \u003cb\u003eNetwork Activity Extraction\u003c/b\u003e: List all socket connections associated with the process.\u003c/p\u003e \u003c/li\u003e \u003c/ul\u003e \u003cdiv class=\"BlockQuote\"\u003e \u003cp\u003eSELECT Created, Proto, LocalAddr, LocalPort, ForeignAddr, ForeignPort, State\u003c/p\u003e \u003cp\u003eFROM netstat\u003c/p\u003e \u003cp\u003eWHERE PID = '6404';\u003c/p\u003e \u003c/div\u003e \u003c/p\u003e \u003cp\u003e \u003cstrong\u003eUsefulness\u003c/strong\u003e \u003cp\u003eHighlights potential command-and-control, download, or exfiltration behavior.\u003c/p\u003e \u003c/p\u003e \u003c/div\u003e \u003cdiv id=\"Sec9\" class=\"Section3\"\u003e \u003ch2\u003e3.4.4 Phase 4 (Semantic Profile Generation and Filtering)\u003c/h2\u003e \u003cp\u003eAfter collecting process-specific data and performing system-level correlations, Phase 4 focuses on synthesizing this information into a structured, analyzable representation: the process semantic profile. 
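The Phase 1 to Phase 3 pipeline described above, as an added, self-contained example that is not the authors' code: it loads Volatility 3 JSON-renderer output into one SQLite table per plugin, runs the shared-handle and post-creation timeline correlations from the query list, and assembles a profile dictionary of the kind Phase 4 packages for the AI agent. The plugin rows are constructed samples (every PID, offset, name and timestamp is invented); the column names follow the plugins' headers, but the renderer layout is an assumption of this example rather than something the paper states.

```python
import json
import sqlite3

# Constructed samples shaped like Volatility 3's JSON renderer output (vol -r json -f mem.raw <plugin>):
# a list of row objects keyed by the plugin's column names, each carrying a "__children" list.
# Every value is invented; the column names follow the plugins' headers, but this layout is an
# assumption of the example, not something taken from the paper.
SAMPLE_PLUGIN_OUTPUT = {
    "pslist": [
        {"PID": 4512, "PPID": 800, "ImageFileName": "explorer.exe",
         "CreateTime": "2025-01-10T09:01:00+00:00", "__children": []},
        {"PID": 6404, "PPID": 4512, "ImageFileName": "creds_collector.exe",
         "CreateTime": "2025-01-10T09:20:05+00:00", "__children": []},
    ],
    "handles": [
        {"PID": 6404, "Offset": 0x9A0C1A2B3C40, "Type": "File",
         "Name": "\\Users\\lab\\Documents\\password.txt", "__children": []},
        {"PID": 6404, "Offset": 0x9A0C1A2B3D00, "Type": "Mutant",
         "Name": "\\BaseNamedObjects\\collector_lock", "__children": []},
        {"PID": 6404, "Offset": 0x9A0C1A2B3E80, "Type": "Key", "Name": None, "__children": []},
        {"PID": 4512, "Offset": 0x9A0C1A2B3D00, "Type": "Mutant",
         "Name": "\\BaseNamedObjects\\collector_lock", "__children": []},
        {"PID": 4512, "Offset": 0x9A0C1A2B3E80, "Type": "Key", "Name": None, "__children": []},
    ],
    "timeliner": [
        {"Plugin": "PsList", "Created Date": "2025-01-10T09:01:00+00:00",
         "Description": "Process 4512 explorer.exe", "__children": []},
        {"Plugin": "PsList", "Created Date": "2025-01-10T09:20:05+00:00",
         "Description": "Process 6404 creds_collector.exe", "__children": []},
        {"Plugin": "MFTScan", "Created Date": "2025-01-10T09:20:07+00:00",
         "Description": "MFT FILE_NAME entry password.txt", "__children": []},
    ],
}

def flatten(rows):
    """Yield renderer rows depth-first, dropping the __children nesting."""
    for row in rows:
        yield {k: v for k, v in row.items() if k != "__children"}
        yield from flatten(row.get("__children", []))

def quote_ident(name):
    """Double-quote an SQL identifier so names such as "Created Date" or "Offset(V)" survive."""
    return '"' + name.replace('"', '""') + '"'

def _cell(value):
    """Scalars keep their JSON type (PIDs stay INTEGER); nested values are stored as JSON text."""
    return value if value is None or isinstance(value, (int, float, str)) else json.dumps(value)

def load_plugin(conn, table, renderer_json):
    """Phase 1/2 ingestion: one table per plugin output, columns taken from the first row."""
    rows = list(flatten(json.loads(renderer_json)))
    cols = list(rows[0])
    conn.execute(f"DROP TABLE IF EXISTS {quote_ident(table)}")
    conn.execute(f"CREATE TABLE {quote_ident(table)} ({', '.join(map(quote_ident, cols))})")
    conn.executemany(f"INSERT INTO {quote_ident(table)} VALUES ({', '.join('?' for _ in cols)})",
                     [tuple(_cell(row.get(c)) for c in cols) for row in rows])
    conn.commit()
    return len(rows)

def build_database(plugin_output=SAMPLE_PLUGIN_OUTPUT):
    """Load every plugin result into an in-memory SQLite database (a file path works the same)."""
    conn = sqlite3.connect(":memory:")
    for table, rows in plugin_output.items():
        load_plugin(conn, table, json.dumps(rows))
    return conn

def shared_handles(conn, pid):
    """Phase 3: objects the target process shares with other processes (IPC or injection hint).
    Offset is the kernel object address, so equal offsets mean the same object, not just the same name."""
    return conn.execute("""SELECT DISTINCT h1.PID, h2.PID, h1.Offset, h1.Name, h1.Type
                           FROM handles h1 JOIN handles h2 ON h1.Offset = h2.Offset
                           WHERE h1.PID = ? AND h2.PID != ? AND h1.Name IS NOT NULL
                           ORDER BY h1.Offset, h2.PID""", (pid, pid)).fetchall()

def events_after_create(conn, pid, pattern="%"):
    """Phase 3: timeline rows strictly after the process start, optionally narrowed by a LIKE pattern
    such as '%MFT FILE_NAME entry%'. Correct only because both timestamps are ISO 8601 text."""
    return conn.execute("""SELECT [Created Date], Description FROM timeliner
                           WHERE [Created Date] > (SELECT CreateTime FROM pslist WHERE PID = ?)
                             AND Description LIKE ? ORDER BY [Created Date]""", (pid, pattern)).fetchall()

def process_profile(conn, pid):
    """Assemble the JSON-ready profile that Phase 4 packages for the AI agent."""
    image, ppid, created = conn.execute(
        "SELECT ImageFileName, PPID, CreateTime FROM pslist WHERE PID = ?", (pid,)).fetchone()
    return {"pid": pid, "image": image, "ppid": ppid, "create_time": created,
            "handles": conn.execute("SELECT Type, Name FROM handles WHERE PID = ?", (pid,)).fetchall(),
            "shared_handles": shared_handles(conn, pid),
            "events_after_create": events_after_create(conn, pid),
            "file_events": events_after_create(conn, pid, "%MFT FILE_NAME entry%")}

if __name__ == "__main__":
    print(json.dumps(process_profile(build_database(), 6404), indent=2))
```

To use it on a real image, replace the samples with the parsed output of `vol -r json -f mem.raw windows.pslist` (and the other plugins) and point `sqlite3.connect` at a file. PIDs are stored as integers here, so the queries bind integer parameters; if a pipeline stores every column as text, the quoted `'6404'` form from the query list above is the one that matches.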
This profile captures the observed behavior of a process as a combination of artifacts, relationships, timelines, and memory-resident strings.\u003c/p\u003e \u003cp\u003e \u003cb\u003eString Extraction and Filtering\u003c/b\u003e \u003cdiv class=\"BlockQuote\"\u003e \u003cp\u003eIn parallel, memory dump files for each process are generated using procdump, which was placed in the pre-configured shared directory between the virtual machine and the host system. Each process was individually dumped using procdump prior to executing DumpIt to capture the full memory snapshot. Because procdump runs on the live system, its own process, handles, and output files are themselves present in the subsequent DumpIt image; in a real investigation, per-process memory would instead be carved from the full image (for example with Volatility 3\u0026rsquo;s windows.memmap --pid \u0026lt;PID\u0026gt; --dump) so that the evidence is not altered. The resulting dumps were then scanned using the Sysinternals strings utility. Both ASCII and UTF-16LE strings were extracted using the utility\u0026rsquo;s default behavior, capturing a broad range of meaningful content from the process\u0026rsquo;s address space.\u003c/p\u003e \u003cp\u003eSince raw strings include significant noise (e.g., memory padding, corrupted characters, or binary blobs), a custom filter based on English linguistic structure was implemented. This filtering process is designed to discard random or low-value strings while retaining likely meaningful content.\u003c/p\u003e \u003cp\u003eThe filtering uses a substring matching algorithm built upon the NLTK corpus of English words. A three-character substring is considered valid if it appears in any English word, and a string is kept as soon as one of its three-character windows is valid. The following Python logic illustrates this approach:\u003c/p\u003e \u003c/div\u003e \u003c/p\u003e\u003cp\u003e\u003cstrong\u003eListing 1:\u0026nbsp;\u003c/strong\u003ePython function to check for non-random strings\u003c/p\u003e\n\u003cp\u003efrom nltk.corpus import words\u003c/p\u003e\n\u003cp\u003e# valid_substrings: every three-character substring of any word in the NLTK corpus (requires nltk.download('words'))\u003c/p\u003e\n\u003cp\u003evalid_substrings = {w[i:i+3] for w in (x.lower() for x in words.words()) for i in range(len(w) - 2)}\u003c/p\u003e\n\u003cp\u003edef is_non_random(s):\u003c/p\u003e\n\u003cp\u003e    s_lower = s.lower()\u003c/p\u003e\n\u003cp\u003e    for i in range(len(s_lower) - 2):\u003c/p\u003e\n\u003cp\u003e        if s_lower[i:i+3] in valid_substrings:\u003c/p\u003e\n\u003cp\u003e            return True\u003c/p\u003e\n\u003cp\u003e    return False\u003c/p\u003e\u003cp\u003e \u003cdiv class=\"BlockQuote\"\u003e \u003cp\u003eFiltered strings are stored separately for each process and later attached to the final semantic profile. This enriches the profile with natural-language clues potentially representing log messages, variable names, user inputs, or internal functionality.\u003c/p\u003e \u003c/div\u003e \u003c/p\u003e \u003cp\u003e \u003cb\u003eAI-Ready Packaging\u003c/b\u003e \u003cdiv class=\"BlockQuote\"\u003e \u003cp\u003eIn preparation for semantic interpretation, each process is represented by a comprehensive AI-ready profile composed of:\u003c/p\u003e \u003c/div\u003e \u003c/p\u003e \u003cp\u003e \u003cul\u003e \u003cli\u003e \u003cp\u003eStructured data combining process-specific information and correlated system-wide artifacts, collected into a JSON file.\u003c/p\u003e \u003c/li\u003e \u003cli\u003e \u003cp\u003eA filtered set of meaningful memory-resident strings derived from the process dump, stored in a plain text file.\u003c/p\u003e \u003c/li\u003e \u003c/ul\u003e \u003cdiv class=\"BlockQuote\"\u003e \u003cp\u003eThis composite representation captures both structural and behavioral signals, providing a rich and condensed input format for AI agents to infer the semantic behavior of the process.\u003c/p\u003e \u003c/div\u003e \u003c/p\u003e \u003cp\u003e \u003cb\u003eAutomation of Forensic Data Extraction and Profiling\u003c/b\u003e \u003cdiv class=\"BlockQuote\"\u003e \u003cp\u003eTo support consistency, scalability, and reproducibility, a suite of automation scripts was developed covering the first three phases of the framework. 
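The string extraction and the Listing 1 filter from the String Extraction and Filtering step above, as an added example that is not the authors' code: it approximates the Sysinternals strings defaults (printable ASCII and UTF-16LE runs of at least four characters) over a constructed byte blob standing in for a procdump file, applies Listing 1's any-valid-trigram rule, and goes one step beyond the paper with a trigram-ratio score, because the any-trigram rule accepts a random string as soon as it happens to contain one common trigram. The word list is a small stand-in for the NLTK corpus so that the example runs offline.

```python
import re

# Constructed stand-in for the NLTK English word corpus (nltk.corpus.words.words()),
# so the example runs offline; the framework uses the full corpus instead.
WORDLIST = ["password", "token", "credential", "collector", "temp", "copy", "file",
            "users", "documents", "error", "warning", "encode", "output", "the", "and"]


def build_trigrams(words):
    """Every 3-character substring of any corpus word (the paper's valid_substrings)."""
    return {w[i:i + 3] for w in (x.lower() for x in words) for i in range(len(w) - 2)}


VALID_SUBSTRINGS = build_trigrams(WORDLIST)


def extract_strings(blob, min_len=4):
    """Approximate the Sysinternals strings defaults: printable ASCII runs and UTF-16LE runs
    of at least min_len characters, returned as (offset, encoding, text) sorted by offset."""
    ascii_run = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_run = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = [(m.start(), "ascii", m.group().decode("ascii")) for m in ascii_run.finditer(blob)]
    found += [(m.start(), "utf-16le", m.group().decode("utf-16-le")) for m in utf16_run.finditer(blob)]
    return sorted(found)


def is_non_random(s, valid=VALID_SUBSTRINGS):
    """Listing 1's rule: keep the string if any 3-character window is a corpus trigram."""
    s_lower = s.lower()
    return any(s_lower[i:i + 3] in valid for i in range(len(s_lower) - 2))


def trigram_ratio(s, valid=VALID_SUBSTRINGS):
    """Stricter score than Listing 1: the fraction of 3-character windows inside alphabetic
    tokens that are corpus trigrams. Digits, punctuation and separators are skipped so that
    paths and sentences are not penalised, while one lucky trigram inside junk scores low."""
    windows = [tok[i:i + 3] for tok in re.findall(r"[a-z]+", s.lower()) for i in range(len(tok) - 2)]
    if not windows:
        return 0.0
    return sum(w in valid for w in windows) / len(windows)


def filter_strings(strings, min_ratio=0.0):
    """Apply Listing 1's rule, optionally tightened with a minimum trigram ratio."""
    return [s for s in strings if is_non_random(s) and trigram_ratio(s) >= min_ratio]


# Constructed byte blob standing in for a procdump output file.
SAMPLE_DUMP = (
    b"\x00\x00\x00\x00MZ\x90\x00"                               # short and unprintable header bytes
    + b"C:\\Users\\lab\\Documents\\password.txt\x00"             # ASCII path
    + b"\xde\xad\xbe\xef"                                        # binary padding
    + "copied token to temp".encode("utf-16-le") + b"\x00\x00"  # UTF-16LE log message
    + b"Qz7xK2pL\x00"                                            # random-looking ASCII
    + b"xkqthezv\x00"                                            # junk that happens to contain "the"
    + b"@#$%^&*\x00"                                             # printable but meaningless
)


if __name__ == "__main__":
    for offset, encoding, text in extract_strings(SAMPLE_DUMP):
        verdict = "keep" if is_non_random(text) else "drop"
        print(f"{offset:#06x} {encoding:8} ratio={trigram_ratio(text):.2f} {verdict} {text!r}")
```

With `min_ratio=0.0` the filter behaves exactly like Listing 1 and keeps `xkqthezv` because of the trigram "the"; raising `min_ratio` to 0.5 drops it while the path and the UTF-16 log message survive, which is the trade-off to tune when the string list is meant to stay small enough for an LLM prompt.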
In Phase 1, a script extracts system-wide forensic data using a predefined set of Volatility 3 plugins and stores the results in automatically created SQLite tables. Phase 2 includes a script that iterates over selected process IDs, runs process-specific plugins, and dynamically creates and populates per-process tables with the extracted data. In Phase 3, another script builds semantic profiles for each process by aggregating plugin outputs and executing correlation queries that combine system-wide and process-level information. All scripts handle table creation, data normalization, and insertion automatically, ensuring a fully repeatable pipeline from raw memory analysis to structured process profiling.

3.4.5 Phase 5 (AI-Assisted Semantic Reconstruction)

In the final phase, large language models (LLMs) are leveraged to perform semantic reasoning over the structured process profiles produced in Phase 4.
The goal is to bridge the gap between raw forensic artifacts and a high-level understanding of process behavior, intent, and context.

The profiles were tested with the following leading publicly available LLMs:

- ChatGPT (based on OpenAI's GPT-4 architecture),
- Gemini (Google's multi-modal agent, version 2.5).

These agents were selected for their strong comprehension abilities and capacity to analyze both structured JSON data and free text. Each AI agent is provided with the following inputs:

1. The process's semantic profile (in JSON format).
2. A list of filtered, meaningful strings extracted from the process memory.
3. An instruction prompt directing the AI to interpret the behavior of the process, identify actions taken, and hypothesize the process's purpose.

The instruction prompt reads:

> You are given: A JSON process profile that includes runtime characteristics like privileges, command-line arguments, DLLs, handles, memory mappings, and event timeline data. A text file containing memory strings related to that process. From this information, provide a concise summary (2–3 sentences max) of the process's likely behavior and purpose. Focus on what the process is doing, how it interacts with the system, and any indicators of intent. Be accurate and avoid guessing; only include what can reasonably be inferred.

This prompt is accompanied by the JSON profile and the string list provided as attachments.

This final phase shows that with carefully prepared input, large language models can understand complex forensic evidence. Instead of replacing human analysts, these AI agents help investigations by finding patterns, behaviors, and possible threats more quickly and accurately.

4 Results

This section evaluates the effectiveness of AI agents in producing high-level semantic summaries of process behavior based on forensic profiles generated in the preceding phases.
Rather than focusing on fine-grained details such as specific API calls or memory allocations, the emphasis is on the agents' ability to understand and abstract the overall purpose of a process: for example, whether it acts as a credential stealer, log parser, file encrypter, and so forth.

For each process, the AI-generated abstract interpretation is compared against the known ground truth. The objective is to assess whether the AI agents can accurately infer the role of the process.

It is important to emphasize that the proposed AI-assisted framework is not intended to replace traditional forensic techniques or manual expert analysis. Instead, it serves as a complementary layer, offering meaningful shortcuts and interpretive support. Given that AI responses are inherently non-deterministic and occasionally speculative, human oversight remains essential. The goal is to augment the analyst's capabilities rather than to automate conclusions.

4.1 ChatGPT Results

This subsection shows the high-level summaries produced by ChatGPT for each of the six processes. The summaries are based only on the structured process profile and the filtered strings from the process memory.

- creds_collector.exe: ChatGPT recognized this process as a credential harvesting utility, citing its elevated privileges and interaction with authentication-related components. This closely matches its ground-truth behavior, which involves locating and copying files associated with stored credentials from the system.
- data_encoder.exe: ChatGPT described this process as a data staging or transformation utility, likely involved in encoding data for later use. This interpretation aligns well with the program's actual function of applying Base64 encoding to input files and saving the results as output.
- file_encryptor_simulator.exe: ChatGPT recognized this process as performing or simulating file encryption, citing its use of cryptographic functions and interaction with the file system. This accurately reflects its intended role as a file encryption simulator designed to mimic ransomware-like behavior.
- file_writer.exe: ChatGPT described this process as a data persistence or logging utility, based on its structured file-writing behavior. This aligns well with the program's actual function of repeatedly writing timestamped binary data to disk.
- log_parser.exe: ChatGPT identified this process as performing log parsing and analysis, based on its interaction with log files and filtering behavior. This accurately reflects the program's intended role of scanning logs and extracting relevant entries.
- network_simulator.exe: ChatGPT described this process as a network behavior emulator, highlighting its simulated socket activity and interaction with networking components. This matches the intended design of generating synthetic network-like behavior without real data transmission.

In summary, across all six test cases, ChatGPT was able to infer accurate and semantically relevant summaries that reflected the original design goals of the processes. While it abstracted away implementation details, ChatGPT consistently captured the high-level purpose of each program. This confirms ChatGPT's effectiveness in semantic reconstruction when guided by structured forensic inputs.

4.2 Gemini Results

This subsection presents the high-level semantic interpretations provided by Gemini for each of the six profiled processes. Each interpretation is based solely on the structured process profile and the process's filtered strings.

- creds_collector.exe: Gemini identified this process as a credential harvesting or management utility, citing associations with APIs such as CredProtectW, NCryptEncrypt, and LsaSetSecret. While these APIs were not explicitly called by the program, their presence in memory-resident strings or linked modules (e.g., advapi32.dll, sechost.dll) likely contributed to this inference. This reflects a common heuristic used by AI agents to associate security-related libraries and patterns with credential activity. Overall, the AI correctly abstracted the program's intent: locating and copying files potentially containing sensitive user information.
- data_encoder.exe: Gemini interpreted this process as a data transformation or encryption utility, primarily based on the presence of cryptographic libraries and memory-resident patterns resembling encoding behavior. While the program uses simple Base64 encoding rather than true encryption, the AI's conclusion reflects the observable signs of data manipulation. Mentions of memory dump files and references to other processes may have contributed to Gemini's inference about inter-process interaction or data staging, even though the actual implementation does not perform such operations. Overall, the summary aligns with the core semantic function of preparing data in an obfuscated form.
- file_encryptor_simulator.exe: Gemini accurately described this process as one performing file encryption and decryption, referencing the use of encryption-related APIs and suggesting potential data transfer capabilities. In reality, the program simulates ransomware-like behavior by recursively applying Base64 encoding to files and renaming them to mimic encryption, without using real cryptographic APIs. While it does not actually encrypt or transfer data, the AI's abstraction captures the core semantic intent of simulating an encryption-based attack pattern.
- file_writer.exe: Gemini described this process as performing file manipulation with cryptographic transformations and possible data transmission. In reality, the program periodically writes structured log-like entries to a file, without applying any encryption or transmitting data. While the AI correctly captured the persistence aspect of file writing, the inclusion of cryptographic and network implications overstates the actual implementation. Nonetheless, the abstraction partially aligns with the intended behavior of simulating repeated disk activity.
- log_parser.exe: Gemini characterized this process as a system utility for log analysis and runtime data parsing, citing interactions with registry entries and temporary files. This interpretation aligns well with the ground truth, as the actual program reads local log files and filters specific entries into a summary file. While the AI abstracted the behavior to a broader diagnostic context, the core functionality of parsing and reducing log data was correctly captured.
- network_simulator.exe: Gemini abstracted this process as a network simulation utility that manages temporary files and diagnostic artifacts. This interpretation is consistent with the actual implementation, which generates in-memory packet-like structures and logs them to disk without performing real network communication. The AI's summary appropriately captures the process's high-level semantic intent while avoiding unnecessary focus on low-level execution specifics.

Overall, Gemini produces generally consistent high-level interpretations that align with the intended semantics of the tested processes. While it occasionally infers beyond observable behavior, its summaries reflect a reasonable understanding of process roles based on the available forensic inputs.

5 Discussion and Future Work

This work presents a practical and effective framework for analyzing memory dumps using AI agents. By combining process-specific data, system-wide correlations, and filtered strings, the framework helps AI agents understand the behavior of individual processes in a clear and structured way. Extracting high-level semantic meaning from low-level forensic data is an important step toward making memory analysis more accessible and insightful. Our AI-assisted approach is not intended to replace traditional forensic methods or expert analysis but to complement them by providing high-level summaries that can speed up investigations. Because AI outputs can be non-deterministic or speculative, human oversight remains essential. The goal is to support analysts, not automate decisions.

There are some limitations. The accuracy of results depends heavily on the completeness of the memory dump. If a process ends before memory capture, important information may be missing. Memory dumps capture only a single point in time, so long-term or evolving behaviors cannot be observed.
Some Volatility plugins may produce inconsistent or noisy data that requires cleanup and normalization. Large language models also have limitations: they sometimes guess or generate speculative answers, and their output can vary depending on the prompt.

Several improvements are possible. Capturing multiple memory snapshots over time would allow detection of behavior changes. Using automatic prompt generation based on profile content could reduce errors and improve consistency. Adding confidence scores for profile elements would help both humans and AI assess the reliability of information. Integrating external threat intelligence and tagging known patterns could provide useful context. Expanding support to Linux and macOS would increase applicability. Building a dataset of labeled processes and training a dedicated AI model could improve performance. Finally, introducing agentic AI with feedback loops would enable the system to refine its analysis over multiple rounds, making the output more accurate and context-aware.

6 Related Work

Memory forensics, also known as volatile memory analysis, has become a vital area in digital forensics, offering access to runtime artifacts such as active processes, loaded modules, and network connections Nyholm et al. (2022); Inoue et al. (2011); Solomon et al. (2007); Schuster (2008a); Walters and Petroni (2007); Al-Saleh et al. (2023). Unlike traditional disk-based analysis, memory forensics allows investigators to capture transient data that might otherwise be lost upon shutdown.
This capability is particularly significant for identifying stealthy malware, especially fileless threats that operate solely in memory Qawasmeh et al. (2019); Al-Saleh et al. (2020); Qawasmeh and Al-Saleh (2020).

Several studies have highlighted the critical nature of memory-resident information for uncovering forensic evidence. For instance, Ottmann et al. (2023) evaluated 360 memory dumps from a Linux system, revealing that nearly a third were incomplete and almost half contained inconsistencies that could compromise forensic conclusions. The authors proposed a new approach for estimating causal consistency and found that issues often correlated with system load and thread activity.

Specialized tools have been developed to assist in extracting memory artifacts. GrepEXEC, introduced in Bugcheck (2006), enables the identification of executive structures like ETHREAD and EPROCESS based on unique signatures. Other works have applied text mining techniques to streamline the discovery of relevant forensic data Beebe and Dietrich (2007); Beebe and Clark (2007).

The structure and behavior of Windows Virtual Address Descriptor (VAD) trees have also been leveraged in memory analysis, as demonstrated in Dolan-Gavitt (2007). Additionally, Schuster (2008b) examined how Windows pool allocation strategies impact memory forensic procedures. Enhancing the reliability of collected evidence, Law et al. (2010) advocated for acquiring memory across multiple snapshots to validate findings. Virtualization further increases the relevance of memory forensics. Graziano et al. (2013) proposed a set of methods for inspecting memory in virtualized environments, including the detection of hypervisors using Intel VT-x technology.
Their extension to the Volatility framework Walters (2007) enables address space reconstruction of virtual machines. Similarly, Dolan-Gavitt (April 2009); Sylve et al. (2017) tackled the challenge of analyzing modern Windows hibernation files after Microsoft altered their structure, making existing tools ineffective.

Memory forensics also facilitates investigations into user activity. Research in Olajide et al. (2009) found that information from common applications could be recovered from memory, such as documents and webpages. Web browsing artifacts, even in private or incognito mode, were studied in Said et al. (2011); Ohana and Shashidhar (2013); Al-Khaleel et al. (2014), revealing residual data left behind in RAM. Additional capabilities such as call stack reconstruction have been implemented as Volatility plugins Pulley (2013); Pshoul (2017) and later adapted to the Rekall framework Otsuki et al. (2018); Inc (2017).

From an operational security perspective, memory forensics plays a key role in detecting malware and advanced persistent threats. Studies like Cohen (2017) used YARA rules to identify malware patterns in memory, while Lapso et al. (2017) developed visualization tools to assist forensic interpretation. More recently, memory analysis was used in detecting network reconnaissance behaviors Al-Saleh et al. (2019), and TCP buffer retention of critical data was demonstrated in Al-Saleh and Al-Sharif (2012).

As malware grows more evasive, AI-driven analysis has gained traction in memory forensics. Research shows that machine learning and deep learning techniques can assist in identifying malicious behaviors based on volatile memory characteristics Schuster (2006). Hybrid techniques combining dynamic analysis, memory inspection, and statistical modeling are increasingly seen as essential to addressing modern threats.
The recent work volGPT Oh et al. (2024) introduces a prompt-based LLM system to triage memory-resident processes for ransomware detection using Volatility plugins like pslist, vadinfo, and malfind. While their approach focuses on flagging suspicious processes through predefined prompts and plugin metadata, our work differs both in scope and depth. We propose a comprehensive five-phase framework for AI-assisted semantic reconstruction of process behavior, integrating system-wide context, per-process plugin data, linguistically filtered memory-resident strings, and LLM-driven reasoning. Unlike volGPT, which is tailored to ransomware detection, our framework generalizes to any process, benign or malicious, and produces structured profiles that support free-text semantic interpretation. Our approach not only enhances forensic visibility but also moves toward narrative-level behavioral reconstruction, offering richer insight into process intent beyond static triage.

Recent efforts to improve the performance of the Volatility Framework without altering its codebase have shown that PyPy can deliver up to 20% performance gains using a Docker-based setup and JIT alternatives Gharaibeh et al. (2024).

Nissan et al. (2023) proposed a forensic technique to infer recent database query activity from memory snapshots of DBMS processes by extracting byte-frequency features from a memory region called the sort area fragment, and classifying query operations using support vector machines (SVMs), achieving 92% accuracy on MySQL and 90% on PostgreSQL.

A machine learning approach for classifying memory contents at the page level has been proposed to aid digital media triage in forensic investigations Al-Saleh et al. (2025).

The application of artificial intelligence (AI) and machine learning (ML) in digital forensics has gained significant traction, moving beyond traditional signature-based detection to more advanced anomaly detection, classification, and behavioral analysis Akeiber (2025). Early applications involved classic ML algorithms for tasks such as malware classification based on static or dynamic features Vinayakumar et al. (2019), network intrusion detection Chen et al. (2024); Adjei et al. (2024), and anomaly detection in system logs or user behavior Hussein and Sándor (2024); Pan et al. (2024). Our work specifically leverages these advanced AI agents to perform semantic reasoning over structured and semi-structured forensic data derived from memory dumps. Unlike previous AI applications that primarily focused on classification or anomaly detection based on statistical patterns, we aim to interpret the holistic behavior of processes by feeding comprehensive forensic profiles (combining structured plugin outputs with linguistically filtered process memory strings) to LLMs. This approach allows the AI to move beyond merely identifying "what" artifacts are present to inferring "why" a process exhibited certain behaviors (e.g., credential scraping, data encoding, persistence mechanisms, or command-and-control communication). This represents a novel and significant application of LLMs in memory forensics, bridging low-level technical evidence with high-level semantic interpretation.
By providing a framework for AI to reason over volatile memory artifacts, our methodology significantly enhances an analyst's ability to understand process intent and behavior, even in the absence of source code or live observation, paving the way for scalable, automated, and intelligent analysis of volatile memory in modern forensic toolkits.

Despite advancements, AI-assisted memory forensics faces significant challenges that limit its widespread adoption and effectiveness. These include:

- Limited availability of labeled datasets: There is a scarcity of high-quality, publicly available, and labeled datasets specific to volatile memory analysis for training robust AI models. This often necessitates resource-intensive manual labeling or the creation of synthetic datasets, which may not fully capture the complexity of real-world scenarios.
- Malware obfuscation and anti-forensics techniques: Sophisticated malware employs advanced obfuscation and anti-forensics techniques designed to evade detection and analysis, often altering memory artifacts at runtime or employing self-modifying code. This makes it challenging for static and even dynamic AI models to accurately identify malicious behaviors from memory snapshots.

7 Conclusion

This work proposes a comprehensive five-phase framework for AI-assisted semantic reconstruction of process behavior from memory dumps. Leveraging Volatility 3 plugins, we systematically extracted and correlated both system-wide and process-specific forensic artifacts.
These artifacts were organized into structured profiles enriched with linguistically filtered process memory strings. Through a cross-layer correlation strategy, behaviorally meaningful process representations were created and subsequently analyzed by advanced AI agents (ChatGPT and Gemini).

Our experiments in a controlled Windows 11 environment using custom test programs demonstrate the effectiveness of this approach. We showed that even from a single memory snapshot, it is possible to infer what a process was doing, such as collecting credentials, encrypting files, preparing data for exfiltration, or simulating network activity.

This work highlights a novel intersection between memory forensics and artificial intelligence. By bridging low-level memory evidence with high-level semantic interpretation, our methodology enhances analysts' ability to understand process intent and behavior, even in the absence of source code or live observation. As AI tools continue to evolve, we anticipate this approach becoming an integral part of modern forensic toolkits, enabling scalable, automated, and intelligent analysis of volatile memory.

Declarations

Author Contributions

All authors contributed to the study conception, experimental design, and manuscript review. M.I.A.-S. took the lead on all aspects of the research, including the framework implementation, development of the test programs, and the primary drafting of the manuscript. A.A. (Akram Alkouz) and A.A. (Abdulsalam Alarabeyyat) participated in the experimental analysis and the evaluation of the AI agent responses.
All authors read and approved the final manuscript.\u003c/p\u003e"},{"header":"References","content":"\u003col\u003e\u003cli\u003e\u003cspan\u003eAdjei, P.O., Tetarave, S.K., John, C., et al.: Robust network anomaly detection with k-nearest neighbors (knn) enhanced digital twins. In: SoutheastCon 2024, IEEE, pp 421\u0026ndash;426 (2024)\u003c/span\u003e\u003c/li\u003e \u003cli\u003e\u003cspan\u003eAkeiber, H.J.: A comprehensive study of cybercrime and digital forensics through machine learning and ai. Al-Rafidain J. Eng. Sci. pp 369\u0026ndash;395 (2025)\u003c/span\u003e\u003c/li\u003e \u003cli\u003e\u003cspan\u003eAl-Khaleel, A., Bani-Salameh, D., Al-Saleh, M.I.: On the memory artifacts of the tor browser bundle. In: The International Conference on Computing Technology and Information Management (ICCTIM), Society of Digital Information and Wireless Communication, p 41 (2014)\u003c/span\u003e\u003c/li\u003e \u003cli\u003e\u003cspan\u003eAl-Saleh, M.I., Al-Sharif, Z.A.: Utilizing data lifetime of tcp buffers in digital forensics: Empirical study. Digit. Invest. \u003cb\u003e9\u003c/b\u003e(2), 119\u0026ndash;124 (2012)\u003c/span\u003e\u003c/li\u003e \u003cli\u003e\u003cspan\u003eAl-Saleh, M.I., Al-Sharif, Z.A., Alawneh, L.: Network reconnaissance investigation: A memory forensics approach. In: 2019 10th International Conference on Information and Communication Systems (ICICS), IEEE, pp 36\u0026ndash;40 (2019)\u003c/span\u003e\u003c/li\u003e \u003cli\u003e\u003cspan\u003eAl-Saleh, M.I., Qawasmeh, E., Al-Sharif, Z.A.: Utilizing debugging information of applications in memory forensics. J. Univers. Comput. Sci. \u003cb\u003e26\u003c/b\u003e(7), 805\u0026ndash;826 (2020)\u003c/span\u003e\u003c/li\u003e \u003cli\u003e\u003cspan\u003eAl-Saleh, M.I., Alkouz, A., Alarabeyyat, A., et al.: Towards classifying file segments in memory using machine-learning. In: 2023 9th International Conference on Infor-mation Technology Trends (ITT), pp 44\u0026ndash;49, (2023). 
Keywords: Memory forensics, process behavior analysis, semantic reconstruction, digital forensics, volatile memory analysis, Volatility 3, artificial intelligence, large language models, AI-assisted forensics, malware analysis, behavioral inference, process profiling

Submitted to Cluster Computing (Springer, https://www.springer.com/journal/10586) on 2026-01-08; version 1 posted February 12th, 2026; status: under review (revision requested 2026-03-30).
