2025/07/27/BelkaCTF-7-Volatility3-vs-MemProcFS

[giscus[bot]]

2025/07/27/BelkaCTF-7-Volatility3-vs-MemProcFS

I encountered an interesting situation during BelkaCTF 7. This is not a writeup for one of the challenges but will give the solution as part of examining the oddity I experienced. I’m hoping that someone might be able to shed some light on the reason for the difference or if I did something incorrectly. One of the challenges required dumping a process from memory for further analysis. What is baffling is that I’m pretty sure that Belkasoft X uses Volatility 3 for processing memory images. But using Volatility 3 manually did not work for me. I ended up getting the right answer with MemProcFS.

https://ogmini.github.io/2025/07/27/BelkaCTF-7-Volatility3-vs-MemProcFS.html

[spitfirerxf]

This is just a guess, but it's probably how each has different way of carving files.
Volatility's pslist carves based on the process allocation in the memory, as far as I know the system will allocate the memory every certain bytes or so. I don't know exactly how much, but it's probably like, let's say the file is 143byte, and the process stack is allocated every 4byte, so there will be a 144byte allocation with 1 excess byte.
Volatility's dumpfiles carves based on the cached file, could be from MFT resident, or the file is recently used and is stored somewhere in the filesystem cache.
While MemProcFs probably do the carving based on the file start and file end.

[ogmini]

Thanks, definitely some directions to explore. The paging size would make sense.