BSidesLuxembourg 2026

Blackhoodie training - Introduction to Linux Memory Forensics

  • 2026-05-06, C1.03.10: lift to level 3 room #10

All times in Europe/Luxembourg

Workshop description

What happens in memory, stays in memory! In this beginner workshop, we’ll take our first steps into the fascinating world of Linux Memory Forensics 😊.

This session will introduce the fundamentals of volatile memory and Linux memory management, with a brief look at memory acquisition. We will then discover how to investigate memory artefacts and uncover traces of malicious behaviour through a simulated ransomware attack, from identifying suspicious processes and carving out binaries to recovering encryption keys from memory.

We will mostly use the Volatility framework, but this workshop will go beyond a simple command-line tutorial to explore the underlying principles: what Volatility profiles are and why we need them, which artefacts are interesting to look for, what to do when there is no command for what we are looking for, where to even start looking, and so on.

Who should attend?

Anyone who wants to discover digital forensics! This workshop won’t require extensive hacking knowledge; however, knowing a bit about Linux will help.

Requirements

A laptop capable of running a virtual machine (or a native Linux environment), and a few gigabytes of free disk space (a memory dump can be quite heavy!). We might do a little bit of Python too! The VM will contain all the tools needed for the workshop. If you choose to use your own Linux environment instead, a setup guide will be provided.


BlackHoodie’s Mission
- BlackHoodie is a series of technical trainings aiming to attract more women to the field of cyber security
- Our events are women-only, except if individual organizers state otherwise
- Whether introduction level or advanced, classes are always challenging
- All of our events are free to attend
- We do not exert any preference in education level, occupation or corporate affiliation of attendees
- BlackHoodie is dedicated to serving the community; we aim to integrate, not separate
- BlackHoodie is independent, and cannot be leveraged to promote anything but its own mission
- We seek quality over quantity, in number of classes and attendees
- We also support/encourage attendees to start giving technical trainings thereby providing a platform to build their confidence

Sonia is a Software Engineer with a passion for Digital Forensics and CTFs.