Memory forensics is an effective methodology for analyzing living-off-the-land malware, including threats that employ evasion, obfuscation, anti-analysis, and steganographic techniques. By capturing volatile system state, memory analysis enables the recovery of transient artifacts such as decrypted payloads, executed commands, credentials, and cryptographic keys that are often inaccessible through static or traditional dynamic analysis. While several automated models have been proposed for malware detection from memory, their outputs typically lack interpretability, and memory analysis still relies heavily on expert-driven inspection of complex tool outputs, such as those produced by Volatility. In this paper, we propose an explainable, AI-assisted memory forensics approach that leverages general-purpose large language models (LLMs) to interpret memory analysis outputs in a human-readable form and to automatically extract meaningful Indicators of Compromise (IoCs), in some circumstances detecting more IoCs than current state-of-the-art tools. We apply the proposed methodology to both Windows and Android malware, comparing full RAM acquisition with target-process memory dumping and highlighting their complementary forensic value. Furthermore, we demonstrate how LLMs can support both expert and non-expert analysts by explaining analysis results, correlating artifacts, and justifying malware classifications. Finally, we show that a human-in-the-loop workflow, assisted by LLMs during kernel-assisted setup and analysis, improves reproducibility and reduces operational complexity, thereby reinforcing the practical applicability of AI-driven memory forensics for modern malware investigations.