AI-Assisted Semantic Reconstruction of Process Behavior from Memory Dumps
Abstract
Understanding process behavior from volatile memory dumps remains a significant challenge in digital forensics and malware analysis. Existing memory forensics tools primarily expose low-level artifacts, requiring extensive manual analysis to translate them into meaningful behavioral understanding. In this paper, we present a five-phase AI-assisted framework for the semantic reconstruction of process behavior from memory dumps. The framework leverages Volatility 3 plugins to collect system-wide and per-process artifacts, which are correlated into coherent process profiles. To enrich these profiles, the framework incorporates a natural language processing (NLP) pipeline that filters memory-resident strings to preserve forensic relevance. Large language model (LLM)-based AI agents, such as ChatGPT and Gemini, subsequently perform semantic reasoning over these profiles to produce higher-level interpretations of process behavior. We evaluate the framework through controlled experiments using synthetic processes simulating both normal and suspicious activities. The experimental analysis shows how AI-assisted reasoning can help investigators derive actionable forensic insights, demonstrating the potential of this approach to enhance memory forensics and malware analysis.
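To make the correlation and string-filtering phases concrete, the following added example (not the paper's code) correlates per-PID records by process, keeps only strings that match forensic patterns (URLs, file paths, registry keys), and renders the resulting profile as the compact text an LLM would reason over. The records are constructed inline, and their field names are a simplification of what the Volatility 3 plugins windows.pslist, windows.netscan and windows.strings emit, not their exact column schema.

```python
import re

# Constructed sample records standing in for Volatility 3 plugin output
# (windows.pslist, windows.netscan, windows.strings); field names simplified.
PSLIST = [
    {"pid": 4120, "ppid": 612, "name": "svchost.exe"},
    {"pid": 5308, "ppid": 4120, "name": "updater.exe"},
]
NETSCAN = [
    {"pid": 5308, "proto": "TCPv4", "laddr": "10.0.0.5:49812",
     "faddr": "203.0.113.7:443", "state": "ESTABLISHED"},
]
STRINGS = [
    {"pid": 5308, "string": "https://203.0.113.7/update.bin"},
    {"pid": 5308, "string": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"},
    {"pid": 5308, "string": "aaaaBBBB0000"},  # noise with no forensic meaning
    {"pid": 4120, "string": "C:\\Windows\\System32\\svchost.exe"},
]

# Patterns that keep forensically meaningful strings: URLs, drive paths, registry keys.
RELEVANT = [
    re.compile(r"https?://\S+", re.I),
    re.compile(r"[A-Za-z]:\\[^\s]+"),
    re.compile(r"^HK(LM|CU|CR|U|CC)\\", re.I),
]

def is_relevant(s):
    """Return True if the string matches at least one forensic pattern."""
    return len(s) >= 6 and any(p.search(s) for p in RELEVANT)

def build_profiles(pslist, netscan, strings):
    """Correlate per-plugin records by PID into one profile per process."""
    profiles = {}
    for p in pslist:
        profiles[p["pid"]] = {"name": p["name"], "ppid": p["ppid"],
                              "connections": [], "strings": []}
    for c in netscan:
        if c["pid"] in profiles:
            profiles[c["pid"]]["connections"].append(
                f"{c['proto']} {c['laddr']} -> {c['faddr']} {c['state']}")
    for s in strings:
        if s["pid"] in profiles and is_relevant(s["string"]):
            profiles[s["pid"]]["strings"].append(s["string"])
    return profiles

def render_profile(profiles, pid):
    """Serialize one profile as the compact text handed to an LLM for reasoning."""
    pr = profiles[pid]
    parent = profiles.get(pr["ppid"], {}).get("name", "unknown")
    lines = [f"Process {pr['name']} (PID {pid}, parent {parent} PID {pr['ppid']})"]
    lines += [f"  net: {c}" for c in pr["connections"]]
    lines += [f"  str: {s}" for s in pr["strings"]]
    return "\n".join(lines)
```

Calling `render_profile(build_profiles(PSLIST, NETSCAN, STRINGS), 5308)` yields a parent-child line, one network line and the two retained strings, with the noise string dropped.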