Volatility, a widely recognized open-source framework in digital forensics, is designed to extract and analyze volatile memory (RAM) from live systems. It supports the examination of diverse memory artifacts, including process activity, network connections, registry keys, and file system interactions. However, one limitation of Volatility is that it cannot determine whether a process is behaving normally. To address this gap, we have developed an add-on component that extends the framework’s capabilities. In this paper, we propose a comprehensive framework for the forensic analysis of attacks that focuses on the behavioral aspects of processes. The framework captures a memory snapshot and then compares the behavior of processes during normal operation with their behavior during an attack. With this method, we can discern anomalies, identify potential attacks, and gather valuable information about the attackers. Using the proposed framework, we identified attacks and obtained crucial insights into the attacker’s activities.
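The baseline-versus-attack comparison described above can be pictured with the following added example, which is not the paper's add-on or Volatility's own code. It assumes each snapshot's process listing has been reduced to PID, PPID and image-name columns (the sample rows are constructed) and takes parent/child image pairs as the behaviour being compared; the function names are hypothetical.

```python
import csv
import io

# Constructed sample data: a process listing from a clean snapshot, reduced to
# three columns (PID, PPID, ImageFileName). Not output from a real system.
BASELINE_CSV = """PID,PPID,ImageFileName
4,0,System
512,4,smss.exe
700,512,wininit.exe
820,700,services.exe
1200,820,svchost.exe
2400,2300,explorer.exe
3100,2400,winword.exe
"""

# Constructed suspect snapshot: the baseline rows plus two processes whose
# parent/child relationship never occurs in the baseline.
SUSPECT_CSV = BASELINE_CSV + "3500,3100,powershell.exe\n3600,2400,svchost.exe\n"


def load(text):
    """Parse one listing into {pid: (ppid, lowercase image name)}."""
    return {int(r["PID"]): (int(r["PPID"]), r["ImageFileName"].lower())
            for r in csv.DictReader(io.StringIO(text))}


def pairs(procs):
    """Map each PID to its (parent image name, own image name) pair."""
    return {pid: (procs.get(ppid, (0, "<not listed>"))[1], name)
            for pid, (ppid, name) in procs.items()}


def anomalies(baseline_text, suspect_text):
    """Return suspect processes whose parent/child pair is absent from the baseline."""
    normal = set(pairs(load(baseline_text)).values())
    return [(pid, parent, name)
            for pid, (parent, name) in sorted(pairs(load(suspect_text)).items())
            if (parent, name) not in normal]


if __name__ == "__main__":
    for pid, parent, name in anomalies(BASELINE_CSV, SUSPECT_CSV):
        print(f"PID {pid}: {name} started by {parent} (pair not seen in baseline)")
```

Matching on image names rather than PIDs keeps the comparison stable across reboots, and it flags a familiar name such as svchost.exe when it appears under a parent the baseline never recorded.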