This work proposes a novel approach that integrates general-purpose large language models (LLMs) into memory forensics to address the limitations of traditional methods, which rely heavily on expert interpretation of complex tool outputs, and existing automated techniques, which often lack interpretability and struggle to detect stealthy malware. By interfacing with forensic tools such as Volatility, the proposed framework processes full-memory or process-level dumps from both Windows and Android platforms, transforming raw analysis results into human-readable narratives. It automatically extracts high-fidelity indicators of compromise (IoCs), generates evidence-based correlations, and provides rationale for threat classification. Experimental evaluations demonstrate that this method yields a greater number of IoCs than state-of-the-art tools across diverse malware samples, significantly reducing analytical complexity while enhancing interpretability, practical utility, and human–machine collaboration in forensic investigations.

Memory forensics is an effective methodology for analyzing living-off-the-land malware, including threats that employ evasion, obfuscation, anti-analysis, and steganographic techniques. By capturing volatile system state, memory analysis enables the recovery of transient artifacts such as decrypted payloads, executed commands, credentials, and cryptographic keys that are often inaccessible through static or traditional dynamic analysis. While several automated models have been proposed for malware detection from memory, their outputs typically lack interpretability, and memory analysis still relies heavily on expert-driven inspection of complex tool outputs, such as those produced by Volatility. In this paper, we propose an explainable, AI-assisted memory forensics approach that leverages general-purpose large language models (LLMs) to interpret memory analysis outputs in a human-readable form and to automatically extract meaningful Indicators of Compromise (IoCs), in some circumstances detecting more IoCs than current state-of-the-art tools. We apply the proposed methodology to both Windows and Android malware, comparing full RAM acquisition with target-process memory dumping and highlighting their complementary forensic value. Furthermore, we demonstrate how LLMs can support both expert and non-expert analysts by explaining analysis results, correlating artifacts, and justifying malware classifications. Finally, we show that a human-in-the-loop workflow, assisted by LLMs during kernel-assisted setup and analysis, improves reproducibility and reduces operational complexity, thereby reinforcing the practical applicability of AI-driven memory forensics for modern malware investigations.