Back to Security & Vulnerability Analysis

memory-forensics

Name: memory-forensics
Author: W. Shobson

memory forensicsdigital forensicsincident responsemalware analysisvolatilitycybersecurityram analysisforensic tools

⭐ 36.8k📄 MIT🕒 2026-06-16Source ↗

Install this skill

npx skills add wshobson/agents

Works across Claude Code, Cursor, Codex, Copilot & Antigravity

Memory forensics involves the capture and investigation of volatile data from a system's RAM. By examining the current state of executing processes, active network connections, loaded DLLs, and kernel modules, investigators reconstruct system activity that does not persist on disk. This skill focuses on the Volatility 3 framework to inspect memory dumps from Windows, Linux, and macOS. It bridges the gap between active runtime analysis and static file investigation, allowing for the discovery of hidden malware, injected code, registry modifications, and persistence mechanisms. Practitioners use these techniques to isolate malicious indicators that disappear after a system reboot. Mastery of these methods requires understanding system-level data structures and translating binary memory artifacts into actionable incident response timelines or malware behavioral reports.

When to Use This Skill

•Detecting fileless malware that resides solely in RAM
•Identifying persistence mechanisms like unauthorized run keys
•Recovering deleted or obscured file paths from memory
•Investigating lateral movement via active network socket analysis

How to Invoke This Skill

Example prompts that trigger this skill in Claude Code, Cursor, or Antigravity:

“Analyze this memory dump for malicious processes
“Find hidden network connections in this RAM image
“Extract command line history from the memory file
“Check for injected code in this memory capture
“Identify persistence triggers using memory forensics

Pro Tips

💡Always ensure you have proper legal authorization and adhere to chain of custody protocols when acquiring memory dumps in real-world investigations.
💡Combine memory forensics with disk forensics to build a comprehensive timeline of events and correlate in-memory artifacts with on-disk persistence mechanisms.
💡Leverage Volatility's extensive plugin ecosystem; for specific tasks, research and use specialized plugins to enhance artifact extraction and analysis capabilities.

What this skill does

•Extract and inspect live process trees and environment variables
•Identify code injection using VAD information and memory scanning
•Parse registry hives directly from volatile memory
•Reconstruct network connection history
•Automate YARA scanning against dumped memory segments

When not to use it

✕When you need historical disk data not currently loaded in memory
✕If the system has already been rebooted and data is lost
✕For simple file system tasks better suited for standard forensic imaging tools

Example workflow

Capture a raw memory image from the target machine
Run process enumeration plugins to identify anomalies
Scan for suspicious network sockets to confirm C2 activity
Inspect VAD nodes and map memory segments for injected DLLs
Dump malicious process modules for static analysis
Generate a forensic timeline to correlate events

Prerequisites

–A valid memory dump file (.raw, .vmem, .lime)
–Volatility 3 installed in the local environment
–System symbol tables or PDB files

Pitfalls & limitations

!Memory dumps contain vast amounts of noise requiring manual filtering
!Incorrect acquisition methods can overwrite volatile evidence
!Lack of appropriate symbol tables prevents effective analysis of kernel objects

FAQ

What is the difference between physical and virtual memory dumps?

Physical dumps contain the entire state of RAM, while virtual dumps are specific to a VM's captured state. Volatility 3 can handle both as long as the format is compatible.

Can I use Volatility 3 on a memory dump from a different OS?

You must use the specific layer plugins designed for the target OS, such as the windows, linux, or mac namespaces.

How do I deal with missing symbol tables?

Download the appropriate Intermediate Symbol Files (ISF) for your specific OS kernel version from the official Volatility foundation repository.

How it compares

Generic prompts often hallucinate OS internals, whereas this skill uses verified Volatility 3 command structures to query memory data blocks accurately.

Source & trust

⭐ 37k stars📄 MIT🕒 Updated 2026-06-16

View original skill on GitHub →

📄 Full skill instructions — original source: wshobson/agents

# Memory Forensics

Comprehensive techniques for acquiring, analyzing, and extracting artifacts from memory dumps for incident response and malware analysis.

## Memory Acquisition

### Live Acquisition Tools

#### Windows

# WinPmem (Recommended)
winpmem_mini_x64.exe memory.raw

# DumpIt
DumpIt.exe

# Belkasoft RAM Capturer
# GUI-based, outputs raw format

# Magnet RAM Capture
# GUI-based, outputs raw format

#### Linux

# LiME (Linux Memory Extractor)
sudo insmod lime.ko "path=/tmp/memory.lime format=lime"

# /dev/mem (limited, requires permissions)
sudo dd if=/dev/mem of=memory.raw bs=1M

# /proc/kcore (ELF format)
sudo cp /proc/kcore memory.elf

#### macOS

# osxpmem
sudo ./osxpmem -o memory.raw

# MacQuisition (commercial)

### Virtual Machine Memory

# VMware: .vmem file is raw memory
cp vm.vmem memory.raw

# VirtualBox: Use debug console
vboxmanage debugvm "VMName" dumpvmcore --filename memory.elf

# QEMU
virsh dump <domain> memory.raw --memory-only

# Hyper-V
# Checkpoint contains memory state

## Volatility 3 Framework

### Installation and Setup

# Install Volatility 3
pip install volatility3

# Install symbol tables (Windows)
# Download from https://downloads.volatilityfoundation.org/volatility3/symbols/

# Basic usage
vol -f memory.raw <plugin>

# With symbol path
vol -f memory.raw -s /path/to/symbols windows.pslist

### Essential Plugins

#### Process Analysis

# List processes
vol -f memory.raw windows.pslist

# Process tree (parent-child relationships)
vol -f memory.raw windows.pstree

# Hidden process detection
vol -f memory.raw windows.psscan

# Process memory dumps
vol -f memory.raw windows.memmap --pid <PID> --dump

# Process environment variables
vol -f memory.raw windows.envars --pid <PID>

# Command line arguments
vol -f memory.raw windows.cmdline

#### Network Analysis

# Network connections
vol -f memory.raw windows.netscan

# Network connection state
vol -f memory.raw windows.netstat

#### DLL and Module Analysis

# Loaded DLLs per process
vol -f memory.raw windows.dlllist --pid <PID>

# Find hidden/injected DLLs
vol -f memory.raw windows.ldrmodules

# Kernel modules
vol -f memory.raw windows.modules

# Module dumps
vol -f memory.raw windows.moddump --pid <PID>

#### Memory Injection Detection

# Detect code injection
vol -f memory.raw windows.malfind

# VAD (Virtual Address Descriptor) analysis
vol -f memory.raw windows.vadinfo --pid <PID>

# Dump suspicious memory regions
vol -f memory.raw windows.vadyarascan --yara-rules rules.yar

#### Registry Analysis

# List registry hives
vol -f memory.raw windows.registry.hivelist

# Print registry key
vol -f memory.raw windows.registry.printkey --key "Software\Microsoft\Windows\CurrentVersion\Run"

# Dump registry hive
vol -f memory.raw windows.registry.hivescan --dump

#### File System Artifacts

# Scan for file objects
vol -f memory.raw windows.filescan

# Dump files from memory
vol -f memory.raw windows.dumpfiles --pid <PID>

# MFT analysis
vol -f memory.raw windows.mftscan

### Linux Analysis

# Process listing
vol -f memory.raw linux.pslist

# Process tree
vol -f memory.raw linux.pstree

# Bash history
vol -f memory.raw linux.bash

# Network connections
vol -f memory.raw linux.sockstat

# Loaded kernel modules
vol -f memory.raw linux.lsmod

# Mount points
vol -f memory.raw linux.mount

# Environment variables
vol -f memory.raw linux.envars

### macOS Analysis

# Process listing
vol -f memory.raw mac.pslist

# Process tree
vol -f memory.raw mac.pstree

# Network connections
vol -f memory.raw mac.netstat

# Kernel extensions
vol -f memory.raw mac.lsmod

## Analysis Workflows

### Malware Analysis Workflow

# 1. Initial process survey
vol -f memory.raw windows.pstree > processes.txt
vol -f memory.raw windows.pslist > pslist.txt

# 2. Network connections
vol -f memory.raw windows.netscan > network.txt

# 3. Detect injection
vol -f memory.raw windows.malfind > malfind.txt

# 4. Analyze suspicious processes
vol -f memory.raw windows.dlllist --pid <PID>
vol -f memory.raw windows.handles --pid <PID>

# 5. Dump suspicious executables
vol -f memory.raw windows.pslist --pid <PID> --dump

# 6. Extract strings from dumps
strings -a pid.<PID>.exe > strings.txt

# 7. YARA scanning
vol -f memory.raw windows.yarascan --yara-rules malware.yar

### Incident Response Workflow

# 1. Timeline of events
vol -f memory.raw windows.timeliner > timeline.csv

# 2. User activity
vol -f memory.raw windows.cmdline
vol -f memory.raw windows.consoles

# 3. Persistence mechanisms
vol -f memory.raw windows.registry.printkey \
    --key "Software\Microsoft\Windows\CurrentVersion\Run"

# 4. Services
vol -f memory.raw windows.svcscan

# 5. Scheduled tasks
vol -f memory.raw windows.scheduled_tasks

# 6. Recent files
vol -f memory.raw windows.filescan | grep -i "recent"

## Data Structures

### Windows Process Structures

// EPROCESS (Executive Process)
typedef struct _EPROCESS {
    KPROCESS Pcb;                    // Kernel process block
    EX_PUSH_LOCK ProcessLock;
    LARGE_INTEGER CreateTime;
    LARGE_INTEGER ExitTime;
    // ...
    LIST_ENTRY ActiveProcessLinks;   // Doubly-linked list
    ULONG_PTR UniqueProcessId;       // PID
    // ...
    PEB* Peb;                        // Process Environment Block
    // ...
} EPROCESS;

// PEB (Process Environment Block)
typedef struct _PEB {
    BOOLEAN InheritedAddressSpace;
    BOOLEAN ReadImageFileExecOptions;
    BOOLEAN BeingDebugged;           // Anti-debug check
    // ...
    PVOID ImageBaseAddress;          // Base address of executable
    PPEB_LDR_DATA Ldr;              // Loader data (DLL list)
    PRTL_USER_PROCESS_PARAMETERS ProcessParameters;
    // ...
} PEB;

### VAD (Virtual Address Descriptor)

typedef struct _MMVAD {
    MMVAD_SHORT Core;
    union {
        ULONG LongFlags;
        MMVAD_FLAGS VadFlags;
    } u;
    // ...
    PVOID FirstPrototypePte;
    PVOID LastContiguousPte;
    // ...
    PFILE_OBJECT FileObject;
} MMVAD;

// Memory protection flags
#define PAGE_EXECUTE           0x10
#define PAGE_EXECUTE_READ      0x20
#define PAGE_EXECUTE_READWRITE 0x40
#define PAGE_EXECUTE_WRITECOPY 0x80

## Detection Patterns

### Process Injection Indicators

# Malfind indicators
# - PAGE_EXECUTE_READWRITE protection (suspicious)
# - MZ header in non-image VAD region
# - Shellcode patterns at allocation start

# Common injection techniques
# 1. Classic DLL Injection
#    - VirtualAllocEx + WriteProcessMemory + CreateRemoteThread

# 2. Process Hollowing
#    - CreateProcess (SUSPENDED) + NtUnmapViewOfSection + WriteProcessMemory

# 3. APC Injection
#    - QueueUserAPC targeting alertable threads

# 4. Thread Execution Hijacking
#    - SuspendThread + SetThreadContext + ResumeThread

### Rootkit Detection

# Compare process lists
vol -f memory.raw windows.pslist > pslist.txt
vol -f memory.raw windows.psscan > psscan.txt
diff pslist.txt psscan.txt  # Hidden processes

# Check for DKOM (Direct Kernel Object Manipulation)
vol -f memory.raw windows.callbacks

# Detect hooked functions
vol -f memory.raw windows.ssdt  # System Service Descriptor Table

# Driver analysis
vol -f memory.raw windows.driverscan
vol -f memory.raw windows.driverirp

### Credential Extraction

# Dump hashes (requires hivelist first)
vol -f memory.raw windows.hashdump

# LSA secrets
vol -f memory.raw windows.lsadump

# Cached domain credentials
vol -f memory.raw windows.cachedump

# Mimikatz-style extraction
# Requires specific plugins/tools

## YARA Integration

### Writing Memory YARA Rules

rule Suspicious_Injection
{
    meta:
        description = "Detects common injection shellcode"

    strings:
        // Common shellcode patterns
        $mz = { 4D 5A }
        $shellcode1 = { 55 8B EC 83 EC }  // Function prologue
        $api_hash = { 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 }  // Push hash, call

    condition:
        $mz at 0 or any of ($shellcode*)
}

rule Cobalt_Strike_Beacon
{
    meta:
        description = "Detects Cobalt Strike beacon in memory"

    strings:
        $config = { 00 01 00 01 00 02 }
        $sleep = "sleeptime"
        $beacon = "%s (admin)" wide

    condition:
        2 of them
}

### Scanning Memory

# Scan all process memory
vol -f memory.raw windows.yarascan --yara-rules rules.yar

# Scan specific process
vol -f memory.raw windows.yarascan --yara-rules rules.yar --pid 1234

# Scan kernel memory
vol -f memory.raw windows.yarascan --yara-rules rules.yar --kernel

## String Analysis

### Extracting Strings

# Basic string extraction
strings -a memory.raw > all_strings.txt

# Unicode strings
strings -el memory.raw >> all_strings.txt

# Targeted extraction from process dump
vol -f memory.raw windows.memmap --pid 1234 --dump
strings -a pid.1234.dmp > process_strings.txt

# Pattern matching
grep -E "(https?://|[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})" all_strings.txt

### FLOSS for Obfuscated Strings

# FLOSS extracts obfuscated strings
floss malware.exe > floss_output.txt

# From memory dump
floss pid.1234.dmp

## Best Practices

### Acquisition Best Practices

1. **Minimize footprint**: Use lightweight acquisition tools
2. **Document everything**: Record time, tool, and hash of capture
3. **Verify integrity**: Hash memory dump immediately after capture
4. **Chain of custody**: Maintain proper forensic handling

### Analysis Best Practices

1. **Start broad**: Get overview before deep diving
2. **Cross-reference**: Use multiple plugins for same data
3. **Timeline correlation**: Correlate memory findings with disk/network
4. **Document findings**: Keep detailed notes and screenshots
5. **Validate results**: Verify findings through multiple methods

### Common Pitfalls

- **Stale data**: Memory is volatile, analyze promptly
- **Incomplete dumps**: Verify dump size matches expected RAM
- **Symbol issues**: Ensure correct symbol files for OS version
- **Smear**: Memory may change during acquisition
- **Encryption**: Some data may be encrypted in memory

By W. Shobson

How to Use This Skill Unit

Option A: Project-Specific (Recommended)

Click "Download" above
In your project, create the directory: .agent/skills/memory-forensics/
Save the file as SKILL.md
The agent will automatically discover the skill based on its description.

Option B: Global Installation (All Agents)

Save the file to these locations to make it available across all projects:

Claude Code: ~/.claude/skills/wshobson/agents/memory-forensics/SKILL.md
Cursor: ~/.cursor/skills/wshobson/agents/memory-forensics/SKILL.md
Antigravity: ~/.gemini/antigravity/skills/wshobson/agents/memory-forensics/SKILL.md

🚀 Install with CLI:
npx skills add wshobson/agents

Read the Master Guide: Mastering Agent Skills →

Recommended Rules

View more rules →

Recommended Workflows

View more workflows →

Debugging Infinite Re-renders

ReactDebuggingPerformance

--- description: Track down and fix infinite loops in useEffect and component rendering --- 1. **Check `useEffect` Dependencies**: - The most comm...

Ultimate Next.js SEO Setup

Next.jsSEOProduction

--- description: Complete checklist for sitemap, robots, manifest, and JSON-LD --- 1. **Metadata Base (Crucial)**: - In `src/app/layout.tsx`, defi...

Core Web Vitals Optimizer

PerformanceLCPCLS

--- description: Audit and fix LCP, CLS, and INP issues for better ranking --- 1. **Fix LCP (Large Contentful Paint)**: - The largest element (usu...

Recommended MCP Servers

View more MCP servers →

MalwareBazaar_MCP

Community

(by Kevin Thomas) - An AI-driven MCP server that autonomously interfaces with MalwareBazaar, delivering real-time threat intel and sample metadata for authorized cybersecurity research workflows.