
Memory Forensics Volatility
Load this skill when analyzing RAM dumps with Volatility 2/3 for malware, credentials, injection, and incident timelines during response.
Overview
Memory Forensics — Volatility is an agent skill most often used in Operate (also Ship security) that delivers a Volatility 2/3 playbook for malware, credentials, injection, and IR timeline analysis on memory dumps.
Install
npx skills add https://github.com/yaklang/hack-skills --skill memory-forensics-volatility
What is this skill?
- Volatility 2 vs 3 command differences and plugin sequences
- Acquisition guidance including LiME on Linux
- Hidden processes, network connections, DLL/module and malfind injection checks
- Credential extraction, carving, registry, and timeline reconstruction
- Routes to PCAP, steganography, and privilege-escalation companion skills
Adoption & trust: 1.1k installs on skills.sh; 980 GitHub stars; 1/3 security scanners passed (skills.sh audits).
What problem does it solve?
You have a memory image but lack a reliable Vol2/Vol3 command order, malware indicators, and Linux-specific steps to explain what executed in RAM.
Who is it for?
Builders or responders with a memory dump who need Volatility expertise without guessing plugin order or OS profile steps.
Skip if: Live-only debugging, traffic-only PCAP review without memory, or beginners without shell access to run Volatility.
When should I use this skill?
Analyzing memory dumps for malware, credentials, process investigation, code injection, and incident response timeline reconstruction with Volatility 2/3.
What do I get? / Deliverables
You get a structured acquisition-to-timeline workflow with plugin sequences and cross-artifact routing for PCAP and related investigations.
- Investigation plugin sequence
- Timeline and artifact findings outline
Recommended Skills
Journey fit
Spans multiple journey phases - primary shelf plus alternate fits below.
Memory forensics is canonical on Operate when investigating production incidents, with strong ties to Ship security reviews after compromise signals. Errors covers incident triage and root-cause investigation where live disk alone is insufficient and memory artifacts explain what ran.
Where it fits
Rebuild an attack timeline from a production server RAM capture after suspicious process behavior.
Correlate memory-resident network connections with ongoing alert triage.
Validate injection and credential theft hypotheses before closing a security review ticket.
How it compares
Forensics playbook for offline RAM dumps, not a generic vulnerability scanner or EDR console replacement.
Common Questions / FAQ
Who is memory-forensics-volatility for?
Security-minded solo developers and IR practitioners analyzing Windows or Linux memory dumps with Volatility during malware or breach investigations.
When should I use memory-forensics-volatility?
In Operate during incident triage on dumps, and in Ship security when validating compromise hypotheses from RAM artifacts alongside disk and network evidence.
Is memory-forensics-volatility safe to install?
Check the Security Audits panel on this page; the skill implies shell and dump handling—only use in isolated analysis environments with trusted skill sources.
SKILL.md - Memory Forensics Volatility
# SKILL: Memory Forensics — Expert Analysis Playbook

> **AI LOAD INSTRUCTION**: Expert memory forensics techniques using Volatility 2 and 3. Covers memory acquisition, OS identification, process analysis (hidden process detection), network connections, DLL/module analysis, code injection detection (malfind), credential extraction, file carving, registry analysis, and timeline generation. Base models miss the Vol2/Vol3 command differences, malware indicator patterns, and Linux-specific memory analysis.

## 0. RELATED ROUTING

Before going deep, consider loading:

- [traffic-analysis-pcap](../traffic-analysis-pcap/SKILL.md) for correlating network artifacts with memory findings
- [steganography-techniques](../steganography-techniques/SKILL.md) if hidden data suspected in extracted files
- [windows-privilege-escalation](../windows-privilege-escalation/SKILL.md) for understanding post-exploitation artifacts in memory

### Quick Reference

Also load [VOLATILITY_CHEATSHEET.md](./VOLATILITY_CHEATSHEET.md) when you need:

- Vol2 vs Vol3 command comparison table
- Common plugin sequences for specific investigation types

---

## 1. MEMORY ACQUISITION

### Linux

```bash
# LiME (Linux Memory Extractor) — kernel module
insmod lime.ko "path=/tmp/mem.lime format=lime"

# /proc/kcore (if available)
dd if=/proc/kcore of=/tmp/mem.raw bs=1M

# AVML (Microsoft's open-source)
./avml /tmp/mem.lime
```

### Windows

```bash
# WinPmem
winpmem_mini_x64.exe memdump.raw

# FTK Imager (GUI) — capture memory to file

# DumpIt (single-click memory dump)
DumpIt.exe

# Comae (MagnetRAM)
MagnetRAMCapture.exe /output memdump.raw
```

### Virtual Machines

```bash
# VMware: .vmem file in VM directory (suspend VM first)

# VirtualBox:
VBoxManage debugvm "VM_NAME" dumpvmcore --filename mem.raw

# KVM/QEMU:
virsh dump DOMAIN memdump --memory-only

# Hyper-V: checkpoint VM → inspect .bin files
```

---

## 2. VOLATILITY 2 vs 3

| Concept | Volatility 2 | Volatility 3 |
|---|---|---|
| Profile system | `--profile=Win10x64_19041` | Auto-detected (symbol tables) |
| Image info | `imageinfo` | `windows.info` / `linux.info` |
| Process list | `pslist` | `windows.pslist` |
| Network | `netscan` / `connections` | `windows.netscan` / `windows.netstat` |
| DLLs | `dlllist` | `windows.dlllist` |
| Injection | `malfind` | `windows.malfind` |
| Hashes | `hashdump` | `windows.hashdump` |
| Files | `filescan` | `windows.filescan` |
| Registry | `hivelist` / `printkey` | `windows.registry.hivelist` / `windows.registry.printkey` |
| Install | `pip2 install volatility` | `pip3 install volatility3` |

---

## 3. ANALYSIS METHODOLOGY

### Step 1: Identify OS

```bash
# Vol2
vol.py -f mem.raw imageinfo
vol.py -f mem.raw kdbgscan

# Vol3
vol -f mem.raw windows.info
vol -f mem.raw banners.Banners
```

### Step 2: Process Listing — Hidden Process Detection

```bash
# Vol2
vol.py -f mem.raw --profile=PROFILE pslist   # EPROCESS linked list
vol.py -f mem.raw --profile=PROFILE psscan   # pool tag scan (finds unlinked)
vol.py -f mem.raw --profile=PROFILE pstree   # parent-child hierarchy

# Vol3
vol -f mem.raw windows.pslist
vol -f mem.raw windows.psscan
vol -f mem.raw windows.pstree
```

**Red flags**: Process in `psscan` but not `pslist` = DKOM (Direct Kernel Object Manipulation) hiding.

### Step 3: Network Connections

```bash
# Vol2
vol.py -f mem.raw --profile=PROFILE netscan       # TCP/UDP endpoints
vol.py -f mem.raw --profile=PROFILE connections   # XP/2003 only
vol.py -f mem.raw --profile=PROFILE connscan      # closed connections

# Vol3
vol -f mem.raw windows.netscan
vol -f mem.raw windows.netstat
```

### Step 4: DLL / Module Analysis

```bash
# Vol2
vol.py -f mem.raw --profile=PROFILE dlllist
```
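The Step 2 cross-view check (psscan minus pslist) is easy to do by eye on a small dump and error-prone on a real one, because psscan also returns processes that have already exited and whose pool block has not been reused. This added example (not part of the skill's own files) diffs the two views and separates genuine unlinked-but-running processes from exited leftovers; it assumes the JSON renderer of Volatility 3 (`vol -f mem.raw -r json windows.pslist` / `windows.psscan`) and Vol3's default column names, and the sample rows are constructed.

```python
import json
from typing import Dict, List, Tuple

# Constructed sample rows in the shape of `vol -f mem.raw -r json windows.pslist`
# and `... windows.psscan`. Key names follow Vol3's default column headers
# (assumed); only the columns this check needs are included.
PSLIST_JSON = """[
 {"PID": 4,    "PPID": 0,    "ImageFileName": "System",      "CreateTime": "2024-03-01 08:00:01.000000", "ExitTime": null},
 {"PID": 624,  "PPID": 4,    "ImageFileName": "smss.exe",    "CreateTime": "2024-03-01 08:00:03.000000", "ExitTime": null},
 {"PID": 1120, "PPID": 700,  "ImageFileName": "svchost.exe", "CreateTime": "2024-03-01 08:00:09.000000", "ExitTime": null}
]"""
PSSCAN_JSON = """[
 {"PID": 4,    "PPID": 0,    "ImageFileName": "System",      "CreateTime": "2024-03-01 08:00:01.000000", "ExitTime": null},
 {"PID": 624,  "PPID": 4,    "ImageFileName": "smss.exe",    "CreateTime": "2024-03-01 08:00:03.000000", "ExitTime": null},
 {"PID": 1120, "PPID": 700,  "ImageFileName": "svchost.exe", "CreateTime": "2024-03-01 08:00:09.000000", "ExitTime": null},
 {"PID": 2984, "PPID": 1120, "ImageFileName": "notepad.exe", "CreateTime": "2024-03-01 09:02:40.000000", "ExitTime": "2024-03-01 09:10:00.000000"},
 {"PID": 3360, "PPID": 624,  "ImageFileName": "svch0st.exe", "CreateTime": "2024-03-01 09:15:12.000000", "ExitTime": null}
]"""

Row = Dict[str, object]

def row_key(row: Row) -> Tuple[int, str]:
    # PIDs are reused after a process exits, so pair PID with CreateTime
    # to identify one EPROCESS object across both views.
    return (int(row["PID"]), str(row["CreateTime"]))

def cross_view_diff(pslist_rows: List[Row], psscan_rows: List[Row]) -> Dict[str, List[Row]]:
    """Split psscan-only rows into likely DKOM hiding vs. benign leftovers.

    psscan walks pool memory, so it also returns processes that exited but
    whose EPROCESS block has not been reused; those carry an ExitTime and
    are not hidden. A running process (no ExitTime) that the linked list
    does not contain is the red flag from Step 2.
    """
    linked = {row_key(r) for r in pslist_rows}
    hidden, terminated = [], []
    for r in psscan_rows:
        if row_key(r) in linked:
            continue
        (terminated if r.get("ExitTime") else hidden).append(r)
    return {"hidden": hidden, "terminated": terminated}

def triage_pids(pslist_json: str = PSLIST_JSON, psscan_json: str = PSSCAN_JSON) -> Dict[str, List[int]]:
    """PIDs to escalate for manual review (hidden) and to note as exited (terminated)."""
    diff = cross_view_diff(json.loads(pslist_json), json.loads(psscan_json))
    return {k: [int(r["PID"]) for r in rows] for k, rows in diff.items()}
```

On a real dump, feed `triage_pids` the two JSON files and hand every `hidden` PID to `windows.pstree`, `windows.dlllist` and `windows.malfind` next.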