Does this skill work with Volatility 2 or Volatility 3?

This skill is optimized for the Volatility 3 framework, though many of the conceptual workflows and acquisition techniques apply broadly to memory forensics.

How does it handle memory acquisition?

It provides commands for industry-standard tools like WinPmem, LiME, and osxpmem, ensuring you can capture memory with a minimal forensic footprint.

Can this skill help identify hidden malware in RAM?

Yes, it includes specific plugins and detection patterns for identifying 'malfind' indicators, process injection, and DKOM-based rootkit techniques.

Can I use YARA rules with this skill?

Absolutely. It includes guidance on writing memory-specific YARA rules and using the windows.yarascan plugin to search for signatures across process and kernel memory.

What platforms are supported by this forensics skill?

The skill provides techniques and tool commands for Windows, Linux, and macOS, as well as specific instructions for virtualized environments like VMware, VirtualBox, and QEMU.

Memory Forensics

Name: Memory Forensics
Author: as4584

byas4584

Security & Testing

Master memory acquisition and forensic analysis to investigate security incidents and analyze malware behavior from RAM captures.

About

The Memory Forensics skill provides comprehensive guidance for acquiring and analyzing memory dumps across Windows, Linux, and macOS environments. It focuses on the Volatility 3 framework, offering structured workflows for process analysis, network connection reconstruction, and registry artifact extraction. Whether you are investigating a security breach or reverse-engineering sophisticated malware, this skill helps you identify hidden processes, detect code injection, and perform automated YARA scans to uncover memory-resident threats that traditional disk forensics might miss.

Key Features

Multi-platform memory acquisition guidance for Windows, Linux, macOS, and Virtual Machines
Advanced detection patterns for process hollowing, DLL injection, and rootkits
Detailed reference for kernel data structures including EPROCESS, PEB, and VAD
0 GitHub stars
Comprehensive Volatility 3 plugin library for deep-dive artifact extraction
Integrated YARA scanning techniques for memory-resident malware identification

Use Cases

Conducting post-compromise incident response to identify malicious activity and persistence
Performing advanced malware analysis to understand runtime behavior and shellcode execution
Hunting for rootkits and hidden processes that are invisible to the standard operating system

About

Key Features

Multi-platform memory acquisition guidance for Windows, Linux, macOS, and Virtual Machines
Advanced detection patterns for process hollowing, DLL injection, and rootkits
Detailed reference for kernel data structures including EPROCESS, PEB, and VAD
0 GitHub stars
Comprehensive Volatility 3 plugin library for deep-dive artifact extraction
Integrated YARA scanning techniques for memory-resident malware identification

Use Cases

Conducting post-compromise incident response to identify malicious activity and persistence
Performing advanced malware analysis to understand runtime behavior and shellcode execution
Hunting for rootkits and hidden processes that are invisible to the standard operating system