explainx.ainewsletter3.4k
conducting-memory-forensics-with-volatility

conducting-memory-forensics-with-volatility

mukul975/Anthropic-Cybersecurity-Skills · updated May 25, 2026

MDX-style export adds YAML metadata + attribution linking explainx.ai and this canonical listing URL.

$npx skills install mukul975/Anthropic-Cybersecurity-Skills/conducting-memory-forensics-with-volatility
0 commentsdiscussion
summary

Performs memory forensics analysis using Volatility 3 to extract evidence of malware execution, process injection, network connections, and credential theft from RAM dumps captured during incident response. Covers memory acquisition, process analysis, DLL inspection, and malware detection. Activates for requests involving memory forensics, RAM analysis, Volatility framework, memory dump investigation, volatile evidence analysis, or live memory acquisition.

skill.md
name
conducting-memory-forensics-with-volatility
description
'Performs memory forensics analysis using Volatility 3 to extract evidence of malware execution, process injection, network connections, and credential theft from RAM dumps captured during incident response. Covers memory acquisition, process analysis, DLL inspection, and malware detection. Activates for requests involving memory forensics, RAM analysis, Volatility framework, memory dump investigation, volatile evidence analysis, or live memory acquisition. '
domain
cybersecurity
subdomain
incident-response
tags
- memory-forensics - volatility - RAM-analysis - process-injection - DFIR
mitre_attack
- T1003 - T1055 - T1620 - T1574
version
1.0.0
author
mahipal
license
Apache-2.0
nist_csf
- RS.MA-01 - RS.MA-02 - RS.AN-03 - RC.RP-01

Conducting Memory Forensics with Volatility

When to Use

  • An endpoint has been contained during an active incident and volatile evidence must be preserved
  • EDR alerts suggest process injection or fileless malware that only exists in memory
  • Encryption keys need to be recovered from a ransomware-infected system before shutdown
  • Credential theft (Mimikatz, LSASS dumping) is suspected and evidence must be confirmed
  • A rootkit or kernel-level compromise is suspected and disk-based analysis is insufficient

Do not use for analyzing disk images or file system artifacts; use disk forensics tools (Autopsy, FTK) for those tasks.

Prerequisites

  • Memory acquisition tool deployed or available: WinPmem, Magnet RAM Capture, DumpIt, or AVML (Linux)
  • Volatility 3 installed with Python 3.8+ and required symbol tables
  • Sufficient storage for memory dumps (equal to system RAM size, typically 8-64 GB)
  • YARA rules for malware detection in memory (Florian Roth's signature-base, custom rules)
  • Reference baseline of normal processes and DLLs for the OS version being analyzed
  • Chain of custody documentation for evidence handling

Workflow

Step 1: Acquire Memory Image

Capture RAM from the target system using a forensically sound method:

Windows (WinPmem):

winpmem_mini_x64.exe output.raw

Windows (Magnet RAM Capture):

MagnetRAMCapture.exe
# GUI-based, select output path, generates .raw file

Windows (DumpIt):

DumpIt.exe
# Creates memory dump in current directory automatically

Linux (AVML - Acquire Volatile Memory for Linux):

./avml output.lime

Document acquisition metadata:

Acquisition Record:
━━━━━━━━━━━━━━━━━
Target Host:      WKSTN-042
RAM Size:         16 GB
Dump File:        WKSTN-042_20251115_1445.raw
Dump Size:        16,843,612,160 bytes
SHA-256:          a4b3c2d1e5f6...
Acquisition Tool: WinPmem 4.0
Acquired By:      [Analyst Name]
Timestamp:        2025-11-15T14:45:00Z

Step 2: Identify the Operating System and Profile

Volatility 3 automatically identifies the OS, but verify:

# Get system information
vol -f WKSTN-042_20251115_1445.raw windows.info

# Output includes:
# OS: Windows 10 22H2 (Build 19045.3693)
# Kernel Base: 0xf8066c200000
# DTB: 0x1aa000
# Symbols: ntkrnlmp.pdb

Step 3: Analyze Running Processes

Examine the process tree for suspicious activity:

# List all running processes
vol -f memory.raw windows.pslist

# Show process tree (parent-child relationships)
vol -f memory.raw windows.pstree

# Scan for hidden/unlinked processes (rootkit detection)
vol -f memory.raw windows.psscan

# Compare pslist vs psscan to find hidden processes
# Processes in psscan but NOT in pslist may be hidden by rootkits

Key indicators of compromise in process analysis:

  • svchost.exe running without -k parameter or with wrong parent (should be services.exe)
  • csrss.exe or lsass.exe with abnormal parent process
  • Processes with misspelled names (scvhost.exe, lssas.exe)
  • Unusual processes spawned by outlook.exe, winword.exe, or excel.exe
  • Multiple instances of processes that should be singletons (lsass.exe, smss.exe)

Step 4: Investigate Network Connections

Extract active and recently closed network connections:

# List all network connections
vol -f memory.raw windows.netscan

# Focus output fields:
# Offset    Proto  LocalAddr     LocalPort  ForeignAddr    ForeignPort  State     PID  Owner
# 0xe10...  TCPv4  10.1.5.42     49721     185.220.101.42  443         ESTAB     3847  update.exe

Cross-reference suspicious connections with the process tree to identify C2 communications. Look for:

  • Connections to external IPs from unexpected processes
  • High port numbers connecting to port 443/80 from non-browser processes
  • Connections from svchost.exe or system processes to external IPs

Step 5: Detect Process Injection and Malware

Use malfind to identify injected code and memory-resident malware:

# Detect injected code in processes
vol -f memory.raw windows.malfind

# Output shows:
# PID  Process       Start      End        Tag  Protection  Hexdump/Disassembly
# 3847 explorer.exe  0x2a10000  0x2a14000  VadS PAGE_EXECUTE_READWRITE
# MZ header detected - injected PE

# Dump suspicious process memory
vol -f memory.raw windows.memmap --pid 3847 --dump

# List DLLs loaded by a suspicious process
vol -f memory.raw windows.dlllist --pid 3847

# Scan memory with YARA rules
vol -f memory.raw windows.yarascan --yara-file malware_rules.yar

Step 6: Extract Credentials and Artifacts

Recover sensitive data from memory:

# Dump registry hives from memory (for password hash extraction)
vol -f memory.raw windows.registry.hivelist
vol -f memory.raw windows.hashdump

# Extract command line history
vol -f memory.raw windows.cmdline

# List handles (files, registry keys, mutexes)
vol -f memory.raw windows.handles --pid 3847

# Extract clipboard contents
vol -f memory.raw windows.clipboard

# Dump cached files from memory
vol -f memory.raw windows.dumpfiles --pid 3847

Step 7: Generate Forensic Report

Compile findings into a structured analysis report documenting all evidence extracted from memory:

  • Process anomalies with PIDs, parent processes, and timestamps
  • Network connections with associated process context
  • Injected code regions with memory protection flags
  • Extracted IOCs (hashes, IPs, domains, mutexes, registry keys)
  • YARA rule matches with rule names and match offsets
  • Credential exposure (hashes found, accounts at risk)

Key Concepts

TermDefinition
Volatile EvidenceData that exists only in RAM and is lost when a system is powered off; includes running processes, network connections, encryption keys
Process InjectionTechnique where malware inserts code into a legitimate process's memory space to evade detection (malfind detects this)
EPROCESSWindows kernel data structure representing a process; psscan searches for these structures even when unlinked from the active process list
VAD (Virtual Address Descriptor)Windows kernel structure tracking memory regions allocated to a process; malfind examines VADs for executable but non-file-backed regions
Symbol TablesOS-specific data structures that Volatility 3 uses to parse memory; downloaded automatically based on detected OS version
PAGE_EXECUTE_READWRITEMemory protection flag indicating a region is readable, writable, and executable; common indicator of injected malicious code
Memory-Resident MalwareMalware that operates entirely in RAM without writing persistent files to disk, making it invisible to traditional disk-based antivirus

Tools & Systems

  • Volatility 3: Primary open-source memory forensics framework; Python 3 rewrite with automatic symbol resolution
  • WinPmem / DumpIt / Magnet RAM Capture: Memory acquisition tools for Windows systems
  • AVML (Acquire Volatile Memory for Linux): Microsoft's open-source Linux memory acquisition tool
  • YARA: Pattern matching engine for scanning memory dumps against malware signatures and behavioral rules
  • MemProcFS: Memory analysis tool that presents memory as a virtual file system for intuitive browsing

Common Scenarios

Scenario: Detecting Cobalt Strike Beacon in Memory

Context: EDR detects suspicious named pipe activity but cannot identify the source. A memory dump is acquired from the suspect endpoint for analysis.

Approach:

  1. Run windows.pstree to identify the process hierarchy and spot abnormal parent-child relationships
  2. Run windows.malfind to detect injected code regions, particularly in svchost.exe or rundll32.exe
  3. Dump the injected memory region and scan with YARA rules for Cobalt Strike beacon signatures
  4. Run windows.netscan to identify C2 connections and correlate with the injected process PID
  5. Extract the beacon configuration (C2 URLs, sleep time, jitter, watermark) using CobaltStrikeParser
  6. Run windows.cmdline to identify any post-exploitation commands executed

Pitfalls:

  • Analyzing only the process list without running malfind (missing injected code in legitimate processes)
  • Not capturing memory before isolating the endpoint (EDR containment may trigger malware self-deletion)
  • Using Volatility 2 profiles instead of Volatility 3 automatic symbol resolution on newer Windows versions

Output Format

MEMORY FORENSICS ANALYSIS REPORT
==================================
Incident:         INC-2025-1547
Evidence File:    WKSTN-042_20251115_1445.raw
SHA-256:          a4b3c2d1e5f6...
OS Identified:    Windows 10 22H2 (Build 19045)
Analysis Tool:    Volatility 3.2.0

PROCESS ANOMALIES
PID    Process         Parent       Anomaly
3847   update.exe      powershell   Suspicious executable in Temp directory
5102   svchost.exe     explorer     Wrong parent (expected services.exe)
---    [hidden]        ---          Found in psscan but not pslist

INJECTED CODE
PID    Process        Address Range        Protection              Finding
5102   svchost.exe    0x00A10000-0x00A14   PAGE_EXECUTE_READWRITE  MZ header (PE injection)

NETWORK CONNECTIONS
PID    Process      Local              Foreign             State
3847   update.exe   10.1.5.42:49721    185.220.101.42:443  ESTABLISHED
5102   svchost.exe  10.1.5.42:51003    91.215.85.17:8443   ESTABLISHED

YARA MATCHES
Rule: CobaltStrike_Beacon_x64
Match PID: 5102 (svchost.exe)
Offset: 0x00A10240

EXTRACTED IOCS
Hashes:     [SHA-256 of dumped injected code]
C2 IPs:     185.220.101.42, 91.215.85.17
C2 Domains: [extracted from beacon config]
Mutexes:    Global\MSCTF.Shared.MUTEX.ZRQ
how to use conducting-memory-forensics-with-volatility

How to use conducting-memory-forensics-with-volatility on Cursor

AI-first code editor with Composer

1

Prerequisites

Before installing skills in Cursor, ensure your development environment meets these requirements:

  • Cursor installed and configured on your development machine
  • Node.js version 16.0+ with npm package manager (verify with node --version)
  • Active project directory or workspace where you want to add conducting-memory-forensics-with-volatility
2

Execute installation command

Execute the skills CLI command in your project's root directory to begin installation:

$npx skills install mukul975/Anthropic-Cybersecurity-Skills/conducting-memory-forensics-with-volatility

The skills CLI fetches conducting-memory-forensics-with-volatility from GitHub repository mukul975/Anthropic-Cybersecurity-Skills and configures it for Cursor.

3

Select Cursor when prompted

The CLI will show a list of available agents. Use arrow keys to navigate and space to select Cursor:

◆ Which agents do you want to install to?
│ ── Universal (.agents/skills) ── always included ────
│ • Amp
│ • Antigravity
│ • Cline
│ • Codex
│ ●Cursor(selected)
│ • Cursor
│ • Windsurf
4

Verify installation

Confirm successful installation by checking the skill directory location:

.cursor/skills/conducting-memory-forensics-with-volatility

Reload or restart Cursor to activate conducting-memory-forensics-with-volatility. Access the skill through slash commands (e.g., /conducting-memory-forensics-with-volatility) or your agent's skill management interface.

Security & Verification Notice

We perform automated surface-level scans (Gen AI Scanner, Socket, Snyk) during installation. These checks detect common vulnerabilities but do not guarantee complete security. Always review skill source code and verify the publisher's reputation before production use.

Skills execute code in your development environment. Always verify the publisher's identity, review recent commits, and test in isolated environments before production deployment.

Additional Resources

View source code on GitHubSkills CLI documentationLearn more about CursorWhat are agent skills?

List & Monetize Your Skill

Submit your Claude Code skill and start earning

GET_STARTED →

Use Cases

Task Automation & Efficiency

Automate repetitive workflows and reduce manual effort

Example

Generate reports, summarize documents, draft communications

Save 3-5 hours per week on routine tasks

Knowledge Enhancement

Learn new skills, understand complex topics, get expert guidance

Example

Explain concepts, provide examples, suggest learning resources

Accelerate learning and skill development by 2x

Quality Improvement

Enhance output quality through reviews, suggestions, and refinements

Example

Review drafts, suggest improvements, catch errors

Improve work quality by 30-40% with less effort

Implementation Guide

Prerequisites

  • Claude Desktop or compatible AI client with skill support
  • Clear understanding of task or problem to solve
  • Willingness to iterate and refine outputs

Time Estimate

15-45 minutes depending on use case complexity

Installation Steps

  1. 1.Install skill using provided installation command
  2. 2.Test with simple use case relevant to your work
  3. 3.Evaluate output quality and relevance
  4. 4.Iterate on prompts to improve results
  5. 5.Integrate into regular workflow if valuable

Common Pitfalls

  • Expecting perfect results without iteration
  • Not providing enough context in prompts
  • Using skill for tasks outside its intended scope
  • Accepting outputs without review and validation

Best Practices

✓ Do

  • +Start with clear, specific prompts
  • +Provide relevant context and constraints
  • +Review and refine all outputs before using
  • +Iterate to improve output quality
  • +Document successful prompt patterns

✗ Don't

  • Don't use without understanding skill limitations
  • Don't skip validation of outputs
  • Don't share sensitive information in prompts
  • Don't expect skill to replace human judgment

💡 Pro Tips

  • Be specific about desired format and style
  • Ask for multiple options to choose from
  • Request explanations to understand reasoning
  • Combine AI efficiency with human expertise

When to Use This

✓ Use When

Use when skill capabilities match your task, clear ROI on time saved, and you can validate outputs. Best for repetitive tasks, learning, and quality improvement.

✗ Avoid When

Avoid when task requires deep expertise you can't validate, involves sensitive decisions, or when learning process is more valuable than speed of completion.

Learning Path

  1. 1Familiarize yourself with skill capabilities and limitations
  2. 2Start with low-risk, non-critical tasks
  3. 3Progress to more complex and valuable use cases
  4. 4Build expertise through regular use and experimentation

Discussion

Product Hunt–style comments (not star reviews)
  • No comments yet — start the thread.
general reviews

Ratings

4.668 reviews
  • Aanya Mensah· Dec 28, 2024

    conducting-memory-forensics-with-volatility fits our agent workflows well — practical, well scoped, and easy to wire into existing repos.

  • Neel Zhang· Dec 28, 2024

    We added conducting-memory-forensics-with-volatility from the explainx registry; install was straightforward and the SKILL.md answered most questions upfront.

  • Dhruvi Jain· Dec 8, 2024

    Registry listing for conducting-memory-forensics-with-volatility matched our evaluation — installs cleanly and behaves as described in the markdown.

  • Valentina Li· Dec 4, 2024

    conducting-memory-forensics-with-volatility reduced setup friction for our internal harness; good balance of opinion and flexibility.

  • Naina Haddad· Dec 4, 2024

    conducting-memory-forensics-with-volatility has been reliable in day-to-day use. Documentation quality is above average for community skills.

  • Camila Sanchez· Dec 4, 2024

    Useful defaults in conducting-memory-forensics-with-volatility — fewer surprises than typical one-off scripts, and it plays nicely with `npx skills` flows.

  • Naina Diallo· Dec 4, 2024

    Solid pick for teams standardizing on skills: conducting-memory-forensics-with-volatility is focused, and the summary matches what you get after install.

  • Oshnikdeep· Nov 27, 2024

    Solid pick for teams standardizing on skills: conducting-memory-forensics-with-volatility is focused, and the summary matches what you get after install.

  • Amelia Kapoor· Nov 23, 2024

    We added conducting-memory-forensics-with-volatility from the explainx registry; install was straightforward and the SKILL.md answered most questions upfront.

  • Luis Agarwal· Nov 23, 2024

    I recommend conducting-memory-forensics-with-volatility for anyone iterating fast on agent tooling; clear intent and a small, reviewable surface area.

showing 1-10 of 68

1 / 7