memory-forensics
Purpose
This skill enables analysis of volatile memory dumps using tools like Volatility to identify malware, rootkits, and security breaches, supporting digital forensics investigations.
When to Use
Use this skill during incident response for suspected breaches, when analyzing RAM dumps from compromised systems, or for proactive security assessments on endpoints with potential malware infections.
Key Capabilities
- Parse memory dumps to extract processes, network connections, and injected code using Volatility's plugins.
- Detect hidden processes and rootkits via checks for process hollowing or DKOM (Direct Kernel Object Manipulation).
- Analyze hibernation files or pagefiles for artifacts like command history or encryption keys.
- Supports multiple dump formats, including raw, VMware, and crash dumps, with automated profile detection.
Usage Patterns
Invoke this skill via CLI commands in a Python script or directly in a terminal. Always specify the memory dump file and required plugins. For automation, wrap commands in a function that handles file paths and outputs. Use environment variables for API keys if extending to cloud-based forensics tools.
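As an added example (not code from this skill page or from the Volatility project), the wrapper below shows the pattern described above: one function builds and runs a Volatility 3 plugin invocation and returns its rows, and a second cross-checks the linked process list against the pool-scanned list to surface unlinked (DKOM-style hidden) processes. It assumes Volatility 3's `vol` entry point is on PATH with its `-r json` renderer, and the sample rows are constructed to exercise the check offline.

```python
# Wrapper around Volatility 3 CLI calls plus a pslist-vs-psscan DKOM check.
# Assumptions: `vol` (Volatility 3) is on PATH; `-r json` emits a list of
# row dicts keyed by column name (PID, PPID, ImageFileName, ExitTime, ...).
import json
import shutil
import subprocess
import sys
from pathlib import Path

VOL_BIN = "vol"  # Volatility 3 entry point; adjust if installed as vol.py


def build_vol_cmd(dump_path, plugin, extra_args=()):
    """Assemble the argv for one plugin run using the JSON renderer."""
    return [VOL_BIN, "-r", "json", "-f", str(dump_path), plugin, *extra_args]


def run_plugin(dump_path, plugin, extra_args=()):
    """Run a plugin against the dump and return its rows as dicts."""
    if shutil.which(VOL_BIN) is None:
        raise RuntimeError(f"{VOL_BIN} not found on PATH")
    if not Path(dump_path).is_file():
        raise FileNotFoundError(f"memory dump not found: {dump_path}")
    proc = subprocess.run(build_vol_cmd(dump_path, plugin, extra_args),
                          capture_output=True, text=True, check=True)
    return json.loads(proc.stdout)


def find_hidden_pids(pslist_rows, psscan_rows):
    """PIDs found by pool scanning but absent from the EPROCESS linked list.

    Exited processes linger in pool memory and are legitimately missing
    from pslist, so rows with an ExitTime are excluded to avoid false hits.
    """
    listed = {row["PID"] for row in pslist_rows}
    return sorted((row["PID"], row["ImageFileName"]) for row in psscan_rows
                  if row["PID"] not in listed and not row.get("ExitTime"))


# Constructed sample rows in the shape of Volatility 3 JSON output.
SAMPLE_PSLIST = [
    {"PID": 4, "PPID": 0, "ImageFileName": "System", "ExitTime": None},
    {"PID": 612, "PPID": 4, "ImageFileName": "smss.exe", "ExitTime": None},
]
SAMPLE_PSSCAN = SAMPLE_PSLIST + [
    {"PID": 3188, "PPID": 612, "ImageFileName": "svchost.exe", "ExitTime": None},
    {"PID": 2044, "PPID": 612, "ImageFileName": "notepad.exe",
     "ExitTime": "2024-01-01T10:00:00"},  # exited: not a hiding indicator
]

if __name__ == "__main__":
    dump = sys.argv[1]  # path to the memory image under analysis
    hidden = find_hidden_pids(run_plugin(dump, "windows.pslist"),
                              run_plugin(dump, "windows.psscan"))
    for pid, name in hidden:
        print(f"[!] process absent from pslist: pid={pid} name={name}")
```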