Conducting Memory Forensics with Volatility

When to Use

  • An endpoint has been contained during an active incident and volatile evidence must be preserved
  • EDR alerts suggest process injection or fileless malware that only exists in memory
  • Encryption keys need to be recovered from a ransomware-infected system before shutdown
  • Credential theft (Mimikatz, LSASS dumping) is suspected and evidence must be confirmed
  • A rootkit or kernel-level compromise is suspected and disk-based analysis is insufficient

Do not use for analyzing disk images or file system artifacts; use disk forensics tools (Autopsy, FTK) for those tasks.
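The three scenarios above that turn on in-memory evidence (injected or fileless code, suspected rootkit, credential theft via LSASS) are usually triaged with the same first pass: compare two views of the process list, check that the core Windows processes have the parents they should, and look for executable private memory that starts with a PE header. The script below is an added example written for this page, not code from the skill or from the Volatility project. It assumes Volatility 3's JSON renderer (`vol -r json ...`) emits one object per row keyed by the plugin's column names (`PID`, `PPID`, `ImageFileName`, `ExitTime`, `Protection`, `Start VPN`, `Hexdump`); the embedded process and region rows are constructed sample data, and the expected-parent table is a generic "know normal" baseline rather than anything Volatility asserts.

```python
"""Cross-view triage of Volatility 3 JSON output (added example, not the skill's code).

Intended input (assumption: keys match the plugins' column names):
  vol -f mem.raw -r json windows.pslist  > pslist.json
  vol -f mem.raw -r json windows.psscan  > psscan.json
  vol -f mem.raw -r json windows.malfind > malfind.json
Run with no arguments to triage the constructed samples below.
"""
import json
import re
import sys

# "Know normal" baseline: the parent a core process has on a healthy host.
# A mismatch means masquerading or a process launched by something unusual.
EXPECTED_PARENT = {
    "lsass.exe": "wininit.exe",
    "services.exe": "wininit.exe",
    "svchost.exe": "services.exe",
}

# Constructed windows.pslist rows (walk of the EPROCESS linked list).
SAMPLE_PSLIST = json.loads("""[
 {"PID": 4,    "PPID": 0,    "ImageFileName": "System",       "ExitTime": null},
 {"PID": 456,  "PPID": 4,    "ImageFileName": "smss.exe",     "ExitTime": null},
 {"PID": 588,  "PPID": 580,  "ImageFileName": "wininit.exe",  "ExitTime": null},
 {"PID": 640,  "PPID": 588,  "ImageFileName": "services.exe", "ExitTime": null},
 {"PID": 652,  "PPID": 588,  "ImageFileName": "lsass.exe",    "ExitTime": null},
 {"PID": 804,  "PPID": 640,  "ImageFileName": "svchost.exe",  "ExitTime": null},
 {"PID": 2840, "PPID": 1700, "ImageFileName": "explorer.exe", "ExitTime": null},
 {"PID": 3120, "PPID": 2840, "ImageFileName": "svchost.exe",  "ExitTime": null}
]""")

# Constructed windows.psscan rows (pool-tag scan): everything pslist saw plus a
# terminated process still in pool memory and one unlinked from the list.
SAMPLE_PSSCAN = SAMPLE_PSLIST + [
    {"PID": 1188, "PPID": 640, "ImageFileName": "SearchIndexer",
     "ExitTime": "2024-01-01 10:05:00.000000"},
    {"PID": 4412, "PPID": 804, "ImageFileName": "rundll32.exe", "ExitTime": None},
]

# Constructed windows.malfind rows; Hexdump holds the first bytes of the region.
SAMPLE_MALFIND = json.loads("""[
 {"PID": 2840, "Process": "explorer.exe", "Start VPN": 20971520, "Tag": "VadS",
  "Protection": "PAGE_EXECUTE_READWRITE", "PrivateMemory": 1,
  "Hexdump": "4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00"},
 {"PID": 804, "Process": "svchost.exe", "Start VPN": 1441792, "Tag": "VadS",
  "Protection": "PAGE_EXECUTE_READWRITE", "PrivateMemory": 1,
  "Hexdump": "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"}
]""")

HEX_BYTE = re.compile(r"\b[0-9a-f]{2}\b")


def hidden_processes(pslist, psscan):
    """Split psscan-only PIDs into likely-hidden (no ExitTime) and merely terminated.
    Terminated processes linger in pool memory until the allocation is reused, so
    treating every psscan-only row as a rootkit indicator produces false positives."""
    listed = {row["PID"] for row in pslist}
    hidden, terminated = [], []
    for row in psscan:
        if row["PID"] in listed:
            continue
        (terminated if row.get("ExitTime") else hidden).append(row)
    return hidden, terminated


def parent_anomalies(pslist):
    """Core processes whose parent is not the one EXPECTED_PARENT requires."""
    by_pid = {row["PID"]: row for row in pslist}
    findings = []
    for row in pslist:
        expected = EXPECTED_PARENT.get(row["ImageFileName"].lower())
        if expected is None:
            continue
        parent = by_pid.get(row["PPID"])
        actual = parent["ImageFileName"].lower() if parent else "<not in pslist>"
        if actual != expected:
            findings.append((row["PID"], row["ImageFileName"], actual, expected))
    return findings


def injected_pe_regions(malfind):
    """RWX private regions whose first two bytes are 'MZ': a PE mapped by hand."""
    hits = []
    for row in malfind:
        if "EXECUTE_READWRITE" not in row["Protection"]:
            continue
        first = bytes.fromhex("".join(HEX_BYTE.findall(row["Hexdump"].lower())[:2]))
        if first == b"MZ":
            hits.append((row["PID"], row["Process"], hex(row["Start VPN"])))
    return hits


def triage(pslist, psscan, malfind):
    hidden, terminated = hidden_processes(pslist, psscan)
    return {
        "hidden": [(r["PID"], r["ImageFileName"]) for r in hidden],
        "terminated_only_in_psscan": [(r["PID"], r["ImageFileName"]) for r in terminated],
        "parent_anomalies": parent_anomalies(pslist),
        "injected_pe": injected_pe_regions(malfind),
    }


if __name__ == "__main__":
    if len(sys.argv) == 4:
        pslist, psscan, malfind = (json.load(open(p)) for p in sys.argv[1:])
    else:
        pslist, psscan, malfind = SAMPLE_PSLIST, SAMPLE_PSSCAN, SAMPLE_MALFIND
    for key, value in triage(pslist, psscan, malfind).items():
        print(f"{key}: {value}")
```

On the sample data this reports `rundll32.exe` (PID 4412) as present only in the pool scan, sets `SearchIndexer` aside as a terminated process, flags the `svchost.exe` launched by `explorer.exe`, and singles out the RWX region in `explorer.exe` that begins with an MZ header while ignoring the zero-filled one. Each finding is a lead, not a verdict: follow a hidden-process hit with `windows.dlllist`/`windows.handles` on that PID, and dump a flagged region with `windows.malfind --dump` before drawing conclusions.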

Prerequisites

Installs: 79
GitHub Stars: 24.2K
First Seen: Mar 15, 2026
Source: mukul975/anthropic-cybersecurity-skills (conducting-memory-forensics-with-volatility)