conducting-memory-forensics-with-volatility
Installation
SKILL.md
Conducting Memory Forensics with Volatility
When to Use
- An endpoint has been contained during an active incident and volatile evidence must be preserved
- EDR alerts suggest process injection or fileless malware that only exists in memory
- Encryption keys need to be recovered from a ransomware-infected system before shutdown
- Credential theft (Mimikatz, LSASS dumping) is suspected and evidence must be confirmed
- A rootkit or kernel-level compromise is suspected and disk-based analysis is insufficient
Do not use for analyzing disk images or file system artifacts; use disk forensics tools (Autopsy, FTK) for those tasks.