memory-forensics
Volatility 3 memory forensics workflows covering acquisition with LiME and WinPmem, and structured analysis using Volatility 3 plugin reference
Best use case
memory-forensics is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
It is a strong fit for teams already working in Codex.
Volatility 3 memory forensics workflows covering acquisition with LiME and WinPmem, and structured analysis using Volatility 3 plugin reference
Teams using memory-forensics should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/memory-forensics/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How memory-forensics Compares
| Feature / Agent | memory-forensics | Standard Approach |
|---|---|---|
| Platform Support | Codex | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Volatility 3 memory forensics workflows covering acquisition with LiME and WinPmem, and structured analysis using Volatility 3 plugin reference
Which AI agents support this skill?
This skill is designed for Codex.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
Related Guides
Cursor vs Codex for AI Workflows
Compare Cursor and Codex for AI coding workflows, repository assistance, debugging, refactoring, and reusable developer skills.
AI Agents for Coding
Browse AI agent skills for coding, debugging, testing, refactoring, code review, and developer workflows across Claude, Cursor, and Codex.
AI Agent for Product Research
Browse AI agent skills for product research, competitive analysis, customer discovery, and structured product decision support.
SKILL.md Source
# memory-forensics
Guides memory acquisition and analysis for both Linux and Windows targets. Acquisition uses LiME (Linux) or WinPmem (Windows). Analysis uses Volatility 3 with a structured plugin sequence covering process analysis, network connections, injected code detection, and rootkit indicators.
## Triggers
Alternate expressions and non-obvious activations (primary phrases are matched automatically from the skill description):
- "vol3" / "volatility" → Volatility 3 memory analysis
- "LSASS" → credential extraction analysis
- "memory dump" → volatile memory analysis
## Purpose
Memory forensics recovers volatile evidence unavailable on disk: running processes with no on-disk binary, injected shellcode, encryption keys, credential material, and network connections active at time of capture. This skill provides a repeatable acquisition and analysis workflow that produces structured findings from a raw memory image.
## Behavior
When triggered, this skill:
1. **Determine acquisition path**:
- If target OS is Linux: use LiME kernel module
- If target OS is Windows: use WinPmem
- If a memory image path is provided directly: skip acquisition and proceed to analysis
- Verify available disk space at output path before starting acquisition
2. **Linux memory acquisition with LiME**:
- Identify kernel version: `uname -r`
- Check for pre-built LiME module matching kernel, or note that one must be compiled:
```bash
# Compile LiME against the target kernel headers
make -C /lib/modules/$(uname -r)/build M=$(pwd) modules
```
- Load module and write to file (local) or network (to avoid writing to target disk):
```bash
# Write to file
insmod lime.ko "path=/mnt/evidence/memory.lime format=lime"
# Stream over network to examiner host
insmod lime.ko "path=tcp:4444 format=lime"
# On examiner: nc -l 4444 > memory.lime
```
- Record SHA-256 hash of acquired image immediately after capture
- Unload module: `rmmod lime`
3. **Windows memory acquisition with WinPmem**:
- Transfer `winpmem_multi_x64.exe` to target (verify hash before use)
- Acquire to file:
```
winpmem_multi_x64.exe memory.raw
```
- For large systems, use the `--split` option to produce chunked output
- Record SHA-256 hash of each output file
- Optionally stream directly to examiner host using WinPmem's network mode
4. **Volatility 3 environment setup**:
- Verify Volatility 3 is installed: `vol --version`
- Set image path variable for subsequent commands
- For Linux targets, provide the Volatility 3 ISF (Intermediate Symbol Format) symbol table; generate if not available using `dwarf2json`
- For Windows targets, Volatility 3 auto-selects symbols from its built-in PDB download capability
5. **Process analysis plugins**:
- `vol -f <image> windows.pslist` / `linux.pslist` — full process listing with parent relationships
- `vol -f <image> windows.pstree` / `linux.pstree` — tree view for spotting orphaned processes
- `vol -f <image> windows.psscan` — scan raw memory for EPROCESS structures (finds hidden processes not in list)
- Compare pslist vs psscan output to identify DKOM-hidden processes
6. **Code injection and malicious process detection**:
- `vol -f <image> windows.malfind` — find process memory regions with PAGE_EXECUTE_READWRITE and no backing file
- `vol -f <image> windows.dlllist --pid <pid>` — DLL list per process; compare against baseline
- `vol -f <image> windows.handles --pid <pid>` — open handles including files, registry keys, mutexes
- `vol -f <image> linux.proc_maps` — memory map for Linux processes; flag rwx anonymous mappings
7. **Network connection analysis**:
- `vol -f <image> windows.netstat` — active and recently closed TCP/UDP connections with owning process
- `vol -f <image> linux.sockstat` — Linux socket state
- Extract unique remote IPs and ports for IOC enrichment
8. **Persistence and rootkit indicators**:
- `vol -f <image> windows.svcscan` — Windows service list including those not in SCM
- `vol -f <image> windows.driverirp` — driver IRP hook detection
- `vol -f <image> windows.ssdt` — SSDT hook detection
- `vol -f <image> linux.check_syscall` — Linux syscall table hook detection
- `vol -f <image> linux.check_modules` — kernel module list integrity
9. **Credential and artifact extraction**:
- `vol -f <image> windows.hashdump` — extract NTLM hashes from SAM/SYSTEM
- `vol -f <image> windows.lsadump` — LSA secrets
- `vol -f <image> windows.cmdline` — command-line arguments for all processes
- `vol -f <image> windows.filescan` — file handles in memory (recovers paths of deleted files)
10. **Write findings document**:
- Save to `.aiwg/forensics/findings/<hostname>-memory.md`
- Include: image hash, acquisition metadata, suspicious processes, injection findings, network IOCs, rootkit indicators
## Usage Examples
### Example 1 — Analyze existing image
```
memory dump analysis /evidence/memory.lime
```
### Example 2 — Full acquisition and analysis
```
acquire memory from user@compromised-host.example.com
```
### Example 3 — Windows target
```
memory forensics windows /mnt/evidence/win-memory.raw
```
## Output Locations
- Findings: `.aiwg/forensics/findings/<hostname>-memory.md`
- Memory image: `.aiwg/forensics/evidence/<hostname>-memory.lime` (or `.raw`)
- Image hash: `.aiwg/forensics/evidence/<hostname>-memory.sha256`
- Volatility output: `.aiwg/forensics/evidence/<hostname>-volatility/`
## Configuration
```yaml
memory_forensics:
volatility_path: vol
lime_format: lime
winpmem_path: winpmem_multi_x64.exe
hash_algorithm: sha256
linux_symbol_path: /opt/volatility3/symbols/linux/
malfind_dump_vads: true
plugins:
windows:
- windows.pslist
- windows.psscan
- windows.pstree
- windows.malfind
- windows.netstat
- windows.svcscan
- windows.cmdline
- windows.dlllist
linux:
- linux.pslist
- linux.pstree
- linux.proc_maps
- linux.sockstat
- linux.check_syscall
- linux.check_modules
```
## References
- @$AIWG_ROOT/agentic/code/frameworks/forensics-complete/rules/volatility-order.md — Memory is the most volatile artifact; acquire before any disk or log collection
- @$AIWG_ROOT/agentic/code/frameworks/forensics-complete/rules/evidence-integrity.md — Hash memory image immediately after acquisition; record hash in custody log
- @$AIWG_ROOT/agentic/code/addons/aiwg-utils/rules/research-before-decision.md — Verify disk space, kernel version, and tool availability before starting acquisition
- @$AIWG_ROOT/agentic/code/frameworks/forensics-complete/rules/red-flag-escalation.md — Escalate when malfind, DKOM-hidden processes, or SSDT hooks are found in memory
- @$AIWG_ROOT/agentic/code/frameworks/forensics-complete/skills/ioc-extraction/SKILL.md — Extract network IOCs from Volatility netstat/sockstat output for cross-referencingRelated Skills
supply-chain-forensics
SBOM analysis, build pipeline forensics, and dependency verification covering package integrity, build reproducibility, and CI/CD pipeline tampering
ralph-memory
Manage Al semantic memory entries — list, query, and clear lessons learned across loop iterations
memory-query-capture
Capture query synthesis as durable pages in semantic memory
memory-log-render
Generate a human-readable Markdown view from a consumer's JSON Lines event log
memory-log-append
Append a structured event to a consumer's semantic memory log
memory-ingest
Ingest a source into any consumer's semantic memory by reading the topology contract
linux-forensics
Generalized Linux incident response and forensic analysis covering Debian/Ubuntu, RHEL/CentOS/Rocky, and SUSE families
forensics-triage
Quick triage investigation following RFC 3227 volatility order
forensics-timeline
Build correlated event timeline from multiple sources
forensics-status
Show investigation status dashboard
forensics-report
Generate forensic investigation report
forensics-profile
Build target system profile via SSH or cloud API enumeration