Smart Analyst for Memory Forensics - Full Volatility3 access plus high-level investigation tools. Run any vol3 plugin directly, or use intelligent analyzers for deeper insights.
This MCP provides two layers of functionality:
- Raw Vol3 Access - Run any Volatility3 plugin directly via `memory_run_plugin`
- Smart Analysis - High-level tools that correlate multiple plugins and apply detection logic
Use raw access when you need specific vol3 output. Use smart analysis tools for automated investigation:
| Question | Tool | Under the Hood |
|---|---|---|
| "Is this system compromised?" | memory_full_triage | Runs all detection, produces executive summary |
| "What's hiding?" | memory_hunt_process_anomalies | pslist vs psscan diff + parent-child validation |
| "Is there malware injected?" | memory_find_injected_code | malfind + YARA signatures |
| "Who's talking to C2?" | memory_find_c2_connections | netscan + process reputation |
| "What did the attacker run?" | memory_get_command_history | cmdscan + consoles aggregation |
| "Were creds dumped?" | memory_extract_credentials | hashdump + lsadump |
| Project | Focus | Link |
|---|---|---|
| winforensics-mcp | Windows disk forensics - EVTX, Registry, MFT, Prefetch, Amcache, YARA, PCAP analysis | GitHub |
| mac_forensics-mcp | macOS DFIR - Unified Logs, FSEvents, Spotlight, Plists, SQLite databases, Extended Attributes | GitHub |
Use together for complete incident response across platforms.
```bash
# Install uv (fast Python package manager)
curl -LsSf https://astral.sh/uv/install.sh | sh
# Ensure Python 3.10+
python3 --version
```

```bash
git clone https://github.com/x746b/memoryforensics-mcp.git
cd memoryforensics-mcp
# Option 1: Full install (recommended)
uv sync --extra full
# Option 2: Minimal with Volatility3 only
uv sync --extra volatility3
# Option 3: Add YARA support for malware signatures
uv sync --extra volatility3 --extra yara
```

```bash
uv run python -m memoryforensics_mcp.server
# Should start without errors (Ctrl+C to exit)
```

If you have Volatility3 installed elsewhere (e.g., /opt/volatility3), point to it via environment variable:

```bash
export VOLATILITY3_PATH="/opt/volatility3"
# Verify
uv run python -c "from memoryforensics_mcp.core import VOL3_AVAILABLE, VOL3_PATH; print(f'Vol3: {VOL3_AVAILABLE}, Path: {VOL3_PATH}')"
```

Note: Vol3 plugin dependencies (pefile, pycryptodome) are installed automatically with `--extra volatility3` or `--extra full`.
For malware signature detection, add YARA rules to `rules/memory_yara/`:

```bash
# Example: Add signature-base rules (Cobalt Strike, Meterpreter, etc.)
git clone https://github.com/Neo23x0/signature-base /tmp/signature-base
cp /tmp/signature-base/yara/apt_*.yar rules/memory_yara/
cp /tmp/signature-base/yara/mal_*.yar rules/memory_yara/
cp /tmp/signature-base/yara/gen_*.yar rules/memory_yara/
```

Recommended rule sources:
- signature-base - APT & malware signatures
- YARA-Rules - Community rules
- Elastic protections - Elastic Security rules
```bash
claude mcp add memoryforensics-mcp \
  --scope user \
  -- uv run --directory /opt/memoryforensics-mcp python -m memoryforensics_mcp.server
```

If you have Volatility3 installed elsewhere (e.g., /opt/volatility3):

```bash
claude mcp add memoryforensics-mcp \
  --scope user \
  -e VOLATILITY3_PATH=/opt/volatility3 \
  -- uv run --directory /opt/memoryforensics-mcp python -m memoryforensics_mcp.server
```

```python
memory_analyze_image(image_path="/evidence/memory.raw")
```
→ Auto-detects Windows/Linux, version, architecture. Creates analysis session.

```python
memory_full_triage(image_path="/evidence/memory.raw")
```
→ Runs all detectors, produces executive summary with risk level, IOCs, and recommendations.

```python
memory_run_plugin(image_path="/evidence/memory.raw", plugin="malfind", pid=1234)
```
→ Direct access to any Volatility3 plugin for detailed analysis.
This example demonstrates analyzing a Windows memory dump from a compromised system.
```python
memory_analyze_image(image_path="/evidence/memory.raw")
```

```json
{
  "session_id": "mem_4921f4ee3e5e",
  "file_size_gb": 4.02,
  "profile": {
    "os": "Windows",
    "version": "10",
    "build": "19041",
    "arch": "x64",
    "system_time": "2024-09-05 16:01:34+00:00"
  },
  "ready": true
}
```

Find suspicious processes with malfind:
```python
memory_run_plugin(image_path="/evidence/memory.raw", plugin="malfind", pid=3120)
```

```json
{
  "plugin": "windows.malfind.Malfind",
  "result_count": 4,
  "results": [
    {
      "PID": 3120,
      "Process": "mmc.exe",
      "Start VPN": 136118272,
      "Protection": "PAGE_EXECUTE_READWRITE",
      "Tag": "VadS"
    }
  ]
}
```

Get command line arguments:
```python
memory_run_plugin(image_path="/evidence/memory.raw", plugin="cmdline", pid=3120)
```

```json
{
  "results": [
    {
      "PID": 3120,
      "Process": "mmc.exe",
      "Args": "\"C:\\Windows\\system32\\mmc.exe\" \"C:\\Users\\victim\\AppData\\Local\\Temp\\malicious.msc\""
    }
  ]
}
```

Scan for files in memory:
```python
memory_run_plugin(image_path="/evidence/memory.raw", plugin="filescan")
```

```json
{
  "plugin": "windows.filescan.FileScan",
  "result_count": 7612,
  "results": [
    {"Offset": 184189821978576, "Name": "\\Windows\\System32\\drivers\\http.sys"},
    {"Offset": 184189829489552, "Name": "\\Users\\victim\\Downloads\\malware.zip"}
  ]
}
```

Network connections:
```python
memory_run_plugin(image_path="/evidence/memory.raw", plugin="netscan")
```

```json
{
  "result_count": 118,
  "results": [
    {
      "Proto": "TCPv4",
      "LocalAddr": "192.168.1.100",
      "LocalPort": 63173,
      "ForeignAddr": "185.220.101.1",
      "ForeignPort": 443,
      "State": "ESTABLISHED",
      "PID": 7736,
      "Owner": "dllhost.exe"
    }
  ]
}
```

Hunt for process anomalies (DKOM, unusual parents):
```python
memory_hunt_process_anomalies(image_path="/evidence/memory.raw")
```

```json
{
  "total_processes": 115,
  "anomalies_found": 3,
  "anomalies": [
    {
      "pid": 7736,
      "name": "dllhost.exe",
      "ppid": 3120,
      "parent_name": "mmc.exe",
      "findings": [
        {
          "type": "UNUSUAL_PARENT",
          "detail": "dllhost.exe should be spawned by svchost.exe, not mmc.exe",
          "severity": "HIGH"
        }
      ],
      "risk_score": "HIGH"
    }
  ],
  "summary": "Found 3 anomalies (2 HIGH, 1 terminated)"
}
```

Detect code injection:
```python
memory_find_injected_code(image_path="/evidence/memory.raw", yara_scan=true)
```

```json
{
  "injections_found": 5,
  "injections": [
    {
      "pid": 3120,
      "process_name": "mmc.exe",
      "vad_start": "0x7df481270000",
      "vad_size": 65535,
      "protection": "PAGE_EXECUTE_READWRITE",
      "findings": [
        {"type": "RWX_MEMORY", "detail": "Suspicious executable memory region", "severity": "HIGH"}
      ],
      "risk_score": "HIGH"
    },
    {
      "pid": 7736,
      "process_name": "dllhost.exe",
      "vad_start": "0x2c98bc20000",
      "vad_size": 557055,
      "protection": "PAGE_EXECUTE_READWRITE",
      "findings": [
        {"type": "RWX_MEMORY", "detail": "Suspicious executable memory region", "severity": "HIGH"},
        {"type": "YARA_MATCH", "detail": "Cobalt Strike beacon detected", "severity": "CRITICAL", "yara_rule": "CobaltStrike_Beacon"}
      ],
      "risk_score": "CRITICAL"
    }
  ],
  "summary": "Found 5 potential code injections (2 CRITICAL, 3 HIGH)"
}
```

Find C2 connections:
```python
memory_find_c2_connections(image_path="/evidence/memory.raw")
```

```json
{
  "suspicious_connections": 2,
  "connections": [
    {
      "pid": 7736,
      "process_name": "dllhost.exe",
      "remote_addr": "185.220.101.1",
      "remote_port": 8484,
      "findings": [
        {"type": "UNEXPECTED_NETWORK", "detail": "dllhost.exe should not make network connections", "severity": "HIGH"}
      ],
      "risk_score": "HIGH"
    }
  ]
}
```

```python
memory_full_triage(image_path="/evidence/memory.raw")
```
```json
{
  "risk_level": "HIGH",
  "summary": {
    "total_findings": 23,
    "by_severity": {"HIGH": 17, "MEDIUM": 6},
    "by_category": {"injection": 15, "network": 2, "process": 6}
  },
  "findings": [
    {
      "severity": "HIGH",
      "category": "injection",
      "title": "RWX_MEMORY: mmc.exe (PID 3120)",
      "detail": "Memory region has PAGE_EXECUTE_READWRITE protection",
      "iocs": [{"type": "pid", "value": "3120"}],
      "recommendations": ["Dump injected memory from PID 3120", "Extract and analyze payload"]
    },
    {
      "severity": "HIGH",
      "category": "process",
      "title": "UNUSUAL_PARENT: dllhost.exe (PID 7736)",
      "detail": "Spawned by mmc.exe instead of svchost.exe",
      "iocs": [{"type": "pid", "value": "7736"}]
    }
  ],
  "iocs": {
    "ip": ["185.220.101.1"],
    "pid": ["3120", "7736"],
    "filename": ["mmc.exe", "dllhost.exe", "malicious.msc"]
  },
  "recommended_actions": [
    "Dump and analyze injected processes: 3120, 7736",
    "Block identified C2 IP addresses",
    "Hunt IOCs on other systems"
  ]
}
```

```python
memory_list_plugins(image_path="/evidence/memory.raw")
```
```json
{
  "os_type": "windows",
  "plugins": [
    "pslist", "pstree", "psscan", "cmdline", "dlllist",
    "malfind", "vadinfo", "handles", "filescan", "dumpfiles",
    "netscan", "netstat", "registry", "hashdump", "lsadump",
    "envars", "svcscan", "driverscan", "ssdt", "callbacks"
  ],
  "total_count": 45
}
```

Look up extracted IOCs (hashes, IPs, domains) on VirusTotal:
```python
vt_lookup_hash(file_hash="4062963405cc71c032ca51ffd409e832120fcfd496969f4ef548774323c72413")
```

```json
{
  "hash": "4062963405cc71c032ca51ffd409e832120fcfd496969f4ef548774323c72413",
  "hash_type": "sha256",
  "found": true,
  "verdict": "malicious",
  "detection_ratio": "7/73",
  "file_type": "Win32 EXE",
  "file_size": 24576,
  "names": ["SecurityCheck.exe"],
  "tags": ["detect-debug-environment", "long-sleeps", "64bits"],
  "md5": "d9038b19ef4aea05213e2f3e02745933"
}
```

Also available: `vt_lookup_ip`, `vt_lookup_domain`, `vt_lookup_file`
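The "netscan + process reputation" correlation that memory_find_c2_connections performs in the walkthrough above, written out as an added example that is not the project's code. NO_OUTBOUND_EXPECTED, COMMON_PORTS and all sample netscan rows other than the dllhost.exe row taken from the page are assumptions.

```python
import ipaddress

# Assumed, illustrative expectations (not the project's reputation data).
NO_OUTBOUND_EXPECTED = {"dllhost.exe", "mmc.exe", "notepad.exe", "calc.exe"}
COMMON_PORTS = {80, 443, 53, 25, 587, 993, 995}
SEVERITY = ["INFO", "MEDIUM", "HIGH", "CRITICAL"]

def _is_external(addr):
    """True only for globally routable peers; private, loopback, unspecified and '*' are skipped."""
    try:
        return ipaddress.ip_address(addr).is_global
    except ValueError:  # netscan prints "*" or "" for unbound foreign addresses
        return False

def find_c2_connections(netscan_rows):
    """Correlate netscan rows with per-process expectations, as memory_find_c2_connections does."""
    hits = []
    for r in netscan_rows:
        if r.get("State") == "LISTENING" or not _is_external(r.get("ForeignAddr", "")):
            continue
        findings = []
        owner = r.get("Owner") or ""
        if owner.lower() in NO_OUTBOUND_EXPECTED:
            findings.append({"type": "UNEXPECTED_NETWORK", "severity": "HIGH",
                             "detail": f"{owner} should not make network connections"})
        if r["ForeignPort"] not in COMMON_PORTS:
            findings.append({"type": "UNCOMMON_PORT", "severity": "MEDIUM",
                             "detail": f"outbound connection to port {r['ForeignPort']}"})
        if findings:
            hits.append({"pid": r["PID"], "process_name": owner,
                         "remote_addr": r["ForeignAddr"], "remote_port": r["ForeignPort"],
                         "findings": findings,
                         "risk_score": max((f["severity"] for f in findings), key=SEVERITY.index)})
    return hits

# Constructed netscan rows; the first is the dllhost.exe row from the walkthrough above.
def _row(proto, laddr, lport, faddr, fport, state, pid, owner):
    return {"Proto": proto, "LocalAddr": laddr, "LocalPort": lport, "ForeignAddr": faddr,
            "ForeignPort": fport, "State": state, "PID": pid, "Owner": owner}

SAMPLE_NETSCAN = [
    _row("TCPv4", "192.168.1.100", 63173, "185.220.101.1", 443, "ESTABLISHED", 7736, "dllhost.exe"),
    _row("TCPv4", "192.168.1.100", 63180, "185.220.101.1", 8484, "ESTABLISHED", 4812, "chrome.exe"),
    _row("UDPv4", "192.168.1.100", 51234, "192.168.1.1", 53, "", 900, "svchost.exe"),
    _row("TCPv4", "0.0.0.0", 445, "0.0.0.0", 0, "LISTENING", 4, "System"),
]

if __name__ == "__main__":
    for h in find_c2_connections(SAMPLE_NETSCAN):
        print(h["pid"], h["process_name"], h["remote_addr"], h["remote_port"], h["risk_score"])
```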
| Tool | Description |
|---|---|
| memory_run_plugin | Run any vol3 plugin directly (e.g., pslist, malfind, netscan) |
| memory_list_plugins | List all available vol3 plugins for the detected OS |
| memory_analyze_image | Initialize memory dump, auto-detect OS profile |
| memory_list_sessions | List active analysis sessions |
| memory_get_status | Check Volatility3 availability |

Example - Raw plugin access:

```python
memory_run_plugin(image_path="/evidence/memory.raw", plugin="malfind", pid=3120)
```
| Tool | Description |
|---|---|
| memory_hunt_process_anomalies | Find hidden processes (DKOM), unusual parent-child relationships, suspicious process names |
| memory_get_process_tree | Process tree with suspicious highlighting based on Windows process rules |
| Tool | Description |
|---|---|
| memory_find_injected_code | Detect RWX memory, shellcode signatures, PE headers. YARA scanning supported |
| memory_find_c2_connections | Suspicious network connections correlated with process reputation |
| Tool | Description |
|---|---|
| memory_get_command_history | Recover attacker commands from cmd.exe, PowerShell. Analyzes for suspicious patterns |
| memory_extract_credentials | Extract NTLM hashes, LSA secrets, cached domain credentials |
| Tool | Description |
|---|---|
| memory_full_triage | Complete automated investigation with executive summary, prioritized findings, and IOCs |
| Tool | Description |
|---|---|
| memory_dump_process | Get process info, memory regions, loaded DLLs |
| memory_dump_vad | Examine specific VAD (memory region) details |
| memory_list_dumpable_files | List files cached in memory for extraction |
| Tool | Description |
|---|---|
| vt_lookup_hash | Look up file hash (MD5/SHA1/SHA256) for threat intel |
| vt_lookup_ip | Check IP reputation (ASN, country, verdicts) |
| vt_lookup_domain | Check domain reputation and categorization |
| vt_lookup_file | Hash local file and look up on VT |

Note: Requires the `VIRUSTOTAL_API_KEY` env var or the `~/.config/winforensics-mcp/vt_api_key` file (shared with winforensics-mcp).
These two MCP servers are designed to work together:
```text
memoryforensics-mcp                    winforensics-mcp
│                                      │
│ memory_full_triage()                 │
│ └─► Extracts IOCs:                   │
│     - sha256: "abc123..."            │
│     - C2 IP: "185.220.101.1"         │
│                                      │
└──────────────────────────────────────┤
                                       │
                    hunt_ioc("abc123...", artifacts_dir)
                    hunt_ioc("185.220.101.1", artifacts_dir)
                                       │
                                       └─► Found in Amcache, Browser downloads
```
| Library | Purpose |
|---|---|
| volatility3 | Memory forensics framework |
| yara-python | Malware signature scanning (optional) |
| vt-py | VirusTotal API client (optional) |
| mcp | Model Context Protocol |
MIT License
xtk
Built for the DFIR community. Companion to winforensics-mcp.