memory-forensics

by wshobson

memory-forensics skill for RAM capture and dump analysis with Volatility 3. Covers install context, usage workflows, artifact extraction, and incident triage across Windows, Linux, macOS, and VM memory.

Stars32.6k

Favorites0

Comments0

AddedMar 30, 2026

CategoryIncident Triage

Install Command

npx skills add wshobson/agents --skill memory-forensics

Curation Score

This skill scores 76/100, which makes it a solid directory listing candidate for users who want a reusable memory forensics playbook rather than just a generic prompt. The repository gives clear trigger context and substantial command-oriented content around acquisition and Volatility-based analysis, but users should expect documentation-only guidance with some setup and decision-making still left to them.

76/100

Strengths

Clear triggerability from frontmatter: it explicitly says to use the skill for memory dumps, incident investigations, and malware analysis from RAM captures.
Substantial operational content: the skill includes concrete acquisition commands for Windows, Linux, macOS, and VM memory sources plus Volatility 3 installation/setup guidance.
Good agent leverage as a workflow reference: the document is long and structured around multiple analysis areas rather than being a placeholder or thin demo.

Cautions

Documentation-only skill: there are no scripts, reference files, rules, or helper assets, so execution depends on the agent or user already knowing how to apply the commands safely.
Install/adoption clarity is only moderate: there is no install command in SKILL.md and the structural signals show limited explicit constraints or practical guidance.

Reverse Engineering Security Monitoring Python Cli

Overview

Overview of memory-forensics skill

What the memory-forensics skill does

The memory-forensics skill helps an agent work through RAM acquisition and memory dump analysis using established tooling such as Volatility 3 and common capture utilities. It is aimed at incident response, malware triage, and host investigation workflows where disk artifacts alone are not enough.

Who this skill is best for

This memory-forensics skill is a strong fit for:

responders handling suspected compromise on Windows, Linux, or macOS
analysts examining a captured memory image or VM memory file
users who need a practical starting structure for process, network, and artifact analysis
teams doing memory-forensics for Incident Triage rather than deep kernel research

It is less useful if you do not yet have a memory image, cannot legally or safely collect one, or only need basic log review.

The real job-to-be-done

Most users do not need a history lesson on memory analysis. They need help answering questions such as:

what is the safest way to capture RAM on this system?
how do I analyze the dump with the right tool and symbols?
which processes, injected code, credentials, sockets, and persistence clues should I check first?
how do I turn a broad suspicion into a repeatable memory-forensics guide?

This skill is valuable because it bundles those tasks into a usable workflow instead of leaving the agent to improvise from a blank prompt.

What differentiates this skill

The main differentiator is breadth across the full memory-forensics path: acquisition options, VM capture, Volatility setup, and investigative categories like processes, DLLs, networking, registry data, malware indicators, and extraction. It is more operational than a generic “analyze this dump” prompt, especially when you need the agent to suggest the next forensic step, not just name tools.

What to know before you install

This repository path contains a single SKILL.md with the guidance. There are no helper scripts, packaged symbols, automation rules, or sample datasets in the skill folder. That means the memory-forensics install is lightweight, but output quality depends heavily on the details you provide: operating system, capture method, file format, suspected threat, and the exact question you need answered.

How to Use memory-forensics skill

Install context for the memory-forensics skill

Install the skill from the repository, then invoke it when your task involves memory capture, Volatility-based analysis, or artifact extraction from RAM.

npx skills add https://github.com/wshobson/agents --skill memory-forensics

Because the skill folder only exposes SKILL.md, there is little hidden behavior. What you get is structured guidance, not a turnkey forensic pipeline.

Read this file first

Start with:

plugins/reverse-engineering/skills/memory-forensics/SKILL.md

Since there are no companion scripts or references in the folder, reading SKILL.md is effectively the full repository-reading path for this skill.

What input the skill needs to work well

The memory-forensics skill performs best when you provide concrete forensic context. Include:

target OS and version if known
memory image path and format, such as .raw, .lime, .elf, or VM memory
whether the image is from a live capture, hypervisor snapshot, or endpoint tool
analysis goal: triage, malware confirmation, credential theft, injected code, suspicious network activity
any known indicators: hostname, usernames, process names, hashes, IPs, domains, timestamps
your available tools: vol, python, symbol packs, YARA rules, strings, grep

Without this, the agent will default to a generic memory-forensics usage plan instead of a targeted investigation.

Turn a rough goal into a good prompt

Weak prompt:

“Analyze this memory dump.”

Stronger prompt:

“Use the memory-forensics skill to triage a Windows 10 memory image at evidence/win10.raw. Prioritize suspicious processes, network connections, DLL injection, LSASS access, persistence clues, and files worth extracting. Assume I have Volatility 3 installed but not Windows symbols. Give me a step-by-step command sequence and explain what findings would be high priority for incident triage.”

The stronger version improves results because it gives the skill a platform, a file, an objective, and output expectations.

Example prompt for memory-forensics for Incident Triage

Use a prompt like this when speed matters:

Use the memory-forensics skill for Incident Triage on a Linux memory image captured with LiME. I need a prioritized workflow: identify suspicious processes, loaded modules, open sockets, shell history or credentials in memory if feasible, and anything that suggests rootkit or malware activity. Recommend Volatility 3 commands, note any plugin limitations, and tell me what to extract for follow-up.

This keeps the output practical and triage-oriented instead of drifting into broad theory.

Typical workflow the skill supports

A good usage pattern is:

Identify the source and format of the memory image.
Confirm the platform and choose the acquisition-specific handling.
Set up Volatility 3 and required symbols if applicable.
Run baseline enumeration on processes, command lines, network connections, modules, and handles.
Pivot into suspicious artifacts: injected code, credential material, registry data, browser traces, or malware unpacking clues.
Extract high-value artifacts for offline review.
Summarize findings with confidence levels and next steps.

The skill is most helpful when you ask for this as a decision-driven workflow, not just a list of plugins.

What the skill actually covers well

From the source content, this memory-forensics guide is strongest on:

live acquisition options for Windows, Linux, and macOS
virtual machine memory collection
Volatility 3 installation and setup
process and artifact analysis from dumps
malware analysis and extraction tasks

That makes it especially useful if your blocker is choosing the next command or the next artifact category to inspect.

Practical install and environment notes

The skill references Volatility 3, so plan for:

Python environment management
symbol availability, especially on Windows
adequate storage for large memory images
permission-sensitive acquisition on live systems
format differences between raw dumps, ELF-style captures, and hypervisor outputs

In practice, many failed first runs are environment problems rather than analysis problems. If you want the agent to help, tell it exactly what failed: install error, symbol issue, unsupported format, or plugin mismatch.

Tips that materially improve output quality

To get better memory-forensics usage from the agent:

ask for command-by-command workflows, not just concepts
ask it to separate “triage first” checks from “deep dive later” checks
provide known suspicious process names or IPs so it can build pivots
ask for expected outputs and how to interpret anomalies
ask it to flag where Volatility 3 may need symbols or where a plugin may not fit your OS

These prompts reduce hand-wavy advice and force the skill into operational mode.

What this skill does not automate

This is not a packaged forensic suite. The memory-forensics skill does not ship:

acquisition binaries
curated symbol bundles
validation scripts
chain-of-custody tooling
one-click report generation

If you need end-to-end automation, treat this skill as analysis guidance and command scaffolding, not as a replacement for your forensic toolkit.

memory-forensics skill FAQ

Is this memory-forensics skill good for beginners?

Yes, if you already understand basic command-line usage and what a memory image is. The skill gives enough structure to start, but it does not eliminate the need to know your platform, tool availability, and investigative goal. Absolute beginners may still need external help for Volatility installation and symbol handling.

When is the memory-forensics skill a better choice than a normal prompt?

Use the memory-forensics skill when you want the agent to stay inside a forensic workflow: acquisition, triage, artifact extraction, and malware-oriented pivots. A generic prompt may produce vague advice, while this skill is more likely to suggest realistic tools, commands, and investigative order.

Does the memory-forensics install include tools like Volatility?

No. The memory-forensics install adds the skill guidance, not the forensic binaries. You still need to install and validate tools such as volatility3 yourself.

Can I use it for live memory acquisition guidance?

Yes. The source content explicitly includes live acquisition approaches for Windows, Linux, and macOS, plus virtual machine memory capture. That said, you should still validate operational risk before collecting RAM on production or potentially unstable hosts.

Is it suitable for malware analysis?

Yes. The skill is a good fit when malware may only be visible in memory through injected code, unpacked payloads, suspicious modules, or live process artifacts. It is especially useful when disk-based scans are incomplete.

When should I not use this skill?

Skip this memory-forensics guide if:

you do not have a memory image and cannot capture one
your task is purely disk forensics or SIEM review
you need courtroom-grade procedure documentation more than analytic guidance
you expect automated parsing without tool setup or operator input

Does it fit only Windows analysis?

No. The skill covers Windows, Linux, macOS, and VM memory capture paths. Still, practical depth is usually highest where your tools and symbols are strongest, so tell the agent your target platform early.

How to Improve memory-forensics skill

Give the agent better forensic context

The fastest way to improve memory-forensics output is to provide stronger evidence up front. Include:

exact filename and format
capture source
OS family
suspected behavior
known IOCs
what you already tried

This helps the agent choose the right plugins, sequence, and pivots instead of generating a generic checklist.

Ask for prioritized, not exhaustive, analysis

A common failure mode is getting a huge list of possible checks with no triage order. Ask the memory-forensics skill to rank steps as:

immediate triage
high-value follow-up
optional deep analysis

That format is much more useful during incident response.

Force command output interpretation

Do not only ask for commands. Ask what suspicious output would look like. For example:

unusual parent-child process chains
hidden or terminated-but-resident processes
anomalous network listeners
evidence of LSASS access
unsigned or oddly placed modules

Interpretation guidance is where this skill adds more value than raw command lists.

Improve prompts with scope boundaries

Good prompts define constraints such as:

“Windows only”
“Volatility 3 only”
“No internet access for symbol downloads”
“Need findings in under 30 minutes”
“Focus on credential theft and C2”

These constraints make memory-forensics recommendations more realistic and easier to execute.

Iterate after the first output

After the first response, feed the agent real findings:

suspicious PIDs
module names
IP addresses
process command lines
extracted filenames
plugin errors

Then ask for the next pivots. The memory-forensics skill becomes much more useful once it can narrow from broad triage into evidence-driven follow-up.

Watch for common failure modes

Typical issues include:

wrong assumptions about OS profile or symbols
recommending acquisition steps after a dump already exists
over-prioritizing exhaustive enumeration over triage
giving plugins without explaining why they matter
ignoring file format or hypervisor context

You can reduce these by stating your current stage clearly: acquisition, setup, baseline triage, malware hunt, or extraction.

Use the skill as a workflow template

One of the best ways to improve this memory-forensics guide in practice is to reuse its structure across cases. Ask the agent to turn the skill into:

a triage checklist
a case-specific runbook
a reusable prompt template for your team
a command plan with placeholders for image path, host, and IOC set

That turns a one-time answer into a repeatable incident response asset.

Ratings & Reviews

No ratings yet

Share your review

0/10000

Latest reviews

Saving...

more skill

conducting-malware-incident-response

by mukul975

conducting-malware-incident-response helps IR teams triage suspected malware, confirm infections, scope spread, contain endpoints, and support eradication and recovery. It is designed for conducting-malware-incident-response for Incident Response workflows with evidence-backed steps, telemetry-driven decisions, and practical containment guidance.

Incident Response

Favorites 0GitHub 0

detecting-lateral-movement-with-zeek

by mukul975

detecting-lateral-movement-with-zeek is a Zeek-based cybersecurity skill for threat hunting and incident response. It helps detect SMB admin share access, DCE/RPC service creation, NTLM spray, Kerberos anomalies, and suspicious internal transfers using Zeek logs such as conn.log, smb_mapping.log, smb_files.log, dce_rpc.log, ntlm.log, and kerberos.log.

Threat Hunting

Favorites 0GitHub 6.2k

building-incident-response-playbook

by mukul975

building-incident-response-playbook helps security teams create reusable incident response playbooks with step-by-step phases, decision trees, escalation criteria, RACI ownership, and SOAR-ready structure. It is designed for incident response procedure documentation, incident triage workflows, and audit-friendly operational response plans.

Incident Triage

Favorites 0GitHub 6.1k

detecting-privilege-escalation-attempts

by mukul975

detecting-privilege-escalation-attempts helps hunt privilege escalation on Windows and Linux, including token manipulation, UAC bypass, unquoted service paths, kernel exploits, and sudo/doas abuse. Built for threat hunting teams that need a practical workflow, reference queries, and helper scripts.

Threat Hunting

Favorites 0GitHub 0

detecting-evasion-techniques-in-endpoint-logs

by mukul975

The detecting-evasion-techniques-in-endpoint-logs skill helps hunt defense evasion in Windows endpoint logs, including log clearing, timestomping, process injection, and security tool disabling. Use it for threat hunting, detection engineering, and incident triage with Sysmon, Windows Security, or EDR telemetry.

Threat Hunting

Favorites 0GitHub 0

analyzing-network-traffic-for-incidents

by mukul975

analyzing-network-traffic-for-incidents helps incident responders analyze PCAPs, flow logs, and packet captures to confirm C2, lateral movement, exfiltration, and exploitation attempts. Built for analyzing-network-traffic-for-incidents for Incident Response with Wireshark, Zeek, and NetFlow-style investigation.

Incident Response

Favorites 0GitHub 0

detecting-insider-threat-behaviors

by mukul975

detecting-insider-threat-behaviors helps analysts hunt insider-risk signals like unusual data access, off-hours activity, mass downloads, privilege abuse, and resignation-correlated theft. Use this detecting-insider-threat-behaviors guide for threat hunting, UEBA-style triage, and threat modeling with workflow templates, SIEM query examples, and risk weights.

Threat Modeling

Favorites 0GitHub 0

detecting-command-and-control-over-dns

by mukul975

detecting-command-and-control-over-dns is a cybersecurity skill for spotting C2 over DNS, including tunneling, beaconing, DGA domains, and TXT/CNAME abuse. It supports SOC analysts, threat hunters, and security audits with entropy checks, passive DNS correlation, and Zeek or Suricata-style detection workflows.

Security Audit

Favorites 0GitHub 0

deploying-osquery-for-endpoint-monitoring

by mukul975

deploying-osquery-for-endpoint-monitoring guide for deploying and configuring osquery for endpoint visibility, fleet-wide monitoring, and SQL-driven threat hunting. Use it to plan installation, read the workflow and API references, and operationalize scheduled queries, log collection, and centralized review across Windows, macOS, and Linux endpoints.

Monitoring

Favorites 0GitHub 0

correlating-security-events-in-qradar

by mukul975

correlating-security-events-in-qradar helps SOC and detection teams correlate IBM QRadar offenses with AQL, offense context, custom rules, and reference data. Use this guide to investigate incidents, reduce false positives, and build stronger correlation logic for Incident Response.

Incident Response

Favorites 0GitHub 0

analyzing-windows-event-logs-in-splunk

by mukul975

The analyzing-windows-event-logs-in-splunk skill helps SOC analysts investigate Windows Security, System, and Sysmon logs in Splunk for authentication attacks, privilege escalation, persistence, and lateral movement. Use it for incident triage, detection engineering, and timeline analysis with mapped SPL patterns and event ID guidance.

Incident Triage

Favorites 0GitHub 0

analyzing-windows-amcache-artifacts

by mukul975

The analyzing-windows-amcache-artifacts skill parses Windows Amcache.hve data to recover evidence of program execution, installed software, device activity, and driver loading for DFIR and security audit workflows. It uses AmcacheParser and regipy-based guidance to support artifact extraction, SHA-1 correlation, and timeline review.

Security Audit

Favorites 0GitHub 0

analyzing-powershell-empire-artifacts

by mukul975

analyzing-powershell-empire-artifacts skill helps Security Audit teams detect PowerShell Empire artifacts in Windows logs using Script Block Logging, Base64 launcher patterns, stager IOCs, module signatures, and detection references for triage and rule writing.

Security Audit

Favorites 0GitHub 0

analyzing-network-traffic-of-malware

by mukul975

analyzing-network-traffic-of-malware helps inspect PCAPs and telemetry from sandbox runs or incident response to find C2, exfiltration, payload downloads, DNS tunneling, and detection ideas. It is a practical analyzing-network-traffic-of-malware guide for Security Audit and malware triage.

Security Audit

Favorites 0GitHub 0

analyzing-linux-system-artifacts

by mukul975

analyzing-linux-system-artifacts helps investigate Linux hosts for compromise by reviewing auth logs, shell history, cron jobs, systemd services, SSH keys, and other persistence points. Use this analyzing-linux-system-artifacts guide for Security Audit, incident response, and forensic triage. It includes practical install and usage guidance.

Security Audit

Favorites 0GitHub 0

analyzing-indicators-of-compromise

by mukul975

Analyzing-indicators-of-compromise helps triage IOCs such as IPs, domains, URLs, file hashes, and email artifacts. It supports threat-intelligence workflows for enrichment, confidence scoring, and block/monitor/whitelist decisions using source-backed checks and clear analyst context.

Threat Intelligence

Favorites 0GitHub 0