# SKILL: Memory Forensics — Expert Analysis Playbook

> **AI LOAD INSTRUCTION**: Expert memory forensics techniques using Volatility 2 and 3. Covers memory acquisition, OS identification, process analysis (hidden process detection), network connections, DLL/module analysis, code injection detection (malfind), credential extraction, file carving, registry analysis, and timeline generation. Base models miss the Vol2/Vol3 command differences, malware indicator patterns, and Linux-specific memory analysis.

## 0. RELATED ROUTING

Before going deep, consider loading:

- [traffic-analysis-pcap](../traffic-analysis-pcap/SKILL.md) for correlating network artifacts with memory findings
- [steganography-techniques](../steganography-techniques/SKILL.md) if hidden data is suspected in extracted files
- [windows-privilege-escalation](../windows-privilege-escalation/SKILL.md) for understanding post-exploitation artifacts in memory

### Quick Reference

Also load [VOLATILITY_CHEATSHEET.md](./VOLATILITY_CHEATSHEET.md) when you need:

- Vol2 vs Vol3 command comparison table
- Common plugin sequences for specific investigation types

---

## 1. MEMORY ACQUISITION

### Linux

```bash
# LiME (Linux Memory Extractor) — kernel module
insmod lime.ko "path=/tmp/mem.lime format=lime"

# /proc/kcore (if available)
dd if=/proc/kcore of=/tmp/mem.raw bs=1M

# AVML (Microsoft's open-source)
./avml /tmp/mem.lime
```

### Windows

```bash
# WinPmem
winpmem_mini_x64.exe memdump.raw

# FTK Imager (GUI) — capture memory to file

# DumpIt (single-click memory dump)
DumpIt.exe

# Comae (MagnetRAM)
MagnetRAMCapture.exe /output memdump.raw
```

### Virtual Machines

```bash
# VMware: .vmem file in VM directory (suspend VM first)
# VirtualBox: VBoxManage debugvm "VM_NAME" dumpvmcore --filename mem.raw
# KVM/QEMU: virsh dump DOMAIN memdump --memory-only
# Hyper-V: checkpoint VM → inspect .bin files
```

---

## 2. VOLATILITY 2 vs 3

| Concept | Volatility 2 | Volatility 3 |
|---|---|---|
| Profile system | `--profile=Win10x64_19041` | Auto-detected (symbol tables) |
| Image info | `imageinfo` | `windows.info` / `linux.info` |
| Process list | `pslist` | `windows.pslist` |
| Network | `netscan` / `connections` | `windows.netscan` / `windows.netstat` |
| DLLs | `dlllist` | `windows.dlllist` |
| Injection | `malfind` | `windows.malfind` |
| Hashes | `hashdump` | `windows.hashdump` |
| Files | `filescan` | `windows.filescan` |
| Registry | `hivelist` / `printkey` | `windows.registry.hivelist` / `windows.registry.printkey` |
| Install | `pip2 install volatility` | `pip3 install volatility3` |

---

## 3. ANALYSIS METHODOLOGY

### Step 1: Identify OS

```bash
# Vol2
vol.py -f mem.raw imageinfo
vol.py -f mem.raw kdbgscan

# Vol3
vol -f mem.raw windows.info
vol -f mem.raw banners.Banners
```

### Step 2: Process Listing — Hidden Process Detection

```bash
# Vol2
vol.py -f mem.raw --profile=PROFILE pslist   # EPROCESS linked list
vol.py -f mem.raw --profile=PROFILE psscan   # pool tag scan (finds unlinked)
vol.py -f mem.raw --profile=PROFILE pstree   # parent-child hierarchy

# Vol3
vol -f mem.raw windows.pslist
vol -f mem.raw windows.psscan
vol -f mem.raw windows.pstree
```

**Red flags**: Process in `psscan` but not `pslist` = DKOM (Direct Kernel Object Manipulation) hiding.

### Step 3: Network Connections

```bash
# Vol2
vol.py -f mem.raw --profile=PROFILE netscan       # TCP/UDP endpoints
vol.py -f mem.raw --profile=PROFILE connections   # XP/2003 only
vol.py -f mem.raw --profile=PROFILE connscan      # closed connections

# Vol3
vol -f mem.raw windows.netscan
vol -f mem.raw windows.netstat
```

### Step 4: DLL / Module Analysis

```bash
# Vol2
vol.py -f mem.raw --profile=PROFILE dlllist -p PID
vol.py -f mem.raw --profile=PROFILE ldrmodules -p PID   # find unlinked DLLs

# Vol3
vol -f mem.raw windows.dlllist --pid PID
```

**Red flags**: Module mapped in the process but `False` in all three `ldrmodules` columns (so absent from the PEB lists that `dlllist` walks) = reflective DLL injection.

### Step 5: Code Injection Detection (Malfind)

```bash
# Vol2
vol.py -f mem.raw --profile=PROFILE malfind -p PID
vol.py -f mem.raw --profile=PROFILE malfind -D /tmp/dump/   # dump injected sections

# Vol3
vol -f mem.raw windows.malfind --pid PID
```

**What malfind detects**: Memory regions with `PAGE_EXECUTE_READWRITE` that don't map to a file on disk — classic shellcode/injection indicator.

### Step 6: Credential Extraction

```bash
# Vol2
vol.py -f mem.raw --profile=PROFILE hashdump    # SAM hashes
vol.py -f mem.raw --profile=PROFILE lsadump     # LSA secrets
vol.py -f mem.raw --profile=PROFILE cachedump   # domain cached creds
vol.py -f mem.raw --profile=PROFILE mimikatz    # (plugin) plaintext creds

# Vol3
vol -f mem.raw windows.hashdump
vol -f mem.raw windows.lsadump
vol -f mem.raw windows.cachedump
```

### Step 7: File Extraction

```bash
# Vol2
vol.py -f mem.raw --profile=PROFILE filescan | grep -i "password\|secret\|flag"
vol.py -f mem.raw --profile=PROFILE dumpfiles -Q OFFSET -D /tmp/dump/

# Vol3
vol -f mem.raw windows.filescan
vol -f mem.raw windows.dumpfiles --virtaddr OFFSET
```

### Step 8: Registry Analysis

```bash
# Vol2
vol.py -f mem.raw --profile=PROFILE hivelist
vol.py -f mem.raw --profile=PROFILE printkey -K "Software\Microsoft\Windows\CurrentVersion\Run"
vol.py -f mem.raw --profile=PROFILE userassist   # program execution evidence

# Vol3
vol -f mem.raw windows.registry.hivelist
vol -f mem.raw windows.registry.printkey --key "Software\Microsoft\Windows\CurrentVersion\Run"
```

### Step 9: Command History

```bash
# Vol2
vol.py -f mem.raw --profile=PROFILE cmdscan    # cmd.exe history
vol.py -f mem.raw --profile=PROFILE consoles   # full console output

# Vol3
vol -f mem.raw windows.cmdline   # command line of each process
```

### Step 10: Timeline Generation

```bash
# Vol2
vol.py -f mem.raw --profile=PROFILE timeliner --output=body --output-file=timeline.body
mactime -b timeline.body -d > timeline.csv

# Vol3
vol -f mem.raw timeliner.Timeliner
```

---

## 4. LINUX MEMORY ANALYSIS

```bash
# Vol2 (requires Linux profile)
vol.py -f mem.lime --profile=LinuxProfile linux_pslist
vol.py -f mem.lime --profile=LinuxProfile linux_pstree
vol.py -f mem.lime --profile=LinuxProfile linux_netstat
vol.py -f mem.lime --profile=LinuxProfile linux_bash   # bash history
vol.py -f mem.lime --profile=LinuxProfile linux_enumerate_files
vol.py -f mem.lime --profile=LinuxProfile linux_proc_maps -p PID
vol.py -f mem.lime --profile=LinuxProfile linux_malfind

# Vol3
vol -f mem.lime linux.pslist
vol -f mem.lime linux.pstree
vol -f mem.lime linux.bash
vol -f mem.lime linux.check_afinfo    # rootkit detection
vol -f mem.lime linux.check_syscall   # syscall hooking
vol -f mem.lime linux.tty_check       # TTY hooking
```

### Building Linux Profiles (Vol2)

```bash
cd volatility/tools/linux
make
# Creates module.dwarf + System.map → zip as profile
zip LinuxProfile.zip module.dwarf /boot/System.map-$(uname -r)
# Place in volatility/plugins/overlays/linux/
```

---

## 5. MALWARE INDICATORS IN MEMORY

| Indicator | Detection Method | What It Means |
|---|---|---|
| Process in psscan but not pslist | Compare pslist vs psscan | DKOM — process hiding |
| Unexpected parent-child | pstree analysis | e.g., svchost spawned by cmd.exe |
| MZ header in non-image memory | malfind | Reflective DLL / PE injection |
| RWX memory without backing file | malfind | Shellcode injection |
| DLL unlinked from all PEB lists | ldrmodules (all False) | Stealth DLL loading |
| svchost.exe not child of services.exe | pstree | Fake svchost (malware) |
| Unusual network connections | netscan + PID correlation | C2 communication |
| Hooking in SSDT/IDT | ssdt / idt plugins | Rootkit |
| Modified kernel objects | linux_check_syscall | Linux rootkit |

### Normal Parent-Child Relationships (Windows)

```
System (4)
└── smss.exe
    ├── csrss.exe
    ├── wininit.exe
    │   ├── services.exe
    │   │   ├── svchost.exe (multiple)
    │   │   └── spoolsv.exe
    │   └── lsass.exe
    └── winlogon.exe
        └── explorer.exe
            └── user applications
```

---

## 6. DECISION TREE

```
Memory dump acquired — need to analyze
│
├── What OS?
│   ├── Windows → vol imageinfo / windows.info (§3 Step 1)
│   └── Linux → build profile or use Vol3 auto-detect (§4)
│
├── Malware investigation?
│   ├── Check processes: pslist vs psscan (hidden?) (§3 Step 2)
│   ├── Check parent-child: pstree (suspicious spawning?) (§5)
│   ├── Check injections: malfind (RWX memory?) (§3 Step 5)
│   ├── Check DLLs: ldrmodules (unlinked?) (§3 Step 4)
│   ├── Check network: netscan (C2 connections?) (§3 Step 3)
│   └── Extract suspicious files: dumpfiles (§3 Step 7)
│
├── Credential recovery?
│   ├── SAM hashes → hashdump (§3 Step 6)
│   ├── LSA secrets → lsadump (§3 Step 6)
│   ├── Cached domain creds → cachedump (§3 Step 6)
│   └── Plaintext passwords → mimikatz plugin (§3 Step 6)
│
├── Incident timeline?
│   ├── timeliner for comprehensive timeline (§3 Step 10)
│   ├── cmdscan / consoles for command history (§3 Step 9)
│   ├── userassist for program execution (§3 Step 8)
│   └── Cross-reference with PCAP timeline (→ traffic-analysis-pcap)
│
├── CTF / flag hunting?
│   ├── filescan + grep for flag patterns (§3 Step 7)
│   ├── cmdscan for typed flags/passwords (§3 Step 9)
│   ├── Clipboard: clipboard plugin
│   ├── Screenshots: screenshot plugin
│   └── Environment vars: envars plugin
│
└── Linux-specific?
    ├── linux_bash for shell history (§4)
    ├── linux_check_syscall for rootkit (§4)
    └── linux_netstat for connections (§4)
```

---

### Attached: VOLATILITY_CHEATSHEET.md (fragment)

Only the following tail of the attached cheat sheet survives on this page:

```bash
# Find web-related files
vol -f mem.raw windows.filescan | grep -iE '\.(php|asp|jsp|html)'

# Find executables in unusual locations
vol -f mem.raw windows.filescan | grep -iE '\\(temp|tmp|appdata|downloads)\\.*\.exe'

# Network connections to external IPs
vol -f mem.raw windows.netscan | grep -v "127.0.0.1\|0.0.0.0\|::1\|::"
```

Source: yaklang/hack-skills, `skills/memory-forensics-volatility/SKILL.md` (https://github.com/yaklang/hack-skills/blob/HEAD/skills/memory-forensics-volatility/SKILL.md), imported by @skillopedia, 2026-06-05.
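The two process checks this playbook leans on (§3 Step 2: a process present in `psscan` but absent from `pslist`; §5: a core Windows process with the wrong parent, such as `svchost.exe` spawned by `cmd.exe`) as a small triage script. This is an added example, not code from the original playbook or from the Volatility project. It assumes the plugin output was saved with Volatility 3's CSV renderer (`vol -r csv -f mem.raw windows.pslist > pslist.csv`, likewise for `windows.psscan`) and only reads the `PID`, `PPID`, `ImageFileName` and `ExitTime` columns; the sample rows embedded below are constructed, not taken from a real dump. Because `psscan` also carves terminated `EPROCESS` blocks, the script separates exited processes from live unlinked ones so that a closed `notepad.exe` is not reported as DKOM.

```python
"""Triage: psscan-vs-pslist (DKOM candidates) and parent-child sanity checks."""
import csv
import io
import sys
from typing import Dict, List, Tuple

# Expected parent for core Windows processes, per the "Normal Parent-Child
# Relationships" tree in this playbook. Names compared case-insensitively.
EXPECTED_PARENT = {
    "smss.exe": "System",
    "csrss.exe": "smss.exe",
    "wininit.exe": "smss.exe",
    "winlogon.exe": "smss.exe",
    "services.exe": "wininit.exe",
    "lsass.exe": "wininit.exe",
    "svchost.exe": "services.exe",
    "spoolsv.exe": "services.exe",
}

# Constructed sample rows (not real dump output): a column subset of the
# Volatility 3 CSV renderer output for windows.pslist. PID 2200 is a
# svchost.exe whose parent is cmd.exe, the §5 "fake svchost" indicator.
PSLIST_CSV = """PID,PPID,ImageFileName,CreateTime,ExitTime
4,0,System,2024-01-01 08:00:00,
368,4,smss.exe,2024-01-01 08:00:01,
456,368,csrss.exe,2024-01-01 08:00:02,
520,368,wininit.exe,2024-01-01 08:00:02,
544,368,winlogon.exe,2024-01-01 08:00:02,
612,520,services.exe,2024-01-01 08:00:03,
628,520,lsass.exe,2024-01-01 08:00:03,
720,612,svchost.exe,2024-01-01 08:00:04,
1340,612,spoolsv.exe,2024-01-01 08:00:05,
2980,544,explorer.exe,2024-01-01 08:01:00,
3100,2980,cmd.exe,2024-01-01 08:05:00,
2200,3100,svchost.exe,2024-01-01 08:05:30,
"""

# Constructed psscan output: everything pslist saw, plus one live process
# that is unlinked from the EPROCESS list (4444) and one that merely
# exited (5000, ExitTime set) and was carved from freed pool memory.
PSSCAN_CSV = PSLIST_CSV + """4444,3100,updater.exe,2024-01-01 08:06:00,
5000,2980,notepad.exe,2024-01-01 08:02:00,2024-01-01 08:03:00
"""


def parse_processes(csv_text: str) -> Dict[int, dict]:
    """Map PID -> {ppid, name, exited} from a pslist/psscan CSV export."""
    procs: Dict[int, dict] = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        exit_time = (row.get("ExitTime") or "").strip()
        procs[int(row["PID"])] = {
            "ppid": int(row["PPID"]),
            "name": row["ImageFileName"].strip(),
            # Vol3 prints an empty field or N/A when the process is still running.
            "exited": exit_time not in ("", "N/A"),
        }
    return procs


def find_hidden(pslist: Dict[int, dict], psscan: Dict[int, dict]) -> Tuple[List[int], List[int]]:
    """Split psscan-only PIDs into (live DKOM candidates, terminated processes)."""
    candidates: List[int] = []
    terminated: List[int] = []
    for pid in sorted(set(psscan) - set(pslist)):
        (terminated if psscan[pid]["exited"] else candidates).append(pid)
    return candidates, terminated


def check_parents(procs: Dict[int, dict]) -> List[str]:
    """Report core processes whose parent is not the expected one."""
    findings: List[str] = []
    for pid, info in sorted(procs.items()):
        expected = EXPECTED_PARENT.get(info["name"].lower())
        if expected is None:
            continue
        parent = procs.get(info["ppid"])
        if parent is None:
            # Common for csrss/wininit: their smss.exe instance exits after boot.
            findings.append(f"{info['name']} ({pid}): parent PID {info['ppid']} not in list (parent may have exited)")
        elif parent["name"].lower() != expected.lower():
            findings.append(f"{info['name']} ({pid}): parent is {parent['name']} ({info['ppid']}), expected {expected}")
    return findings


def triage(pslist_csv: str, psscan_csv: str) -> dict:
    """Run both checks; parent check uses psscan since it is the superset."""
    pslist = parse_processes(pslist_csv)
    psscan = parse_processes(psscan_csv)
    hidden, terminated = find_hidden(pslist, psscan)
    return {"hidden": hidden, "terminated": terminated, "parent_anomalies": check_parents(psscan)}


if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: triage.py pslist.csv psscan.csv
        with open(sys.argv[1]) as a, open(sys.argv[2]) as b:
            result = triage(a.read(), b.read())
    else:
        result = triage(PSLIST_CSV, PSSCAN_CSV)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run it against the constructed data and it flags PID 4444 as a DKOM candidate, lists 5000 as merely terminated, and reports `svchost.exe (2200)` as having `cmd.exe` for a parent. A "parent not in list" finding is not by itself suspicious; compare it against `pstree` and the process create times before escalating.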