S³ Memory Forensics

v1.0.0

Master memory forensics techniques including memory acquisition, process analysis, and artifact extraction using Volatility and related tools. Use when analy...

⭐ 0· 161·0 current·0 all-time

bySolomon Neas@solomonneas

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for solomonneas/s3-memory-forensics.

Previewing Install & Setup.

Prompt PreviewInstall & Setup

Install the skill "S³ Memory Forensics" (solomonneas/s3-memory-forensics) from ClawHub.
Skill page: https://clawhub.ai/solomonneas/s3-memory-forensics
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install s3-memory-forensics

ClawHub CLI

Package manager switcher

npx clawhub@latest install s3-memory-forensics

Security Scan

VirusTotal

Benign

View report →

OpenClaw

Benign

high confidence

✓

Purpose & Capability

The name/description (memory forensics with Volatility and related tools) matches the SKILL.md content: acquisition commands (WinPmem, LiME, osxpmem, VM exporters), Volatility usage, and workflows. Tools and commands referenced are appropriate for the stated domain.

ℹ

Instruction Scope

Instructions tell the operator to run privileged acquisition commands (sudo dd, insmod LiME, WinPmem/DumpIt) and analysis (volatility, strings, yara). This is expected for memory forensics, but the SKILL.md also tells the agent to 'open resources/implementation-playbook.md' which is not present in the package — the agent could attempt to read local files in its environment if followed. Verify the resource reference and be cautious about executing privileged commands.

✓

Install Mechanism

No install spec (instruction-only). The doc recommends installing volatility3 via pip and downloading symbol tables from the Volatility Foundation site — these are standard steps. There are no downloads from unknown personal servers or extract/install steps in the skill bundle itself.

✓

Credentials

The skill declares no required environment variables, credentials, or config paths. Commands reference system devices (/dev/mem, /proc/kcore) and VM files (vm.vmem) which are appropriate for memory acquisition but are sensitive — this is proportional to the forensic purpose.

ℹ

Persistence & Privilege

The skill is not forced-always and is user-invocable. Model invocation is allowed (default), which is normal. Because the instructions include privileged system actions, consider restricting autonomous invocation in environments where the agent could execute commands or access the host filesystem.

Assessment

This is a coherent memory-forensics playbook; nothing in the skill requests unrelated credentials or installs arbitrary remote code. Before using it, (1) only run the acquisition and kernel-level commands on systems you own or have explicit authorization to examine — they require root/administrator privileges and can disrupt systems; (2) verify downloads (e.g., Volatility symbol tables) come from the official Volatility Foundation site; (3) note the SKILL.md references resources/implementation-playbook.md which is not included — check for missing documentation before relying on the skill; and (4) if you allow the agent to invoke skills autonomously, consider disabling autonomous execution for this skill in sensitive environments because following these instructions could access or expose host memory and secrets.

Like a lobster shell, security has layers — review code before you run it.

forensicsvk970t3wqd1dsxe9xe0vmadp61s836tvcincident-responsevk970t3wqd1dsxe9xe0vmadp61s836tvclatestvk970t3wqd1dsxe9xe0vmadp61s836tvcmemory-analysisvk970t3wqd1dsxe9xe0vmadp61s836tvcvolatilityvk970t3wqd1dsxe9xe0vmadp61s836tvc

161downloads

0stars

1versions

Updated 1mo ago

v1.0.0

MIT-0

Memory Forensics

Comprehensive techniques for acquiring, analyzing, and extracting artifacts from memory dumps for incident response and malware analysis.

Use this skill when

Working on memory forensics tasks or workflows
Needing guidance, best practices, or checklists for memory forensics

Do not use this skill when

The task is unrelated to memory forensics
You need a different domain or tool outside this scope

Instructions

Clarify goals, constraints, and required inputs.
Apply relevant best practices and validate outcomes.
Provide actionable steps and verification.
If detailed examples are required, open resources/implementation-playbook.md.

Memory Acquisition

Live Acquisition Tools

Windows

# WinPmem (Recommended)
winpmem_mini_x64.exe memory.raw

# DumpIt
DumpIt.exe

# Belkasoft RAM Capturer
# GUI-based, outputs raw format

# Magnet RAM Capture
# GUI-based, outputs raw format

Linux

# LiME (Linux Memory Extractor)
sudo insmod lime.ko "path=/tmp/memory.lime format=lime"

# /dev/mem (limited, requires permissions)
sudo dd if=/dev/mem of=memory.raw bs=1M

# /proc/kcore (ELF format)
sudo cp /proc/kcore memory.elf

macOS

# osxpmem
sudo ./osxpmem -o memory.raw

# MacQuisition (commercial)

Virtual Machine Memory

# VMware: .vmem file is raw memory
cp vm.vmem memory.raw

# VirtualBox: Use debug console
vboxmanage debugvm "VMName" dumpvmcore --filename memory.elf

# QEMU
virsh dump <domain> memory.raw --memory-only

# Hyper-V
# Checkpoint contains memory state

Volatility 3 Framework

Installation and Setup

# Install Volatility 3
pip install volatility3

# Install symbol tables (Windows)
# Download from https://downloads.volatilityfoundation.org/volatility3/symbols/

# Basic usage
vol -f memory.raw <plugin>

# With symbol path
vol -f memory.raw -s /path/to/symbols windows.pslist

Essential Plugins

Process Analysis

# List processes
vol -f memory.raw windows.pslist

# Process tree (parent-child relationships)
vol -f memory.raw windows.pstree

# Hidden process detection
vol -f memory.raw windows.psscan

# Process memory dumps
vol -f memory.raw windows.memmap --pid <PID> --dump

# Process environment variables
vol -f memory.raw windows.envars --pid <PID>

# Command line arguments
vol -f memory.raw windows.cmdline

Network Analysis

# Network connections
vol -f memory.raw windows.netscan

# Network connection state
vol -f memory.raw windows.netstat

DLL and Module Analysis

# Loaded DLLs per process
vol -f memory.raw windows.dlllist --pid <PID>

# Find hidden/injected DLLs
vol -f memory.raw windows.ldrmodules

# Kernel modules
vol -f memory.raw windows.modules

# Module dumps
vol -f memory.raw windows.moddump --pid <PID>

Memory Injection Detection

# Detect code injection
vol -f memory.raw windows.malfind

# VAD (Virtual Address Descriptor) analysis
vol -f memory.raw windows.vadinfo --pid <PID>

# Dump suspicious memory regions
vol -f memory.raw windows.vadyarascan --yara-rules rules.yar

Registry Analysis

# List registry hives
vol -f memory.raw windows.registry.hivelist

# Print registry key
vol -f memory.raw windows.registry.printkey --key "Software\Microsoft\Windows\CurrentVersion\Run"

# Dump registry hive
vol -f memory.raw windows.registry.hivescan --dump

File System Artifacts

# Scan for file objects
vol -f memory.raw windows.filescan

# Dump files from memory
vol -f memory.raw windows.dumpfiles --pid <PID>

# MFT analysis
vol -f memory.raw windows.mftscan

Linux Analysis

# Process listing
vol -f memory.raw linux.pslist

# Process tree
vol -f memory.raw linux.pstree

# Bash history
vol -f memory.raw linux.bash

# Network connections
vol -f memory.raw linux.sockstat

# Loaded kernel modules
vol -f memory.raw linux.lsmod

# Mount points
vol -f memory.raw linux.mount

# Environment variables
vol -f memory.raw linux.envars

macOS Analysis

# Process listing
vol -f memory.raw mac.pslist

# Process tree
vol -f memory.raw mac.pstree

# Network connections
vol -f memory.raw mac.netstat

# Kernel extensions
vol -f memory.raw mac.lsmod

Analysis Workflows

Malware Analysis Workflow

# 1. Initial process survey
vol -f memory.raw windows.pstree > processes.txt
vol -f memory.raw windows.pslist > pslist.txt

# 2. Network connections
vol -f memory.raw windows.netscan > network.txt

# 3. Detect injection
vol -f memory.raw windows.malfind > malfind.txt

# 4. Analyze suspicious processes
vol -f memory.raw windows.dlllist --pid <PID>
vol -f memory.raw windows.handles --pid <PID>

# 5. Dump suspicious executables
vol -f memory.raw windows.pslist --pid <PID> --dump

# 6. Extract strings from dumps
strings -a pid.<PID>.exe > strings.txt

# 7. YARA scanning
vol -f memory.raw windows.yarascan --yara-rules malware.yar

Incident Response Workflow

# 1. Timeline of events
vol -f memory.raw windows.timeliner > timeline.csv

# 2. User activity
vol -f memory.raw windows.cmdline
vol -f memory.raw windows.consoles

# 3. Persistence mechanisms
vol -f memory.raw windows.registry.printkey \
    --key "Software\Microsoft\Windows\CurrentVersion\Run"

# 4. Services
vol -f memory.raw windows.svcscan

# 5. Scheduled tasks
vol -f memory.raw windows.scheduled_tasks

# 6. Recent files
vol -f memory.raw windows.filescan | grep -i "recent"

Data Structures

Windows Process Structures

// EPROCESS (Executive Process)
typedef struct _EPROCESS {
    KPROCESS Pcb;                    // Kernel process block
    EX_PUSH_LOCK ProcessLock;
    LARGE_INTEGER CreateTime;
    LARGE_INTEGER ExitTime;
    // ...
    LIST_ENTRY ActiveProcessLinks;   // Doubly-linked list
    ULONG_PTR UniqueProcessId;       // PID
    // ...
    PEB* Peb;                        // Process Environment Block
    // ...
} EPROCESS;

// PEB (Process Environment Block)
typedef struct _PEB {
    BOOLEAN InheritedAddressSpace;
    BOOLEAN ReadImageFileExecOptions;
    BOOLEAN BeingDebugged;           // Anti-debug check
    // ...
    PVOID ImageBaseAddress;          // Base address of executable
    PPEB_LDR_DATA Ldr;              // Loader data (DLL list)
    PRTL_USER_PROCESS_PARAMETERS ProcessParameters;
    // ...
} PEB;

VAD (Virtual Address Descriptor)

typedef struct _MMVAD {
    MMVAD_SHORT Core;
    union {
        ULONG LongFlags;
        MMVAD_FLAGS VadFlags;
    } u;
    // ...
    PVOID FirstPrototypePte;
    PVOID LastContiguousPte;
    // ...
    PFILE_OBJECT FileObject;
} MMVAD;

// Memory protection flags
#define PAGE_EXECUTE           0x10
#define PAGE_EXECUTE_READ      0x20
#define PAGE_EXECUTE_READWRITE 0x40
#define PAGE_EXECUTE_WRITECOPY 0x80

Detection Patterns

Process Injection Indicators

# Malfind indicators
# - PAGE_EXECUTE_READWRITE protection (suspicious)
# - MZ header in non-image VAD region
# - Shellcode patterns at allocation start

# Common injection techniques
# 1. Classic DLL Injection
#    - VirtualAllocEx + WriteProcessMemory + CreateRemoteThread

# 2. Process Hollowing
#    - CreateProcess (SUSPENDED) + NtUnmapViewOfSection + WriteProcessMemory

# 3. APC Injection
#    - QueueUserAPC targeting alertable threads

# 4. Thread Execution Hijacking
#    - SuspendThread + SetThreadContext + ResumeThread

Rootkit Detection

# Compare process lists
vol -f memory.raw windows.pslist > pslist.txt
vol -f memory.raw windows.psscan > psscan.txt
diff pslist.txt psscan.txt  # Hidden processes

# Check for DKOM (Direct Kernel Object Manipulation)
vol -f memory.raw windows.callbacks

# Detect hooked functions
vol -f memory.raw windows.ssdt  # System Service Descriptor Table

# Driver analysis
vol -f memory.raw windows.driverscan
vol -f memory.raw windows.driverirp

Credential Extraction

# Dump hashes (requires hivelist first)
vol -f memory.raw windows.hashdump

# LSA secrets
vol -f memory.raw windows.lsadump

# Cached domain credentials
vol -f memory.raw windows.cachedump

# Mimikatz-style extraction
# Requires specific plugins/tools

YARA Integration

Writing Memory YARA Rules

rule Suspicious_Injection
{
    meta:
        description = "Detects common injection shellcode"

    strings:
        // Common shellcode patterns
        $mz = { 4D 5A }
        $shellcode1 = { 55 8B EC 83 EC }  // Function prologue
        $api_hash = { 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 }  // Push hash, call

    condition:
        $mz at 0 or any of ($shellcode*)
}

rule Cobalt_Strike_Beacon
{
    meta:
        description = "Detects Cobalt Strike beacon in memory"

    strings:
        $config = { 00 01 00 01 00 02 }
        $sleep = "sleeptime"
        $beacon = "%s (admin)" wide

    condition:
        2 of them
}

Scanning Memory

# Scan all process memory
vol -f memory.raw windows.yarascan --yara-rules rules.yar

# Scan specific process
vol -f memory.raw windows.yarascan --yara-rules rules.yar --pid 1234

# Scan kernel memory
vol -f memory.raw windows.yarascan --yara-rules rules.yar --kernel

String Analysis

Extracting Strings

# Basic string extraction
strings -a memory.raw > all_strings.txt

# Unicode strings
strings -el memory.raw >> all_strings.txt

# Targeted extraction from process dump
vol -f memory.raw windows.memmap --pid 1234 --dump
strings -a pid.1234.dmp > process_strings.txt

# Pattern matching
grep -E "(https?://|[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})" all_strings.txt

FLOSS for Obfuscated Strings

# FLOSS extracts obfuscated strings
floss malware.exe > floss_output.txt

# From memory dump
floss pid.1234.dmp

Best Practices

Acquisition Best Practices

Minimize footprint: Use lightweight acquisition tools
Document everything: Record time, tool, and hash of capture
Verify integrity: Hash memory dump immediately after capture
Chain of custody: Maintain proper forensic handling

Analysis Best Practices

Start broad: Get overview before deep diving
Cross-reference: Use multiple plugins for same data
Timeline correlation: Correlate memory findings with disk/network
Document findings: Keep detailed notes and screenshots
Validate results: Verify findings through multiple methods

Common Pitfalls

Stale data: Memory is volatile, analyze promptly
Incomplete dumps: Verify dump size matches expected RAM
Symbol issues: Ensure correct symbol files for OS version
Smear: Memory may change during acquisition
Encryption: Some data may be encrypted in memory

Comments

Loading comments...