Memory Forensics

What it does

Comprehensive, practical guidance for memory forensics: acquisition methods (live, VM, macOS/Linux/Windows), analysis workflows using Volatility 3, and detection patterns (injection, rootkits, credential extraction). Includes concrete command examples, tools, and YARA integration so an analyst can perform acquisition, triage, and deeper analysis.

When to use it

Use this skill during incident response, malware analysis, or any investigation that requires volatile memory examination. It's intended for sessions that require step-by-step acquisition advice, Volatility plugin usage, network and process artifact extraction, or YARA scanning of memory images.

What's included

• Scripts: None bundled (has_scripts=false) but contains many copyable CLI examples for WinPmem, LiME, osxpmem, VM dump commands, and Volatility 3 usage.
• References: No separate references directory (has_references=false) but points to symbol downloads and Volatility docs.
• Instructions: Structured instructions and workflows for acquisition (live/VM), common Volatility plugins for process/network/module analysis, malware triage workflow, incident-response checklist, YARA rule examples, and best practices (chain of custody, integrity verification).

Compatible agents

Compatible with agents that can run shell/CLI guidance and provide procedural assistance (examples: Copilot/Code assistants, CLI-capable agents). The material is tool-agnostic and suited to analysts using Volatility 3 and standard forensic utilities.