AgentSkillsCN

memory-forensics

Master memory forensics techniques, including memory acquisition, process analysis, and evidence extraction using Volatility and related tools. Applicable to memory dump analysis, incident investigation, and malware analysis based on RAM captures.

SKILL.md
--- frontmatter
version: 4.1.0-fractal
name: memory-forensics
description: Master memory forensics techniques including memory acquisition, process analysis, and artifact extraction using Volatility and related tools. Use when analyzing memory dumps, investigating incidents, or performing malware analysis from RAM captures.

Memory Forensics

Comprehensive techniques for acquiring, analyzing, and extracting artifacts from memory dumps for incident response and malware analysis.

Use this skill when

  • Working on memory forensics tasks or workflows
  • Needing guidance, best practices, or checklists for memory forensics

Do not use this skill when

  • The task is unrelated to memory forensics
  • You need a different domain or tool outside this scope

Instructions

  • Clarify goals, constraints, and required inputs.
  • Apply relevant best practices and validate outcomes.
  • Provide actionable steps and verification.
  • If detailed examples are required, open resources/implementation-playbook.md.

Memory Acquisition

🧠 Knowledge Modules (Fractal Skills)

1. Live Acquisition Tools

2. Virtual Machine Memory

3. Installation and Setup

4. Essential Plugins

5. Linux Analysis

6. macOS Analysis

7. Malware Analysis Workflow

8. Incident Response Workflow

9. Windows Process Structures

10. VAD (Virtual Address Descriptor)

11. Process Injection Indicators

12. Rootkit Detection

13. Credential Extraction

14. Writing Memory YARA Rules

15. Scanning Memory

16. Extracting Strings

17. FLOSS for Obfuscated Strings

18. Acquisition Best Practices

19. Analysis Best Practices

20. Common Pitfalls