awesome-memory-forensics
github.com/digitalisx/awesome-memory-forensics
A curated list of awesome Memory Forensics for DFIR
What's inside
Challenges
Course
Videos
- Amazon AWS EC2 Forensic Memory Acquisition - LiME (DFIR Science)
- Detecting Persistence in Memory (13 Cubed)
- Dumping Processes with Volatility 3 (13 Cubed)
- Extracting Prefetch from Memory (13 Cubed)
- Fast password cracking - Hashcat wordlists from RAM (DFIR Science)
- First Look at Volatility 3 Public Beta (13 Cubed)
Articles
- A New Tool to Detect Known Malware from Memory Images – impfuzzy for Volatility – (JPCERT)
- A Volatility Plugin Created for Detecting Malware Used in Targeted Attacks (JPCERT)
- How to Use Volatility 3 Offline (JPCERT)
- MalConfScan with Cuckoo: Plugin to Automatically Extract Malware Configuration (JPCERT)
- Memory analysis using volatility3 (1) - Windows 11 (Blogs)
- Memory analysis using volatility3 (2) - Ubuntu Linux (Blogs)
Tool
- AVML (Memory Acquisition)
AVML is an x86_64 userland volatile memory acquisition tool written in Rust, intended to be deployed as a static binary.
- Digital Collector (Memory Acquisition)
A powerful forensic imaging software solution to perform triage, live data acquisition and targeted data collection for Windows and Mac computers.
- dwarf2json (Memory Analysis)
Go utility that processes files containing symbol and type information to generate Volatility 3 Intermediate Symbol File (ISF) JSON output suitable for Linux and macOS analysis.
- EVTXtract (Memory Acquisition)
EVTXtract recovers and reconstructs fragments of EVTX log files from raw binary data, including unallocated space and memory images.
- FEX Memory Imager (Memory Acquisition)
FEX Memory Imager (FEX Memory) is a free imaging tool designed to capture the physical Random Access Memory (RAM) of a suspect's running computer. This allows investigators to recover and analyze valuable artifacts found only in memory.
- fmem (Memory Acquisition)
This kernel module creates a /dev/fmem device that can be used to dump physical memory without the limits of /dev/mem (1 MB or 1 GB, depending on distribution).
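The carving idea behind EVTXtract above, as an added example that is not EVTXtract's own code: EVTX chunks announce themselves with a fixed `ElfChnk\0` signature and a 128-byte header, and each record inside a chunk starts with `**\0\0`, a size field, a record id and a FILETIME, and ends with a copy of the size. Scanning raw bytes for the chunk signature and then walking records until a size or trailing copy disagrees is enough to pull intact records out of a memory image even when the file's own header is gone. The buffer it runs on is constructed inline (two records in a full chunk, plus a chunk whose first record runs past the end of the data, to show the truncation check); the binxml payloads are placeholder bytes, not real Binary XML.

```python
"""Carve EVTX chunks and event records out of a raw byte buffer.

Added example (not EVTXtract's own code): a minimal signature-based carver for
the EVTX chunk/record layout, run against a constructed buffer.
"""
import re
import struct
import zlib
from datetime import datetime, timedelta, timezone

CHUNK_MAGIC = b"ElfChnk\x00"          # chunk header signature
RECORD_MAGIC = b"\x2a\x2a\x00\x00"     # event record signature ("**\0\0")
CHUNK_SIZE = 0x10000                   # chunks are 64 KiB
CHUNK_HEADER_SIZE = 0x80
RECORD_HEADER_SIZE = 24                # magic(4) size(4) record id(8) FILETIME(8)
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to a datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def find_chunks(data):
    """Offsets of every chunk signature, wherever it sits in the buffer."""
    return [m.start() for m in re.finditer(re.escape(CHUNK_MAGIC), data)]


def parse_chunk_header(data, off):
    """Decode the fixed chunk header fields; None if the header is cut off."""
    if off + CHUNK_HEADER_SIZE > len(data):
        return None
    (_, _first_num, _last_num, first_id, last_id, hdr_size, _last_rec_off,
     free_off, _rec_crc) = struct.unpack_from("<8sQQQQIIII", data, off)
    stored_crc = struct.unpack_from("<I", data, off + 124)[0]
    return {
        "first_record_id": first_id,
        "last_record_id": last_id,
        "header_size": hdr_size,
        "free_space_offset": free_off,
        # header checksum is CRC32 over the first 120 bytes of the header
        "header_crc_ok": zlib.crc32(data[off:off + 120]) == stored_crc,
    }


def carve_records(data, chunk_off):
    """Walk records from the end of the chunk header.

    Stops at the first record whose magic, size or trailing size copy is
    inconsistent, so a corrupted or truncated chunk yields no garbage records.
    """
    records = []
    pos = chunk_off + CHUNK_HEADER_SIZE
    end = min(chunk_off + CHUNK_SIZE, len(data))
    while pos + RECORD_HEADER_SIZE <= end:
        if data[pos:pos + 4] != RECORD_MAGIC:
            break
        size, rec_id, ft = struct.unpack_from("<IQQ", data, pos + 4)
        if size < RECORD_HEADER_SIZE + 4 or pos + size > end:
            break  # corrupt size, or the record runs past the data we have
        if struct.unpack_from("<I", data, pos + size - 4)[0] != size:
            break  # trailing size copy must match the leading one
        records.append({
            "offset": pos,
            "record_id": rec_id,
            "written": filetime_to_datetime(ft),
            "binxml": bytes(data[pos + RECORD_HEADER_SIZE:pos + size - 4]),
        })
        pos += size
    return records


def carve(data):
    """Every chunk signature in the buffer with its header and surviving records."""
    out = []
    for off in find_chunks(data):
        hdr = parse_chunk_header(data, off)
        recs = carve_records(data, off) if hdr else []
        out.append({"offset": off, "header": hdr, "records": recs})
    return out


# --- constructed sample input (not real event log data) ---------------------
def _build_record(rec_id, written, payload):
    ft = ((written - EPOCH_1601) // timedelta(microseconds=1)) * 10
    size = RECORD_HEADER_SIZE + len(payload) + 4
    return RECORD_MAGIC + struct.pack("<IQQ", size, rec_id, ft) + payload + struct.pack("<I", size)


def _build_chunk(records, first_id, last_id):
    body = b"".join(records)
    hdr = bytearray(CHUNK_HEADER_SIZE)
    struct.pack_into("<8sQQQQIIII", hdr, 0, CHUNK_MAGIC, first_id, last_id, first_id, last_id,
                     CHUNK_HEADER_SIZE, CHUNK_HEADER_SIZE + len(body) - len(records[-1]),
                     CHUNK_HEADER_SIZE + len(body), zlib.crc32(body))
    struct.pack_into("<I", hdr, 124, zlib.crc32(bytes(hdr[:120])))
    chunk = bytes(hdr) + body
    return chunk + b"\x00" * (CHUNK_SIZE - len(chunk))


_REC1 = _build_record(101, datetime(2024, 1, 1, tzinfo=timezone.utc), b"<constructed binxml record 1>")
_REC2 = _build_record(102, datetime(2024, 1, 1, 0, 0, 1, tzinfo=timezone.utc), b"<constructed binxml record 2>")
_FULL_CHUNK = _build_chunk([_REC1, _REC2], 101, 102)
_TRUNCATED = _build_chunk([_REC1], 101, 101)[:CHUNK_HEADER_SIZE + 40]  # header + 40 bytes of a record
SAMPLE = b"\x00" * 4096 + _FULL_CHUNK + b"\xff" * 1000 + _TRUNCATED

if __name__ == "__main__":
    for chunk in carve(SAMPLE):
        hdr = chunk["header"]
        print(f"chunk @ {chunk['offset']:#x}: header_crc_ok={hdr and hdr['header_crc_ok']} "
              f"records={len(chunk['records'])}")
        for r in chunk["records"]:
            print(f"  record {r['record_id']} written {r['written'].isoformat()} {r['binxml']!r}")
```

On a real image you would read the dump (or a memory-range export from Volatility) into `data` instead of `SAMPLE` and feed each record's `binxml` to a Binary XML parser; the carver itself only trusts a record once its leading and trailing sizes agree and it fits inside the 64 KiB chunk, which is what keeps a half-overwritten page from producing phantom events.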
Papers
- BMCLeech: Introducing Stealthy Memory Forensics to BMC, Tobias Latzo (DFRWS EU 2020)
- Defining Atomicity (and Integrity) for Snapshots of Storage in Forensic Computing (DFRWS EU 2022)
- Duck Hunt: Memory Forensics of USB Attack Platforms (DFRWS USA 2021)
- Extraction and analysis of retrievable memory artifacts from Windows Telegram Desktop application (DFRWS EU 2022)
- Hiding Process Memory via Anti-Forensic Techniques (DFRWS USA 2020)
- Juicing V8: A Primary Account for the Memory Forensics of the V8 JavaScript Engine (DFRWS USA 2022)
Books
- Practical Memory Forensics
Jumpstart effective forensic analysis of volatile memory.
- The Art of Memory Forensics
Detecting Malware and Threats in Windows, Linux, and Mac Memory.
Showing a sample of 102 resources; the full list is on GitHub.