extracting-memory-artifacts-with-rekall

Solid

Uses Rekall memory forensics framework to analyze memory dumps for process hollowing, injected code via VAD anomalies, hidden processes, and rootkit detection. Applies plugins like pslist, psscan, vadinfo, malfind, and dlllist to extract forensic artifacts from Windows memory images. Use during incident response memory analysis.

AI & Automation 16,326 stars 1981 forks Updated 2 weeks ago Apache-2.0

Install

View on GitHub

Quality Score: 95/100

Stars 20%
100
Recency 20%
90
Frontmatter 20%
70
Documentation 15%
91
Issue Health 10%
50
License 10%
100
Description 5%
100

Skill Content

# Extracting Memory Artifacts with Rekall ## When to Use - When performing authorized security testing that involves extracting memory artifacts with rekall - When analyzing malware samples or attack artifacts in a controlled environment - When conducting red team exercises or penetration testing engagements - When building detection capabilities based on offensive technique understanding ## Prerequisites - Familiarity with security operations concepts and tools - Access to a test or lab environment for safe execution - Python 3.8+ with required dependencies installed - Appropriate authorization for any testing activities ## Instructions Use Rekall to analyze memory dumps for signs of compromise including process injection, hidden processes, and suspicious network connections. ```python from rekall import session from rekall import plugins # Create a Rekall session with a memory image s = session.Session( filename="/path/to/memory.raw", autodetect=["rsds"], profile_path=["https://github.com/google/rekall-profiles/raw/master"] ) # List processes for proc in s.plugins.pslist(): print(proc) # Detect injected code for result in s.plugins.malfind(): print(result) ``` Key analysis steps: 1. Load memory image and auto-detect profile 2. Run pslist and psscan to find hidden processes 3. Use malfind to detect injected/hollowed code in process VADs 4. Examine network connections with netscan 5. Extract suspicious DLLs and drivers with dlllist/modules ## ...

Details

Author
mukul975
Repository
mukul975/Anthropic-Cybersecurity-Skills
Created
3 months ago
Last Updated
2 weeks ago
Language
Python
License
Apache-2.0

Bundled in these plugins

cybersecurity-skills

Similar Skills

Semantically similar based on skill content — not just same category

AI & Automation Featured

performing-memory-forensics-with-volatility3-plugins

Analyze memory dumps using Volatility3 plugins to detect injected code, rootkits, credential theft, and malware artifacts in Windows, Linux, and macOS memory images.

16,326 Updated 2 weeks ago
mukul975
AI & Automation Solid

memory-forensics

Master memory forensics techniques including memory acquisition, process analysis, and artifact extraction using Volatility and related tools. Use when analyzing memory dumps, investigating incidents, or performing malware analysis from RAM captures.

36,924 Updated yesterday
wshobson
AI & Automation Featured

conducting-memory-forensics-with-volatility

Performs memory forensics analysis using Volatility 3 to extract evidence of malware execution, process injection, network connections, and credential theft from RAM dumps captured during incident response. Covers memory acquisition, process analysis, DLL inspection, and malware detection. Activates for requests involving memory forensics, RAM analysis, Volatility framework, memory dump investigation, volatile evidence analysis, or live memory acquisition.

16,326 Updated 2 weeks ago
mukul975