analyzing-memory-forensics-with-lime-and-volatility
$
npx mdskill add mukul975/Anthropic-Cybersecurity-Skills/analyzing-memory-forensics-with-lime-and-volatilityExtract Linux memory artifacts using LiME and Volatility for incident response.
- Recover process lists, network connections, and injected code from compromised systems.
- Depends on LiME kernel module and Volatility 3 framework for data extraction.
- Executes acquisition commands to generate structured forensic artifacts from memory images.
- Delivers extracted data in text format for SOC analysts to review and investigate.
SKILL.md
.github/skills/analyzing-memory-forensics-with-lime-and-volatilityView on GitHub ↗
--- name: analyzing-memory-forensics-with-lime-and-volatility description: > Performs Linux memory acquisition using LiME (Linux Memory Extractor) kernel module and analysis with Volatility 3 framework. Extracts process lists, network connections, bash history, loaded kernel modules, and injected code from Linux memory images. Use when performing incident response on compromised Linux systems. domain: cybersecurity subdomain: security-operations tags: [analyzing, memory, forensics, with] version: "1.0" author: mahipal license: Apache-2.0 --- # Analyzing Memory Forensics with LiME and Volatility ## When to Use - When investigating security incidents that require analyzing memory forensics with lime and volatility - When building detection rules or threat hunting queries for this domain - When SOC analysts need structured procedures for this analysis type - When validating security monitoring coverage for related attack techniques ## Prerequisites - Familiarity with security operations concepts and tools - Access to a test or lab environment for safe execution - Python 3.8+ with required dependencies installed - Appropriate authorization for any testing activities ## Instructions Acquire Linux memory using LiME kernel module, then analyze with Volatility 3 to extract forensic artifacts from the memory image. ```bash # LiME acquisition insmod lime-$(uname -r).ko "path=/evidence/memory.lime format=lime" # Volatility 3 analysis vol3 -f /evidence/memory.lime linux.pslist vol3 -f /evidence/memory.lime linux.bash vol3 -f /evidence/memory.lime linux.sockstat ``` ```python import volatility3 from volatility3.framework import contexts, automagic from volatility3.plugins.linux import pslist, bash, sockstat # Programmatic Volatility 3 usage context = contexts.Context() automagics = automagic.available(context) ``` Key analysis steps: 1. Acquire memory with LiME (format=lime or format=raw) 2. List processes with linux.pslist, compare with linux.psscan 3. Extract bash command history with linux.bash 4. List network connections with linux.sockstat 5. Check loaded kernel modules with linux.lsmod for rootkits ## Examples ```bash # Full forensic workflow vol3 -f memory.lime linux.pslist | grep -v "\[kthread\]" vol3 -f memory.lime linux.bash vol3 -f memory.lime linux.malfind vol3 -f memory.lime linux.lsmod ```
More from mukul975/Anthropic-Cybersecurity-Skills
- acquiring-disk-image-with-dd-and-dcflddCreate forensically sound bit-for-bit disk images using dd and dcfldd while preserving evidence integrity through hash verification.
- analyzing-active-directory-acl-abuseDetect dangerous ACL misconfigurations in Active Directory using ldap3 to identify GenericAll, WriteDACL, and WriteOwner abuse paths
- analyzing-android-malware-with-apktoolPerform static analysis of Android APK malware samples using apktool for decompilation, jadx for Java source recovery, and androguard for permission analysis, manifest inspection, and suspicious API call detection.
- analyzing-api-gateway-access-logs>
- analyzing-apt-group-with-mitre-navigatorAnalyze advanced persistent threat (APT) group techniques using MITRE ATT&CK Navigator to create layered heatmaps of adversary TTPs for detection gap analysis and threat-informed defense.
- analyzing-azure-activity-logs-for-threats>
- analyzing-bootkit-and-rootkit-samples>
- analyzing-browser-forensics-with-hindsightAnalyze Chromium-based browser artifacts using Hindsight to extract browsing history, downloads, cookies, cached content, autofill data, saved passwords, and browser extensions from Chrome, Edge, Brave, and Opera for forensic investigation.
- analyzing-campaign-attribution-evidenceCampaign attribution analysis involves systematically evaluating evidence to determine which threat actor or group is responsible for a cyber operation. This skill covers collecting and weighting attr
- analyzing-certificate-transparency-for-phishingMonitor Certificate Transparency logs using crt.sh and Certstream to detect phishing domains, lookalike certificates, and unauthorized certificate issuance targeting your organization.