Memory Forensics
by Solomon Neas · GitHub ↗ · v1.0.1 · MIT-0
293 Downloads · 1 Stars · 1 Active Installs · 2 Versions
Install in OpenClaw: /install memory-forensics
Description
Memory forensics with Volatility and related tools. Acquire RAM dumps, extract processes and DLLs, investigate rootkits and fileless malware, recover credent...
Usage Guidance
This is a coherent, domain-appropriate memory-forensics playbook, but it performs high-impact, privileged actions. Before using it: ensure you have legal/organizational authorization to acquire and analyze RAM; run commands on controlled evidence or isolates (not production systems) because dd/insmod and memory acquisition can crash systems; verify sources before running installs (pip install volatility3) and symbol downloads; be aware that memory images contain sensitive secrets (passwords, tokens) — handle and store them securely. Note the referenced resources/implementation-playbook.md is missing from the skill bundle; if you expect implementation artifacts, ask the author for the missing file.
Capability Analysis
Type: OpenClaw Skill
Name: memory-forensics
Version: 1.0.1
The memory-forensics skill bundle is a legitimate and well-structured guide for performing memory analysis using Volatility 3 and various acquisition tools like WinPmem, LiME, and DumpIt. It provides standard forensic workflows, command references for process and network analysis, and methods for detecting memory injection or extracting credentials in an incident response context. No evidence of malicious intent, data exfiltration, or prompt injection was found; all content aligns with the stated professional forensic purpose.
Capability Assessment
Purpose & Capability
Name/description match the provided SKILL.md: guidance and commands for acquiring memory, using Volatility plugins, and forensic workflows. No unrelated credentials, binaries, or capabilities are requested.
Instruction Scope
Instructions stay within memory-forensics tasks (acquisition, analysis, dumping processes, YARA scanning). They include privileged operations (sudo dd, insmod for LiME, kernel-level actions and credential extraction) which are expected for this domain but are high-impact; the SKILL.md refers to resources/implementation-playbook.md which is not present in the manifest.
Install Mechanism
No install spec in the skill bundle (instruction-only). The document suggests common installs (pip install volatility3, downloading symbol tables from the Volatility Foundation) which are standard for this toolset and are proportional to the stated purpose.
Credentials
The skill declares no required environment variables, credentials, or config paths. The instructions do describe extracting credentials from memory (a normal forensic capability) but do not request external secrets or unrelated system credentials.
Persistence & Privilege
The manifest's "always" flag is false and the skill is user-invocable. It does not request persistent or elevated platform privileges beyond normal agent invocation, and it does not attempt to modify other skills or system-wide agent settings.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: /install memory-forensics
- After installation, invoke the skill by name or use /memory-forensics
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.1
Natural description rewrite
v1.0.0
Initial release of the memory-forensics skill.
- Provides comprehensive guidance for acquiring and analyzing RAM dumps across Windows, Linux, macOS, and virtual machines.
- Documents the use of Volatility 2 and 3 plugins for process, network, registry, and file system artifact extraction.
- Outlines workflows for malware analysis and incident response using memory forensics.
- Includes acquisition tool instructions (LiME, WinPmem, DumpIt), timeline reconstruction, and artifact extraction.
- Lists relevant Windows data structures and process injection detection techniques.
- Clearly defines scope: memory forensics only; excludes file, network, and disk forensics.
Frequently Asked Questions
What is Memory Forensics?
Memory forensics with Volatility and related tools. Acquire RAM dumps, extract processes and DLLs, investigate rootkits and fileless malware, recover credent... It is an AI Agent Skill for Claude Code / OpenClaw, with 293 downloads so far.
How do I install Memory Forensics?
Run "/install memory-forensics" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Memory Forensics free?
Yes, Memory Forensics is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does Memory Forensics support?
Memory Forensics is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created Memory Forensics?
It is built and maintained by Solomon Neas (@solomonneas); the current version is v1.0.1.