Scans a given process. Recognizes and dumps a variety of potentially malicious implants (replaced/injected PEs, shellcodes, hooks, in-memory patches).

Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches).

Educational, CTF-styled labs for individuals interested in Memory Forensics

AVML - Acquire Volatile Memory for Linux

Dynamic unpacker based on PE-sieve

WinDBG Anti-RootKit Extension

MemProcFS-Analyzer - Automated Forensic Analysis of Windows Memory Dumps for DFIR

SIFT

Data Visualization Plugin for IDA Pro

Volatile Artifact Collector collects a snapshot of volatile data from a system. It tells you what is happening on a system, and is of particular use when investigating a security incident.

Allows you to quickly query a Windows machine for RAM artifacts

Collect-MemoryDump - Automated Creation of Windows Memory Snapshots for DFIR

A course on "Digital Forensics" designed and offered in the Computer Science Department at Texas Tech University

Hyper-V Research is trendy now

Rip Raw is a small tool to analyse the memory of compromised Linux systems.

A short and small memory forensics helper.

C# Implementation of Jared Atkinson's Get-InjectedThread.ps1

A curated list of awesome malware analysis tools and resources

A script to assist in processing forensic RAM captures for malware triage

Volatility, on Docker 🐳