analyzing-memory-forensics-with-lime-and-volatility

Performs Linux memory acquisition using LiME (Linux Memory Extractor) kernel module and analysis with Volatility 3 framework. Extracts process lists, network connections, bash history, loaded kernel modules, and injected code from Linux memory images. Use when performing incident response on compromised Linux systems.

Safety Notice

This listing is imported from skills.sh public index metadata. Review upstream SKILL.md and repository scripts before running.

Copy this and send it to your AI assistant to learn

Install skill "analyzing-memory-forensics-with-lime-and-volatility" with this command: npx skills add mukul975/anthropic-cybersecurity-skills/mukul975-anthropic-cybersecurity-skills-analyzing-memory-forensics-with-lime-and-volatility

Analyzing Memory Forensics with LiME and Volatility

Instructions

Acquire Linux memory using LiME kernel module, then analyze with Volatility 3 to extract forensic artifacts from the memory image.

# LiME acquisition
insmod lime-$(uname -r).ko "path=/evidence/memory.lime format=lime"

# Volatility 3 analysis
vol3 -f /evidence/memory.lime linux.pslist
vol3 -f /evidence/memory.lime linux.bash
vol3 -f /evidence/memory.lime linux.sockstat

import volatility3
from volatility3.framework import contexts, automagic
from volatility3.plugins.linux import pslist, bash, sockstat

# Programmatic Volatility 3 usage
context = contexts.Context()
automagics = automagic.available(context)

Key analysis steps:

  1. Acquire memory with LiME (format=lime or format=raw)
  2. List processes with linux.pslist, compare with linux.psscan
  3. Extract bash command history with linux.bash
  4. List network connections with linux.sockstat
  5. Check loaded kernel modules with linux.lsmod for rootkits

Examples

# Full forensic workflow
vol3 -f memory.lime linux.pslist | grep -v "\[kthread\]"
vol3 -f memory.lime linux.bash
vol3 -f memory.lime linux.malfind
vol3 -f memory.lime linux.lsmod

Source Transparency

This detail page is rendered from real SKILL.md content. Trust labels are metadata-based hints, not a safety guarantee.

Open in GitHubOpen in ClawHub

Related Skills

Related by shared tags or category signals.

Security

analyzing-certificate-transparency-for-phishing

No summary provided by upstream source.

Repository SourceNeeds Review
9-mukul975
Security

analyzing-android-malware-with-apktool

No summary provided by upstream source.

Repository SourceNeeds Review
9-mukul975
Security

analyzing-network-traffic-with-wireshark

No summary provided by upstream source.

Repository SourceNeeds Review
9-mukul975
Security

analyzing-api-gateway-access-logs

No summary provided by upstream source.

Repository SourceNeeds Review
8-mukul975