{"id":"ef09e8a7-cf93-4db2-9d52-78696c8dd6aa","shortId":"qhkqhw","kind":"skill","title":"memory-forensics","tagline":"Comprehensive techniques for acquiring, analyzing, and extracting artifacts from memory dumps for incident response and malware analysis.","description":"# Memory Forensics\n\nComprehensive techniques for acquiring, analyzing, and extracting artifacts from memory dumps for incident response and malware analysis.\n\n## Use this skill when\n\n- Working on memory forensics tasks or workflows\n- Needing guidance, best practices, or checklists for memory forensics\n\n## Do not use this skill when\n\n- The task is unrelated to memory forensics\n- You need a different domain or tool outside this scope\n\n## Instructions\n\n- Clarify goals, constraints, and required inputs.\n- Apply relevant best practices and validate outcomes.\n- Provide actionable steps and verification.\n- If detailed examples are required, open `resources/implementation-playbook.md`.\n\n## Memory Acquisition\n\n### Live Acquisition Tools\n\n#### Windows\n```powershell\n# WinPmem (Recommended)\nwinpmem_mini_x64.exe memory.raw\n\n# DumpIt\nDumpIt.exe\n\n# Belkasoft RAM Capturer\n# GUI-based, outputs raw format\n\n# Magnet RAM Capture\n# GUI-based, outputs raw format\n```\n\n#### Linux\n```bash\n# LiME (Linux Memory Extractor)\nsudo insmod lime.ko \"path=/tmp/memory.lime format=lime\"\n\n# /dev/mem (limited, requires permissions)\nsudo dd if=/dev/mem of=memory.raw bs=1M\n\n# /proc/kcore (ELF format)\nsudo cp /proc/kcore memory.elf\n```\n\n#### macOS\n```bash\n# osxpmem\nsudo ./osxpmem -o memory.raw\n\n# MacQuisition (commercial)\n```\n\n### Virtual Machine Memory\n\n```bash\n# VMware: .vmem file is raw memory\ncp vm.vmem memory.raw\n\n# VirtualBox: Use debug console\nvboxmanage debugvm \"VMName\" dumpvmcore --filename memory.elf\n\n# QEMU\nvirsh dump <domain> memory.raw --memory-only\n\n# Hyper-V\n# Checkpoint contains memory state\n```\n\n## Volatility 3 Framework\n\n### Installation and Setup\n\n```bash\n# Install Volatility 3\npip install volatility3\n\n# Install symbol tables (Windows)\n# Download from https://downloads.volatilityfoundation.org/volatility3/symbols/\n\n# Basic usage\nvol -f memory.raw <plugin>\n\n# With symbol path\nvol -f memory.raw -s /path/to/symbols windows.pslist\n```\n\n### Essential Plugins\n\n#### Process Analysis\n```bash\n# List processes\nvol -f memory.raw windows.pslist\n\n# Process tree (parent-child relationships)\nvol -f memory.raw windows.pstree\n\n# Hidden process detection\nvol -f memory.raw windows.psscan\n\n# Process memory dumps\nvol -f memory.raw windows.memmap --pid <PID> --dump\n\n# Process environment variables\nvol -f memory.raw windows.envars --pid <PID>\n\n# Command line arguments\nvol -f memory.raw windows.cmdline\n```\n\n#### Network Analysis\n```bash\n# Network connections\nvol -f memory.raw windows.netscan\n\n# Network connection state\nvol -f memory.raw windows.netstat\n```\n\n#### DLL and Module Analysis\n```bash\n# Loaded DLLs per process\nvol -f memory.raw windows.dlllist --pid <PID>\n\n# Find hidden/injected DLLs\nvol -f memory.raw windows.ldrmodules\n\n# Kernel modules\nvol -f memory.raw windows.modules\n\n# Module dumps\nvol -f memory.raw windows.moddump --pid <PID>\n```\n\n#### Memory Injection Detection\n```bash\n# Detect code injection\nvol -f memory.raw windows.malfind\n\n# VAD (Virtual Address Descriptor) analysis\nvol -f memory.raw windows.vadinfo --pid <PID>\n\n# Dump suspicious memory regions\nvol -f memory.raw windows.vadyarascan --yara-rules rules.yar\n```\n\n#### Registry Analysis\n```bash\n# List registry hives\nvol -f memory.raw windows.registry.hivelist\n\n# Print registry key\nvol -f memory.raw windows.registry.printkey --key \"Software\\Microsoft\\Windows\\CurrentVersion\\Run\"\n\n# Dump registry hive\nvol -f memory.raw windows.registry.hivescan --dump\n```\n\n#### File System Artifacts\n```bash\n# Scan for file objects\nvol -f memory.raw windows.filescan\n\n# Dump files from memory\nvol -f memory.raw windows.dumpfiles --pid <PID>\n\n# MFT analysis\nvol -f memory.raw windows.mftscan\n```\n\n### Linux Analysis\n\n```bash\n# Process listing\nvol -f memory.raw linux.pslist\n\n# Process tree\nvol -f memory.raw linux.pstree\n\n# Bash history\nvol -f memory.raw linux.bash\n\n# Network connections\nvol -f memory.raw linux.sockstat\n\n# Loaded kernel modules\nvol -f memory.raw linux.lsmod\n\n# Mount points\nvol -f memory.raw linux.mount\n\n# Environment variables\nvol -f memory.raw linux.envars\n```\n\n### macOS Analysis\n\n```bash\n# Process listing\nvol -f memory.raw mac.pslist\n\n# Process tree\nvol -f memory.raw mac.pstree\n\n# Network connections\nvol -f memory.raw mac.netstat\n\n# Kernel extensions\nvol -f memory.raw mac.lsmod\n```\n\n## Analysis Workflows\n\n### Malware Analysis Workflow\n\n```bash\n# 1. Initial process survey\nvol -f memory.raw windows.pstree > processes.txt\nvol -f memory.raw windows.pslist > pslist.txt\n\n# 2. Network connections\nvol -f memory.raw windows.netscan > network.txt\n\n# 3. Detect injection\nvol -f memory.raw windows.malfind > malfind.txt\n\n# 4. Analyze suspicious processes\nvol -f memory.raw windows.dlllist --pid <PID>\nvol -f memory.raw windows.handles --pid <PID>\n\n# 5. Dump suspicious executables\nvol -f memory.raw windows.pslist --pid <PID> --dump\n\n# 6. Extract strings from dumps\nstrings -a pid.<PID>.exe > strings.txt\n\n# 7. YARA scanning\nvol -f memory.raw windows.yarascan --yara-rules malware.yar\n```\n\n### Incident Response Workflow\n\n```bash\n# 1. Timeline of events\nvol -f memory.raw windows.timeliner > timeline.csv\n\n# 2. User activity\nvol -f memory.raw windows.cmdline\nvol -f memory.raw windows.consoles\n\n# 3. Persistence mechanisms\nvol -f memory.raw windows.registry.printkey \\\n    --key \"Software\\Microsoft\\Windows\\CurrentVersion\\Run\"\n\n# 4. Services\nvol -f memory.raw windows.svcscan\n\n# 5. Scheduled tasks\nvol -f memory.raw windows.scheduled_tasks\n\n# 6. Recent files\nvol -f memory.raw windows.filescan | grep -i \"recent\"\n```\n\n## Data Structures\n\n### Windows Process Structures\n\n```c\n// EPROCESS (Executive Process)\ntypedef struct _EPROCESS {\n    KPROCESS Pcb;                    // Kernel process block\n    EX_PUSH_LOCK ProcessLock;\n    LARGE_INTEGER CreateTime;\n    LARGE_INTEGER ExitTime;\n    // ...\n    LIST_ENTRY ActiveProcessLinks;   // Doubly-linked list\n    ULONG_PTR UniqueProcessId;       // PID\n    // ...\n    PEB* Peb;                        // Process Environment Block\n    // ...\n} EPROCESS;\n\n// PEB (Process Environment Block)\ntypedef struct _PEB {\n    BOOLEAN InheritedAddressSpace;\n    BOOLEAN ReadImageFileExecOptions;\n    BOOLEAN BeingDebugged;           // Anti-debug check\n    // ...\n    PVOID ImageBaseAddress;          // Base address of executable\n    PPEB_LDR_DATA Ldr;              // Loader data (DLL list)\n    PRTL_USER_PROCESS_PARAMETERS ProcessParameters;\n    // ...\n} PEB;\n```\n\n### VAD (Virtual Address Descriptor)\n\n```c\ntypedef struct _MMVAD {\n    MMVAD_SHORT Core;\n    union {\n        ULONG LongFlags;\n        MMVAD_FLAGS VadFlags;\n    } u;\n    // ...\n    PVOID FirstPrototypePte;\n    PVOID LastContiguousPte;\n    // ...\n    PFILE_OBJECT FileObject;\n} MMVAD;\n\n// Memory protection flags\n#define PAGE_EXECUTE           0x10\n#define PAGE_EXECUTE_READ      0x20\n#define PAGE_EXECUTE_READWRITE 0x40\n#define PAGE_EXECUTE_WRITECOPY 0x80\n```\n\n## Detection Patterns\n\n### Process Injection Indicators\n\n```python\n# Malfind indicators\n# - PAGE_EXECUTE_READWRITE protection (suspicious)\n# - MZ header in non-image VAD region\n# - Shellcode patterns at allocation start\n\n# Common injection techniques\n# 1. Classic DLL Injection\n#    - VirtualAllocEx + WriteProcessMemory + CreateRemoteThread\n\n# 2. Process Hollowing\n#    - CreateProcess (SUSPENDED) + NtUnmapViewOfSection + WriteProcessMemory\n\n# 3. APC Injection\n#    - QueueUserAPC targeting alertable threads\n\n# 4. Thread Execution Hijacking\n#    - SuspendThread + SetThreadContext + ResumeThread\n```\n\n### Rootkit Detection\n\n```bash\n# Compare process lists\nvol -f memory.raw windows.pslist > pslist.txt\nvol -f memory.raw windows.psscan > psscan.txt\ndiff pslist.txt psscan.txt  # Hidden processes\n\n# Check for DKOM (Direct Kernel Object Manipulation)\nvol -f memory.raw windows.callbacks\n\n# Detect hooked functions\nvol -f memory.raw windows.ssdt  # System Service Descriptor Table\n\n# Driver analysis\nvol -f memory.raw windows.driverscan\nvol -f memory.raw windows.driverirp\n```\n\n### Credential Extraction\n\n```bash\n# Dump hashes (requires hivelist first)\nvol -f memory.raw windows.hashdump\n\n# LSA secrets\nvol -f memory.raw windows.lsadump\n\n# Cached domain credentials\nvol -f memory.raw windows.cachedump\n\n# Mimikatz-style extraction\n# Requires specific plugins/tools\n```\n\n## YARA Integration\n\n### Writing Memory YARA Rules\n\n```yara\nrule Suspicious_Injection\n{\n    meta:\n        description = \"Detects common injection shellcode\"\n\n    strings:\n        // Common shellcode patterns\n        $mz = { 4D 5A }\n        $shellcode1 = { 55 8B EC 83 EC }  // Function prologue\n        $api_hash = { 68 ?? ?? ?? ?? 68 ?? ?? ?? ?? E8 }  // Push hash, call\n\n    condition:\n        $mz at 0 or any of ($shellcode*)\n}\n\nrule Cobalt_Strike_Beacon\n{\n    meta:\n        description = \"Detects Cobalt Strike beacon in memory\"\n\n    strings:\n        $config = { 00 01 00 01 00 02 }\n        $sleep = \"sleeptime\"\n        $beacon = \"%s (admin)\" wide\n\n    condition:\n        2 of them\n}\n```\n\n### Scanning Memory\n\n```bash\n# Scan all process memory\nvol -f memory.raw windows.yarascan --yara-rules rules.yar\n\n# Scan specific process\nvol -f memory.raw windows.yarascan --yara-rules rules.yar --pid 1234\n\n# Scan kernel memory\nvol -f memory.raw windows.yarascan --yara-rules rules.yar --kernel\n```\n\n## String Analysis\n\n### Extracting Strings\n\n```bash\n# Basic string extraction\nstrings -a memory.raw > all_strings.txt\n\n# Unicode strings\nstrings -el memory.raw >> all_strings.txt\n\n# Targeted extraction from process dump\nvol -f memory.raw windows.memmap --pid 1234 --dump\nstrings -a pid.1234.dmp > process_strings.txt\n\n# Pattern matching\ngrep -E \"(https?://|[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3})\" all_strings.txt\n```\n\n### FLOSS for Obfuscated Strings\n\n```bash\n# FLOSS extracts obfuscated strings\nfloss malware.exe > floss_output.txt\n\n# From memory dump\nfloss pid.1234.dmp\n```\n\n## Best Practices\n\n### Acquisition Best Practices\n\n1. **Minimize footprint**: Use lightweight acquisition tools\n2. **Document everything**: Record time, tool, and hash of capture\n3. **Verify integrity**: Hash memory dump immediately after capture\n4. **Chain of custody**: Maintain proper forensic handling\n\n### Analysis Best Practices\n\n1. **Start broad**: Get overview before deep diving\n2. **Cross-reference**: Use multiple plugins for same data\n3. **Timeline correlation**: Correlate memory findings with disk/network\n4. **Document findings**: Keep detailed notes and screenshots\n5. **Validate results**: Verify findings through multiple methods\n\n### Common Pitfalls\n\n- **Stale data**: Memory is volatile, analyze promptly\n- **Incomplete dumps**: Verify dump size matches expected RAM\n- **Symbol issues**: Ensure correct symbol files for OS version\n- **Smear**: Memory may change during acquisition\n- **Encryption**: Some data may be encrypted in memory\n\n## Limitations\n- Use this skill only when the task clearly matches the scope described above.\n- Do not treat the output as a substitute for environment-specific validation, testing, or expert review.\n- Stop and ask for clarification if required inputs, permissions, safety boundaries, or success criteria are missing.","tags":["memory","forensics","antigravity","awesome","skills","sickn33","agent-skills","agentic-skills","ai-agent-skills","ai-agents","ai-coding","ai-workflows"],"capabilities":["skill","source-sickn33","skill-memory-forensics","topic-agent-skills","topic-agentic-skills","topic-ai-agent-skills","topic-ai-agents","topic-ai-coding","topic-ai-workflows","topic-antigravity","topic-antigravity-skills","topic-claude-code","topic-claude-code-skills","topic-codex-cli","topic-codex-skills"],"categories":["antigravity-awesome-skills"],"synonyms":[],"warnings":[],"endpointUrl":"https://skills.sh/sickn33/antigravity-awesome-skills/memory-forensics","protocol":"skill","transport":"skills-sh","auth":{"type":"none","details":{"cli":"npx skills add sickn33/antigravity-awesome-skills","source_repo":"https://github.com/sickn33/antigravity-awesome-skills","install_from":"skills.sh"}},"qualityScore":"0.700","qualityRationale":"deterministic score 0.70 from registry signals: · indexed on github topic:agent-skills · 34726 github stars · SKILL.md body (11,066 chars)","verified":false,"liveness":"unknown","lastLivenessCheck":null,"agentReviews":{"count":0,"score_avg":null,"cost_usd_avg":null,"success_rate":null,"latency_p50_ms":null,"narrative_summary":null,"summary_updated_at":null},"enrichmentModel":"deterministic:skill-github:v1","enrichmentVersion":1,"enrichedAt":"2026-04-23T12:51:13.838Z","embedding":null,"createdAt":"2026-04-18T21:40:39.518Z","updatedAt":"2026-04-23T12:51:13.838Z","lastSeenAt":"2026-04-23T12:51:13.838Z","tsv":"'-9':1090,1094,1098,1102 '/dev/mem':153,160 '/osxpmem':176 '/path/to/symbols':252 '/proc/kcore':165,170 '/tmp/memory.lime':150 '/volatility3/symbols/':239 '0':975,1089,1093,1097,1101 '00':994,996,998 '01':995,997 '02':999 '0x10':775 '0x20':780 '0x40':785 '0x80':790 '1':526,605,820,1091,1095,1099,1103,1128,1165 '1234':1037,1078 '1m':164 '2':540,614,827,1007,1135,1173 '3':219,227,548,625,834,1092,1096,1100,1104,1145,1183 '4':556,638,841,1154,1191 '4d':954 '5':570,644,1199 '55':957 '5a':955 '6':580,652 '68':966,967 '7':590 '83':960 '8b':958 'acquir':7,26 'acquisit':110,112,1125,1133,1238 'action':98 'activ':616 'activeprocesslink':691 'address':369,726,745 'admin':1004 'alert':839 'all_strings.txt':1061,1067,1105 'alloc':815 'analysi':20,39,257,307,325,371,390,442,448,494,520,523,892,1051,1162 'analyz':8,27,557,1214 'anti':720 'anti-debug':719 'apc':835 'api':964 'appli':90 'argument':301 'artifact':11,30,422 'ask':1280 'base':127,136,725 'bash':141,173,184,224,258,308,326,359,391,423,449,462,495,525,604,850,903,1012,1054,1110 'basic':240,1055 'beacon':983,989,1002 'beingdebug':718 'belkasoft':122 'best':53,92,1123,1126,1163 'block':678,704,709 'boolean':713,715,717 'boundari':1288 'broad':1167 'bs':163 'c':667,747 'cach':919 'call':971 'captur':124,133,1144,1153 'chain':1155 'chang':1236 'check':722,869 'checklist':56 'checkpoint':214 'child':269 'clarif':1282 'clarifi':84 'classic':821 'clear':1255 'cobalt':981,987 'code':361 'command':299 'commerci':180 'common':817,946,950,1207 'compar':851 'comprehens':4,23 'condit':972,1006 'config':993 'connect':310,316,469,509,542 'consol':197 'constraint':86 'contain':215 'core':753 'correct':1227 'correl':1185,1186 'cp':169,191 'createprocess':830 'createremotethread':826 'createtim':685 'credenti':901,921 'criteria':1291 'cross':1175 'cross-refer':1174 'currentvers':410,636 'custodi':1157 'data':662,731,734,1182,1210,1241 'dd':158 'debug':196,721 'debugvm':199 'deep':1171 'defin':772,776,781,786 'describ':1259 'descript':944,985 'descriptor':370,746,889 'detail':103,1195 'detect':277,358,360,549,791,849,880,945,986 'diff':864 'differ':76 'direct':872 'disk/network':1190 'dive':1172 'dkom':871 'dll':322,735,822 'dlls':328,338 'document':1136,1192 'domain':77,920 'doubli':693 'doubly-link':692 'download':235 'downloads.volatilityfoundation.org':238 'downloads.volatilityfoundation.org/volatility3/symbols/':237 'driver':891 'dump':14,33,206,284,290,350,377,412,419,432,571,579,584,904,1072,1079,1120,1150,1217,1219 'dumpit':120 'dumpit.exe':121 'dumpvmcor':201 'e':1087 'e8':968 'ec':959,961 'el':1065 'elf':166 'encrypt':1239,1244 'ensur':1226 'entri':690 'environ':292,487,703,708,1271 'environment-specif':1270 'eprocess':668,673,705 'essenti':254 'event':608 'everyth':1137 'ex':679 'exampl':104 'exe':588 'execut':573,669,728,774,778,783,788,800,843 'exittim':688 'expect':1222 'expert':1276 'extens':515 'extract':10,29,581,902,929,1052,1057,1069,1112 'extractor':145 'f':243,249,262,272,279,286,295,303,312,319,332,340,346,352,364,373,382,396,403,416,429,437,444,453,459,465,471,478,484,490,499,505,511,517,531,536,544,552,561,566,575,594,610,618,622,629,641,648,656,855,860,877,884,894,898,910,916,923,1018,1029,1042,1074 'file':187,420,426,433,654,1229 'filenam':202 'fileobject':767 'find':336,1188,1193,1203 'first':908 'firstprototypept':762 'flag':758,771 'floss':1106,1111,1115,1121 'floss_output.txt':1117 'footprint':1130 'forens':3,22,47,59,72,1160 'format':130,139,151,167 'framework':220 'function':882,962 'get':1168 'goal':85 'grep':659,1086 'gui':126,135 'gui-bas':125,134 'guidanc':52 'handl':1161 'hash':905,965,970,1142,1148 'header':805 'hidden':275,867 'hidden/injected':337 'hijack':844 'histori':463 'hive':394,414 'hivelist':907 'hollow':829 'hook':881 'https':1088 'hyper':212 'hyper-v':211 'imag':809 'imagebaseaddress':724 'immedi':1151 'incid':16,35,601 'incomplet':1216 'indic':795,798 'inheritedaddressspac':714 'initi':527 'inject':357,362,550,794,818,823,836,942,947 'input':89,1285 'insmod':147 'instal':221,225,229,231 'instruct':83 'integ':684,687 'integr':934,1147 'issu':1225 'keep':1194 'kernel':343,475,514,676,873,1039,1049 'key':401,406,632 'kprocess':674 'larg':683,686 'lastcontiguouspt':764 'ldr':730,732 'lightweight':1132 'lime':142,152 'lime.ko':148 'limit':154,1247 'line':300 'link':694 'linux':140,143,447 'linux.bash':467 'linux.envars':492 'linux.lsmod':480 'linux.mount':486 'linux.pslist':455 'linux.pstree':461 'linux.sockstat':473 'list':259,392,451,497,689,695,736,853 'live':111 'load':327,474 'loader':733 'lock':681 'longflag':756 'lsa':913 'mac.lsmod':519 'mac.netstat':513 'mac.pslist':501 'mac.pstree':507 'machin':182 'maco':172,493 'macquisit':179 'magnet':131 'maintain':1158 'malfind':797 'malfind.txt':555 'malwar':19,38,522 'malware.exe':1116 'malware.yar':600 'manipul':875 'match':1085,1221,1256 'may':1235,1242 'mechan':627 'memori':2,13,21,32,46,58,71,109,144,183,190,209,216,283,356,379,435,769,936,991,1011,1016,1040,1119,1149,1187,1211,1234,1246 'memory-forens':1 'memory-on':208 'memory.elf':171,203 'memory.raw':119,162,178,193,207,244,250,263,273,280,287,296,304,313,320,333,341,347,353,365,374,383,397,404,417,430,438,445,454,460,466,472,479,485,491,500,506,512,518,532,537,545,553,562,567,576,595,611,619,623,630,642,649,657,856,861,878,885,895,899,911,917,924,1019,1030,1043,1060,1066,1075 'meta':943,984 'method':1206 'mft':441 'microsoft':408,634 'mimikatz':927 'mimikatz-styl':926 'minim':1129 'miss':1293 'mmvad':750,751,757,768 'modul':324,344,349,476 'mount':481 'multipl':1178,1205 'mz':804,953,973 'need':51,74 'network':306,309,315,468,508,541 'network.txt':547 'non':808 'non-imag':807 'note':1196 'ntunmapviewofsect':832 'o':177 'obfusc':1108,1113 'object':427,766,874 'open':107 'os':1231 'osxpmem':174 'outcom':96 'output':128,137,1265 'outsid':80 'overview':1169 'page':773,777,782,787,799 'paramet':740 'parent':268 'parent-child':267 'path':149,247 'pattern':792,813,952,1084 'pcb':675 'peb':700,701,706,712,742 'per':329 'permiss':156,1286 'persist':626 'pfile':765 'pid':289,298,335,355,376,440,564,569,578,587,699,1036,1077 'pid.1234.dmp':1082,1122 'pip':228 'pitfal':1208 'plugin':255,1179 'plugins/tools':932 'point':482 'powershel':115 'ppeb':729 'practic':54,93,1124,1127,1164 'print':399 'process':256,260,265,276,282,291,330,450,456,496,502,528,559,665,670,677,702,707,739,793,828,852,868,1015,1027,1071 'process_strings.txt':1083 'processes.txt':534 'processlock':682 'processparamet':741 'prologu':963 'prompt':1215 'proper':1159 'protect':770,802 'provid':97 'prtl':737 'pslist.txt':539,858,865 'psscan.txt':863,866 'ptr':697 'push':680,969 'pvoid':723,761,763 'python':796 'qemu':204 'queueuserapc':837 'ram':123,132,1223 'raw':129,138,189 'read':779 'readimagefileexecopt':716 'readwrit':784,801 'recent':653,661 'recommend':117 'record':1138 'refer':1176 'region':380,811 'registri':389,393,400,413 'relationship':270 'relev':91 'requir':88,106,155,906,930,1284 'resources/implementation-playbook.md':108 'respons':17,36,602 'result':1201 'resumethread':847 'review':1277 'rootkit':848 'rule':387,599,938,940,980,1023,1034,1047 'rules.yar':388,1024,1035,1048 'run':411,637 'safeti':1287 'scan':424,592,1010,1013,1025,1038 'schedul':645 'scope':82,1258 'screenshot':1198 'secret':914 'servic':639,888 'setthreadcontext':846 'setup':223 'shellcod':812,948,951,979 'shellcode1':956 'short':752 'size':1220 'skill':42,64,1250 'skill-memory-forensics' 'sleep':1000 'sleeptim':1001 'smear':1233 'softwar':407,633 'source-sickn33' 'specif':931,1026,1272 'stale':1209 'start':816,1166 'state':217,317 'step':99 'stop':1278 'strike':982,988 'string':582,585,949,992,1050,1053,1056,1058,1063,1064,1080,1109,1114 'strings.txt':589 'struct':672,711,749 'structur':663,666 'style':928 'substitut':1268 'success':1290 'sudo':146,157,168,175 'survey':529 'suspend':831 'suspendthread':845 'suspici':378,558,572,803,941 'symbol':232,246,1224,1228 'system':421,887 'tabl':233,890 'target':838,1068 'task':48,67,646,651,1254 'techniqu':5,24,819 'test':1274 'thread':840,842 'time':1139 'timelin':606,1184 'timeline.csv':613 'tool':79,113,1134,1140 'topic-agent-skills' 'topic-agentic-skills' 'topic-ai-agent-skills' 'topic-ai-agents' 'topic-ai-coding' 'topic-ai-workflows' 'topic-antigravity' 'topic-antigravity-skills' 'topic-claude-code' 'topic-claude-code-skills' 'topic-codex-cli' 'topic-codex-skills' 'treat':1263 'tree':266,457,503 'typedef':671,710,748 'u':760 'ulong':696,755 'unicod':1062 'union':754 'uniqueprocessid':698 'unrel':69 'usag':241 'use':40,62,195,1131,1177,1248 'user':615,738 'v':213 'vad':367,743,810 'vadflag':759 'valid':95,1200,1273 'variabl':293,488 'vboxmanag':198 'verif':101 'verifi':1146,1202,1218 'version':1232 'virsh':205 'virtual':181,368,744 'virtualallocex':824 'virtualbox':194 'vm.vmem':192 'vmem':186 'vmname':200 'vmware':185 'vol':242,248,261,271,278,285,294,302,311,318,331,339,345,351,363,372,381,395,402,415,428,436,443,452,458,464,470,477,483,489,498,504,510,516,530,535,543,551,560,565,574,593,609,617,621,628,640,647,655,854,859,876,883,893,897,909,915,922,1017,1028,1041,1073 'volatil':218,226,1213 'volatility3':230 'wide':1005 'window':114,234,409,635,664 'windows.cachedump':925 'windows.callbacks':879 'windows.cmdline':305,620 'windows.consoles':624 'windows.dlllist':334,563 'windows.driverirp':900 'windows.driverscan':896 'windows.dumpfiles':439 'windows.envars':297 'windows.filescan':431,658 'windows.handles':568 'windows.hashdump':912 'windows.ldrmodules':342 'windows.lsadump':918 'windows.malfind':366,554 'windows.memmap':288,1076 'windows.mftscan':446 'windows.moddump':354 'windows.modules':348 'windows.netscan':314,546 'windows.netstat':321 'windows.pslist':253,264,538,577,857 'windows.psscan':281,862 'windows.pstree':274,533 'windows.registry.hivelist':398 'windows.registry.hivescan':418 'windows.registry.printkey':405,631 'windows.scheduled':650 'windows.ssdt':886 'windows.svcscan':643 'windows.timeliner':612 'windows.vadinfo':375 'windows.vadyarascan':384 'windows.yarascan':596,1020,1031,1044 'winpmem':116 'winpmem_mini_x64.exe':118 'work':44 'workflow':50,521,524,603 'write':935 'writecopi':789 'writeprocessmemori':825,833 'yara':386,591,598,933,937,939,1022,1033,1046 'yara-rul':385,597,1021,1032,1045","prices":[{"id":"b46a3671-8ff9-4453-8f3d-adc05892b34e","listingId":"ef09e8a7-cf93-4db2-9d52-78696c8dd6aa","amountUsd":"0","unit":"free","nativeCurrency":null,"nativeAmount":null,"chain":null,"payTo":null,"paymentMethod":"skill-free","isPrimary":true,"details":{"org":"sickn33","category":"antigravity-awesome-skills","install_from":"skills.sh"},"createdAt":"2026-04-18T21:40:39.518Z"}],"sources":[{"listingId":"ef09e8a7-cf93-4db2-9d52-78696c8dd6aa","source":"github","sourceId":"sickn33/antigravity-awesome-skills/memory-forensics","sourceUrl":"https://github.com/sickn33/antigravity-awesome-skills/tree/main/skills/memory-forensics","isPrimary":false,"firstSeenAt":"2026-04-18T21:40:39.518Z","lastSeenAt":"2026-04-23T12:51:13.838Z"}],"details":{"listingId":"ef09e8a7-cf93-4db2-9d52-78696c8dd6aa","quickStartSnippet":null,"exampleRequest":null,"exampleResponse":null,"schema":null,"openapiUrl":null,"agentsTxtUrl":null,"citations":[],"useCases":[],"bestFor":[],"notFor":[],"kindDetails":{"org":"sickn33","slug":"memory-forensics","github":{"repo":"sickn33/antigravity-awesome-skills","stars":34726,"topics":["agent-skills","agentic-skills","ai-agent-skills","ai-agents","ai-coding","ai-workflows","antigravity","antigravity-skills","claude-code","claude-code-skills","codex-cli","codex-skills","cursor","cursor-skills","developer-tools","gemini-cli","gemini-skills","kiro","mcp","skill-library"],"license":"mit","html_url":"https://github.com/sickn33/antigravity-awesome-skills","pushed_at":"2026-04-23T06:41:03Z","description":"Installable GitHub library of 1,400+ agentic skills for Claude Code, Cursor, Codex CLI, Gemini CLI, Antigravity, and more. Includes installer CLI, bundles, workflows, and official/community skill collections.","skill_md_sha":"0039327c41ddecf0114e8b04b8cbfc3cd365a935","skill_md_path":"skills/memory-forensics/SKILL.md","default_branch":"main","skill_tree_url":"https://github.com/sickn33/antigravity-awesome-skills/tree/main/skills/memory-forensics"},"layout":"multi","source":"github","category":"antigravity-awesome-skills","frontmatter":{"name":"memory-forensics","description":"Comprehensive techniques for acquiring, analyzing, and extracting artifacts from memory dumps for incident response and malware analysis."},"skills_sh_url":"https://skills.sh/sickn33/antigravity-awesome-skills/memory-forensics"},"updatedAt":"2026-04-23T12:51:13.838Z"}}