Unified Memory Forensics MCP Server - Multi-tier engine (Rust + Python + Vol3)
Project description
mem-forensics-mcp
Unified Memory Forensics MCP Server - Multi-tier engine combining Rust speed with Vol3 coverage.
Architecture
Three-tier engine automatically routes each tool to the fastest backend:
LLM <-> [mem-forensics-mcp (Python)] <-> memoxide (Rust child, stdio MCP)
<-> Volatility3 (Python library)
| Tier | Engine | Speed | Coverage |
|---|---|---|---|
| Tier 1 | Rust (memoxide) | Fast | pslist, psscan, cmdline, dlllist, malfind, netscan, cmdscan, search, readraw, rsds |
| Tier 2 | Python analyzers | Medium | Process anomalies, C2 detection, credentials, YARA, VT integration |
| Tier 3 | Volatility3 | Slower | Any vol3 plugin (filescan, handles, svcscan, driverscan, ...) |
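How the routing in the table works in practice, as an added example (this is not the project's code): a tier lookup for the plugin name, selection of the Rust binary (local cargo build preferred over the prebuilt one for the host architecture), a minimal JSON-RPC 2.0 client using the newline-delimited stdio framing MCP uses for child servers, and a fallback to Volatility3 when the Rust side cannot serve the call. Assumptions: the Rust child exposes each Tier 1 plugin as an MCP tool of the same name taking `image_path`, and the prebuilt binaries live under `engines/memoxide/<target>/memoxide`; neither layout is confirmed by the page.

```python
"""Tier routing for a memory-forensics MCP server. Added example, not the project's code."""
import json
import os
import platform
import subprocess
from typing import Callable, Optional

# Tier 1 plugin set from the architecture table.
RUST_PLUGINS = {"pslist", "psscan", "cmdline", "dlllist", "malfind",
                "netscan", "cmdscan", "search", "readraw", "rsds"}

# platform.machine() -> prebuilt target name (assumed subdirectory naming).
PREBUILT_TARGETS = {"x86_64": "x86_64-linux", "aarch64": "aarch64-linux", "arm64": "aarch64-linux"}


def tier_for(plugin: str) -> int:
    """1 = Rust engine, 3 = Volatility3 for anything the Rust engine does not cover."""
    return 1 if plugin in RUST_PLUGINS else 3


def pick_engine_binary(root: str, machine: Optional[str] = None,
                       exists: Callable[[str], bool] = os.path.exists) -> Optional[str]:
    """Prefer a local cargo build over the prebuilt binary for the host architecture.
    `exists` is injectable so the selection can be exercised without a real checkout."""
    machine = machine or platform.machine()
    candidates = [os.path.join(root, "engines", "memoxide-src", "target", "release", "memoxide")]
    target = PREBUILT_TARGETS.get(machine)
    if target:  # assumed layout: engines/memoxide/<target>/memoxide
        candidates.append(os.path.join(root, "engines", "memoxide", target, "memoxide"))
    for path in candidates:
        if exists(path):
            return path
    return None  # unsupported architecture or no binary: Tier 1 tools must fall back


class StdioMcpClient:
    """Minimal JSON-RPC 2.0 client over newline-delimited stdio. `transport` maps one
    request line to one response line, so it can wrap a real pipe pair or a fake."""

    def __init__(self, transport: Callable[[str], str]):
        self.transport = transport
        self._next_id = 0

    @classmethod
    def spawn(cls, binary: str) -> "StdioMcpClient":
        proc = subprocess.Popen([binary], stdin=subprocess.PIPE, stdout=subprocess.PIPE, text=True)

        def transport(line: str) -> str:
            proc.stdin.write(line)
            proc.stdin.flush()
            return proc.stdout.readline()
        return cls(transport)

    def call_tool(self, name: str, arguments: dict) -> dict:
        self._next_id += 1
        request = {"jsonrpc": "2.0", "id": self._next_id, "method": "tools/call",
                   "params": {"name": name, "arguments": arguments}}
        response = json.loads(self.transport(json.dumps(request, separators=(",", ":")) + "\n"))
        if response.get("id") != self._next_id:
            raise RuntimeError("JSON-RPC id mismatch from engine")
        if "error" in response:
            raise RuntimeError(response["error"].get("message", "engine error"))
        return response["result"]


def run_plugin(plugin: str, image_path: str, rust: Optional[StdioMcpClient],
               vol3: Optional[Callable[[str, str], dict]]):
    """Route to the fastest engine that can serve the plugin; on a Rust-side error fall
    through to Volatility3 instead of failing the tool call. Returns (engine, result)."""
    if tier_for(plugin) == 1 and rust is not None:
        try:
            return "rust", rust.call_tool(plugin, {"image_path": image_path})
        except RuntimeError:
            pass
    if vol3 is None:
        raise RuntimeError(f"no engine available for plugin {plugin!r}")
    return "volatility3", vol3(plugin, image_path)


def fake_rust_transport(line: str) -> str:
    """Constructed stand-in for the Rust child: serves pslist, rejects everything else."""
    request = json.loads(line)
    if request["params"]["name"] == "pslist":
        return json.dumps({"jsonrpc": "2.0", "id": request["id"], "result": {"rows": 3}})
    return json.dumps({"jsonrpc": "2.0", "id": request["id"],
                       "error": {"code": -32601, "message": "unknown tool"}})


def fake_vol3(plugin: str, image_path: str) -> dict:
    """Constructed stand-in for the Volatility3 backend."""
    return {"engine": "vol3", "plugin": plugin, "image": image_path}


if __name__ == "__main__":
    client = StdioMcpClient(fake_rust_transport)
    print(run_plugin("pslist", "/evidence/memory.raw", client, fake_vol3))
    print(run_plugin("filescan", "/evidence/memory.raw", client, fake_vol3))
```

Against a real child process, an MCP session starts with an `initialize` request and an `initialized` notification before any `tools/call`; the client above skips that handshake to keep the routing logic visible. The fallback in `run_plugin` is deliberate: a Tier 1 failure (unsupported OS build, malformed image) degrades to the slower engine rather than surfacing as a failed tool call to the LLM.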
Installation
Prerequisites
# Install uv (fast Python package manager)
curl -LsSf https://astral.sh/uv/install.sh | sh
# Ensure Python 3.10+
python3 --version
Install from PyPI
uv pip install mem-forensics-mcp
Install from source
git clone https://github.com/x746b/mem_forensics-mcp.git
cd mem_forensics-mcp
# Full install (recommended)
uv sync --extra full
# Minimal (Vol3 only, no YARA/VT)
uv sync --extra volatility3
Build Rust Engine (optional)
Prebuilt binaries ship for aarch64-linux and x86_64-linux in engines/memoxide/. The server auto-detects the host architecture. To build from source:
# Requires Rust toolchain (https://rustup.rs)
cd engines/memoxide-src
cargo build --release
# Binary lands at engines/memoxide-src/target/release/memoxide
# The server auto-detects it (prefers local build over prebuilt)
Configure Volatility3 (optional)
If Vol3 is installed at /opt/volatility3 it's auto-detected. Otherwise:
export VOLATILITY3_PATH="/path/to/volatility3"
Verify
uv run python -m mem_forensics_mcp.server
# Should show: Rust engine: available, Volatility3: available
Adding to Claude CLI
claude mcp add mem-forensics-mcp \
--scope user \
-- uv run --directory /opt/mem_forensics-mcp python -m mem_forensics_mcp.server
With custom Volatility3 path:
claude mcp add mem-forensics-mcp \
--scope user \
-e VOLATILITY3_PATH=/opt/volatility3 \
-- uv run --directory /opt/mem_forensics-mcp python -m mem_forensics_mcp.server
Quick Start
# 1. Initialize
memory_analyze_image(image_path="/evidence/memory.raw")
# 2. Full triage
memory_full_triage(image_path="/evidence/memory.raw")
# 3. Drill down
memory_run_plugin(image_path="/evidence/memory.raw", plugin="malfind", pid=1234)
Tool Reference
Core
| Tool | Tier | Description |
|---|---|---|
| memory_analyze_image | 1->2 | Initialize image, auto-detect profile |
| memory_run_plugin | 1->3 | Run any plugin (Rust or Vol3) |
| memory_list_plugins | - | List available plugins |
| memory_list_sessions | - | List active sessions |
| memory_get_status | - | Show engine status |
Analysis
| Tool | Tier | Description |
|---|---|---|
| memory_full_triage | 1+2 | Complete automated investigation |
| memory_hunt_process_anomalies | 2 | DKOM detection, parent-child validation |
| memory_get_process_tree | 2 | Process tree with suspicious highlighting |
| memory_find_injected_code | 1->2 | Code injection + YARA scanning |
| memory_find_c2_connections | 1+2 | Network C2 detection |
| memory_get_command_history | 1+2 | Command recovery + classification |
| memory_extract_credentials | 2 | Hash/secret extraction via Vol3 |
Extraction
| Tool | Tier | Description |
|---|---|---|
| memory_dump_process | 2 | Process info and loaded DLLs |
| memory_dump_vad | 2 | Examine memory region details |
| memory_list_dumpable_files | 3 | List cached files |
Threat Intelligence
| Tool | Description |
|---|---|
| vt_lookup_hash | VirusTotal hash lookup |
| vt_lookup_ip | VirusTotal IP reputation |
| vt_lookup_domain | VirusTotal domain reputation |
| vt_lookup_file | Hash file + VT lookup |
Example: Full Triage Output
Running memory_full_triage on a Windows 10 memory dump (Win10 19041, x64, VMware):
{
"threat_level": "critical",
"risk_score": 100,
"summary": "Processes: 115 found. Process Anomalies: 4 info-level. Network: 4 flagged of 79 connections. Commands: 56 memory fragments. Injected Code: 12 RWX regions. Correlations: 2 critical.",
"engine": "rust+python"
}
Key findings:
| Category | Detail |
|---|---|
| Suspicious process | mmc.exe launched from explorer.exe, loading a .msc file from browser downloads |
| Injected code | 4 RWX private memory regions in mmc.exe, 2 in EXCEL.EXE |
| Child process | dllhost.exe spawned by mmc.exe with executable RWX region |
| Network | svchost.exe connections to external IPs on ports 443/80 |
| Correlations | active_implant + active_c2_session flagged as critical |
| IOCs | Suspicious external IPs extracted automatically |
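The two checks that the findings above rest on (parent-child validation from memory_hunt_process_anomalies, and correlation of RWX private regions with outbound connections), as an added example over constructed pslist/VAD/netscan-style rows. This is not the project's code: the expected-parent baseline is the standard Windows DFIR one, but the `active_implant` and `active_c2_session` rules, the row field names and the risk scores are assumptions about how such a correlation could be built.

```python
"""Triage correlation over constructed sample data. Added example, not the project's code."""
from ipaddress import ip_address, ip_network

# Expected parent(s) of core Windows processes, lower-cased.
EXPECTED_PARENT = {
    "smss.exe": {"system"}, "csrss.exe": {"smss.exe"}, "wininit.exe": {"smss.exe"},
    "winlogon.exe": {"smss.exe"}, "services.exe": {"wininit.exe"}, "lsass.exe": {"wininit.exe"},
    "svchost.exe": {"services.exe"}, "taskhostw.exe": {"svchost.exe"}, "runtimebroker.exe": {"svchost.exe"},
}
# Parents that normally exit after spawning, so an absent ppid alone is not suspicious.
EXITING_PARENTS = {"smss.exe"}

# Explicit internal ranges rather than ip.is_private, which in Python also swallows the
# RFC 5737 documentation addresses used in the constructed sample below.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                                          "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8")]

SAMPLE_PROCS = [  # constructed pslist-style rows
    {"pid": 4, "ppid": 0, "name": "System"},
    {"pid": 368, "ppid": 4, "name": "smss.exe"},
    {"pid": 480, "ppid": 368, "name": "wininit.exe"},
    {"pid": 620, "ppid": 480, "name": "services.exe"},
    {"pid": 900, "ppid": 620, "name": "svchost.exe"},
    {"pid": 3000, "ppid": 2900, "name": "explorer.exe"},  # userinit.exe parent already exited
    {"pid": 4100, "ppid": 3000, "name": "mmc.exe"},
    {"pid": 4200, "ppid": 4100, "name": "dllhost.exe"},
    {"pid": 5000, "ppid": 3000, "name": "EXCEL.EXE"},
    {"pid": 6000, "ppid": 4100, "name": "svchost.exe"},   # svchost under mmc.exe, not services.exe
]
SAMPLE_VADS = (  # constructed region rows; one image-backed RWX region must not count
    [{"pid": 4100, "protection": "PAGE_EXECUTE_READWRITE", "private": True}] * 4
    + [{"pid": 4100, "protection": "PAGE_EXECUTE_READWRITE", "private": False}]
    + [{"pid": 5000, "protection": "PAGE_EXECUTE_READWRITE", "private": True}] * 2
    + [{"pid": 4200, "protection": "PAGE_EXECUTE_READWRITE", "private": True}]
)
SAMPLE_CONNS = [  # constructed netscan-style rows
    {"pid": 6000, "raddr": "203.0.113.10", "rport": 443, "state": "ESTABLISHED"},
    {"pid": 4100, "raddr": "198.51.100.7", "rport": 443, "state": "ESTABLISHED"},
    {"pid": 900, "raddr": "10.0.0.5", "rport": 445, "state": "ESTABLISHED"},
    {"pid": 900, "raddr": "203.0.113.50", "rport": 80, "state": "CLOSED"},
]


def parent_child_anomalies(procs):
    """Flag core Windows processes whose live parent is not the expected one."""
    by_pid = {p["pid"]: p for p in procs}
    findings = []
    for p in procs:
        expected = EXPECTED_PARENT.get(p["name"].lower())
        if not expected:
            continue
        parent = by_pid.get(p["ppid"])
        if parent is None:
            if not expected <= EXITING_PARENTS:
                findings.append((p["pid"], p["name"], "parent missing", None))
        elif parent["name"].lower() not in expected:
            findings.append((p["pid"], p["name"], "unexpected parent", parent["name"]))
    return findings


def rwx_private_regions(vads):
    """Count RWX private (not image-backed) regions per pid, the malfind signal."""
    counts = {}
    for v in vads:
        if v["protection"] == "PAGE_EXECUTE_READWRITE" and v["private"]:
            counts[v["pid"]] = counts.get(v["pid"], 0) + 1
    return counts


def is_external(addr):
    ip = ip_address(addr)
    return not any(ip in net for net in INTERNAL_NETS)


def external_connections(conns):
    return [c for c in conns if c["state"] == "ESTABLISHED" and is_external(c["raddr"])]


def correlate(procs, vads, conns):
    """Assumed rules: RWX private memory plus an outbound session -> active_implant;
    anomalous parent plus an outbound session -> active_c2_session. Both critical."""
    names = {p["pid"]: p["name"] for p in procs}
    anomalous = {f[0] for f in parent_child_anomalies(procs)}
    rwx = rwx_private_regions(vads)
    remote = {}
    for c in external_connections(conns):
        remote.setdefault(c["pid"], []).append(f'{c["raddr"]}:{c["rport"]}')
    findings = []
    for pid in sorted(remote):
        tags = (["active_implant"] if pid in rwx else []) + (["active_c2_session"] if pid in anomalous else [])
        for tag in tags:
            findings.append({"pid": pid, "process": names.get(pid), "tag": tag, "severity": "critical",
                             "rwx_private": rwx.get(pid, 0), "remote": remote[pid]})
    return findings


def triage(procs, vads, conns):
    anomalies = parent_child_anomalies(procs)
    correlations = correlate(procs, vads, conns)
    if correlations:
        level, score = "critical", 100  # assumed scoring
    elif anomalies or rwx_private_regions(vads):
        level, score = "high", 70
    else:
        level, score = "low", 10
    return {"threat_level": level, "risk_score": score, "process_anomalies": anomalies,
            "correlations": correlations, "iocs": sorted({r for f in correlations for r in f["remote"]})}
```

On the sample, mmc.exe (RWX private regions plus an outbound 443 session) is tagged `active_implant` and the svchost.exe parented by mmc.exe is tagged `active_c2_session`; EXCEL.EXE and dllhost.exe have RWX regions but no outbound session, so they stay out of the correlations, and the CLOSED connection and the SMB session to 10.0.0.5 are never counted as external. The private/image-backed distinction matters: RWX image sections exist in legitimate packers and some runtimes, while RWX private memory with no backing file is the classic injection footprint.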
Drill-down with filtered filescan:
memory_run_plugin(image_path="memory.raw", plugin="filescan", filter="notepad")
# Returns: 2 of 7612 results matched (server-side grep before truncation)
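Why the order "grep, then truncate" matters for an LLM-facing tool, as an added example (not the project's code) over 7612 constructed filescan-like rows: a result set capped before filtering silently hides any match that sits past the cap, whereas filtering over the full set and then capping keeps every hit and reports how much was dropped. The row field names are assumptions.

```python
"""Server-side filter before truncation. Added example, not the project's code."""
import re


def filter_then_truncate(rows, pattern=None, limit=100, literal=True, fields=None):
    """Match every row first, then cap what goes back to the caller, and say what was dropped.
    `literal` escapes the pattern so an LLM-supplied filter is never compiled as a regex
    unless the caller explicitly asks for one."""
    total = len(rows)
    if pattern:
        rx = re.compile(re.escape(pattern) if literal else pattern, re.IGNORECASE)
        matched = [r for r in rows
                   if any(rx.search(str(r[f])) for f in (fields or r) if f in r)]
    else:
        matched = list(rows)
    returned = matched[:limit]
    return returned, {"total": total, "matched": len(matched), "returned": len(returned),
                      "truncated": len(matched) > limit}


def truncate_then_filter(rows, pattern, limit=100):
    """The wrong order: anything past the cap is invisible to the filter."""
    rx = re.compile(re.escape(pattern), re.IGNORECASE)
    return [r for r in rows[:limit] if rx.search(str(r.get("name", "")))]


# Constructed filescan-like rows: 7612 entries with two notepad hits deep in the list.
SAMPLE_ROWS = [{"offset": hex(0x8000000 + i * 0x1000), "name": f"\\Windows\\System32\\file{i}.dll"}
               for i in range(7612)]
SAMPLE_ROWS[7000]["name"] = "\\Windows\\System32\\notepad.exe"
SAMPLE_ROWS[7500]["name"] = "\\Users\\user\\AppData\\Local\\Temp\\Notepad.lnk"


if __name__ == "__main__":
    rows, summary = filter_then_truncate(SAMPLE_ROWS, "notepad")
    print(f'{summary["matched"]} of {summary["total"]} results matched', [r["name"] for r in rows])
    print("truncate-first would have returned:", truncate_then_filter(SAMPLE_ROWS, "notepad"))
```

The summary dict is the part worth keeping: a caller that only sees `returned` rows cannot tell "no notepad in memory" from "notepad was past the cutoff", so the counts must travel with the rows. Literal matching by default also closes off regex denial-of-service from a caller-controlled pattern; pass `literal=False` only where the tool description promises regex semantics.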
Related Projects
- winforensics-mcp — Windows disk forensics (EVTX, Registry, MFT, Prefetch, YARA, PCAP)
- mac_forensics-mcp — macOS DFIR (Unified Logs, FSEvents, Spotlight, Plists)
MIT License | xtk | Built for the DFIR community. No Windows required >)
Project details
Download files
File details
Details for the file mem_forensics_mcp-1.2.1.tar.gz.
File metadata
- Download URL: mem_forensics_mcp-1.2.1.tar.gz
- Upload date:
- Size: 8.3 MB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.11.14
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 47dd722be6f30b882e1861382f0a432c9b638cb54d6c888d3fb766cc6e3db921 |
| MD5 | 1faa42b4ea570f9a9a7ba0020a053f0a |
| BLAKE2b-256 | 680e843a44d9b3d8bd89dbfe4956e4b7f2897782f7f79ebfa62ee09512da760a |
File details
Details for the file mem_forensics_mcp-1.2.1-py3-none-any.whl.
File metadata
- Download URL: mem_forensics_mcp-1.2.1-py3-none-any.whl
- Upload date:
- Size: 5.5 MB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.11.14
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 6ed3aecddd1535d560d45f7bee968633da820cc6bcb40f2fb836c5b5d09f244b |
| MD5 | 77d8d25450f1f77c94a24378ae90a444 |
| BLAKE2b-256 | 71d05465866043243071d2c55b15515bb945420047cb7e960f55b91c48686102 |