Public

Volatilität-MCP-Server

Name: Volatilität-MCP-Server
Rating: 5 (100 reviews)
Author: bornpresident

Try Now

2025-03-31

Ein Model Context Protocol (MCP) -Server, der Volatilität 3 Speicher -Forensik -Framework in Claude integriert

3 years

Works with Finder

2

Github Watches

0

Github Forks

13

Github Stars

Volatility MCP Server

A Model Context Protocol (MCP) server that integrates Volatility 3 memory forensics framework with Claude and other MCP-compatible LLMs.

Why This Matters

In India, digital forensic investigators face a massive backlog of cases due to the country's large population and rising cybercrime rates. This tool helps address this challenge by:

Allowing investigators to analyze memory dumps using simple natural language instead of complex commands
Reducing the technical expertise needed to perform memory forensics
Accelerating the analysis process through automation
Helping clear case backlogs and deliver faster results to the judicial system

By making memory forensics more accessible, this tool can significantly reduce the burden on forensic experts and improve cybersecurity response across India.

Overview

This project bridges the powerful memory forensics capabilities of the Volatility 3 Framework with Large Language Models (LLMs) through the Model Context Protocol (MCP). It allows you to perform memory forensics analysis using natural language by exposing Volatility plugins as MCP tools that can be invoked directly by Claude or other MCP-compatible LLMs.

Features

Natural Language Memory Forensics: Ask Claude to analyze memory dumps using natural language
Process Analysis: Examine running processes, parent-child relationships, and hidden processes
Network Forensics: Identify network connections in memory dumps
Malware Detection: Find potential code injection and other malicious artifacts
DLL Analysis: Examine loaded DLLs and modules
File Objects: Scan for file objects in memory
Custom Plugins: Run any Volatility plugin with custom arguments
Memory Dump Discovery: Automatically find memory dumps in a directory

Requirements

Python 3.10 or higher
Volatility 3 Framework
Claude Desktop or other MCP-compatible client
MCP Python SDK (mcp package)

Installation

Clone this repository:

git clone https://github.com/yourusername/volatility-mcp-server.git

Install the required Python packages:
```
pip install mcp httpx
```
Configure the Volatility path in the script:
- Open volatility_mcp_server.py and update the VOLATILITY_DIR variable to point to your Volatility 3 installation path.
Configure Claude Desktop:
- Open your Claude Desktop configuration file located at:
  - Windows: %APPDATA%\Claude\claude_desktop_config.json
  - macOS: ~/Library/Application Support/Claude/claude_desktop_config.json
- Add the server configuration:
```
{
  "mcpServers": {
    "volatility": {
      "command": "python",
      "args": [
        "/path/to/volatility_mcp_server.py"
      ],
      "env": {
        "PYTHONPATH": "/path/to/volatility3"
      }
    }
  }
}
```
- Replace /path/to/ with the actual path to your files.
Restart Claude Desktop to apply the changes.

Usage

After setup, you can simply ask Claude natural language questions about your memory dumps:

"List all processes in the memory dump at C:\path\to\dump.vmem"
"Show me the network connections in C:\path\to\dump.vmem"
"Run malfind to check for code injection in the memory dump"
"What DLLs are loaded in process ID 4328?"
"Check for hidden processes in C:\path\to\dump.vmem"

Available Tools

The server exposes the following Volatility plugins as MCP tools:

list_available_plugins - Shows all Volatility plugins you can use
get_image_info - Provides information about a memory dump file
run_pstree - Shows the process hierarchy
run_pslist - Lists processes from the process list
run_psscan - Scans for processes including ones that might be hidden
run_netscan - Shows network connections in the memory dump
run_malfind - Detects potential code injection
run_cmdline - Shows command line arguments for processes
run_dlllist - Lists loaded DLLs for processes
run_handles - Shows file handles and other system handles
run_filescan - Scans for file objects in memory
run_memmap - Shows the memory map for a specific process
run_custom_plugin - Run any Volatility plugin with custom arguments
list_memory_dumps - Find memory dumps in a directory

Memory Forensics Workflow

This MCP server enables a streamlined memory forensics workflow:

Initial Triage:
- "Show me the process tree in memory.vmem"
- "List all network connections in memory.vmem"
Suspicious Process Investigation:
- "What command line was used to start process 1234?"
- "Show me all the DLLs loaded by process 1234"
- "What file handles are open in process 1234?"
Malware Hunting:
- "Run malfind on memory.vmem to check for code injection"
- "Show me processes with unusual parent-child relationships"
- "Find hidden processes in memory.vmem"

Troubleshooting

If you encounter issues:

Path Problems:
- Make sure all paths are absolute and use double backslashes in Windows paths
- Check that the memory dump file exists and is readable
Permission Issues:
- Run Claude Desktop as Administrator
- Check that Python and the Volatility directory have proper permissions
Volatility Errors:
- Make sure Volatility 3 works correctly on its own
- Try running the same command directly in your command line
MCP Errors:
- Check Claude Desktop logs for MCP errors
- Make sure the MCP Python package is installed correctly

Extending

This server can be extended by:

Adding more Volatility plugins
Creating custom analysis workflows
Integrating with other forensic tools
Adding report generation capabilities

License

MIT License

Reviews

1 (1)

user_2PEuRtDR

2025-04-18

As an avid user of Volatility-MCP-Server, I am impressed by its robustness and reliability. The seamless integration and powerful functionality provided by bornpresident make it a must-have tool for anyone working in memory forensics. It has significantly streamlined my workflow and improved my analysis efficiency. Highly recommended!