volatility_windows
Analyze Windows memory dumps using Volatility 3 plugins to extract forensic data like processes, network connections, registry entries, and malware indicators.
Instructions
Run a Volatility 3 Windows plugin against a memory dump. Returns plugin, success, output, and errors. Read-only analysis, Volatility 3 auto-detects OS. Requires vol3 (vol) on PATH.
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| dump_path | Yes | Path to the Windows memory dump file | |
| plugin | Yes | Volatility 3 Windows plugin to run (one of the fixed plugin names listed in the implementation) | |
Implementation Reference
- src/tools/memory.ts:100-148 (handler)

The 'volatility_windows' tool is registered and implemented within 'src/tools/memory.ts'. It uses the Volatility 3 'vol' binary to run plugins against a Windows memory dump and returns the results.
```typescript
// Helpers findVolatility3(), validateDump() and runCmd() are defined elsewhere in src/tools/memory.ts.
server.tool(
  "volatility_windows",
  "Run a Volatility 3 Windows plugin against a memory dump. Returns plugin, success, output, and errors. Read-only analysis, Volatility 3 auto-detects OS. Requires vol3 (vol) on PATH.",
  {
    dump_path: z.string().describe("Path to the Windows memory dump file"),
    // Fixed allowlist: only these plugin names can reach the command line, and they are
    // passed as a separate argv element rather than through a shell string.
    plugin: z
      .enum([
        "windows.info",
        "windows.pslist",
        "windows.pstree",
        "windows.netscan",
        "windows.netstat",
        "windows.filescan",
        "windows.malfind",
        "windows.cmdline",
        "windows.dlllist",
        "windows.handles",
        "windows.registry.hivelist",
        "windows.registry.printkey",
        "windows.envars",
        "windows.svcscan",
      ])
      .describe("Volatility 3 Windows plugin to run"),
  },
  async ({ dump_path, plugin }) => {
    const volBin = findVolatility3();
    if (!volBin) {
      const result = { error: "Volatility 3 not found. Install it and ensure 'vol' is on PATH." };
      return { content: [{ type: "text", text: JSON.stringify(result, null, 2) }] };
    }
    // validateDump() checks the user-supplied path before it is handed to the binary.
    const dump = validateDump(dump_path);
    // runCmd() enforces a timeout so a slow scanning plugin cannot hang the server.
    const res = await runCmd(volBin, ["-f", dump, plugin], { timeout: 300 });
    const result = {
      plugin,
      success: res.success,
      // Output is truncated to bound the response size; long plugin output may be cut mid-row.
      output: res.stdout.slice(0, 5000),
      errors: res.stderr ? res.stderr.slice(0, 1000) : "",
    };
    return { content: [{ type: "text", text: JSON.stringify(result, null, 2) }] };
  }
);
```
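As an added example (not part of the server's code), the following parses the `output` text that this tool returns for `windows.pslist`, handles the mid-row cut that the 5000-character slice can produce, and runs a small parent-process triage over the rows. It assumes Volatility 3's default tab-separated column layout for pslist; the sample output is constructed.

```typescript
// Added example: consume the truncated windows.pslist text returned by volatility_windows.
// Column positions assumed from Volatility 3's default tab-separated renderer.
interface Proc { pid: number; ppid: number; name: string; createTime: string }

function parsePslist(stdout: string): { procs: Proc[]; truncated: boolean } {
  const lines = stdout.split("\n");
  // The tool slices stdout at 5000 chars, so a final line with no newline terminator
  // is most likely a row cut in half: drop it and report the truncation to the analyst.
  const truncated = lines[lines.length - 1] !== "";
  if (truncated) lines.pop();
  const header = lines.findIndex((l) => l.startsWith("PID\tPPID\t"));
  if (header < 0) return { procs: [], truncated };
  const procs: Proc[] = [];
  for (const line of lines.slice(header + 1)) {
    const cols = line.split("\t");
    if (cols.length < 9) continue; // blank lines and banner text
    procs.push({ pid: Number(cols[0]), ppid: Number(cols[1]), name: cols[2], createTime: cols[8] });
  }
  return { procs, truncated };
}

// Expected parents for a few core Windows processes. A mismatch is a triage lead
// (the parent may simply have exited), not proof of compromise.
const EXPECTED_PARENT: Record<string, string> = {
  "svchost.exe": "services.exe", "lsass.exe": "wininit.exe",
  "services.exe": "wininit.exe", "csrss.exe": "smss.exe",
};

function parentMismatches(procs: Proc[]): string[] {
  const byPid = new Map<number, Proc>();
  for (const p of procs) byPid.set(p.pid, p);
  const findings: string[] = [];
  for (const p of procs) {
    const want = EXPECTED_PARENT[p.name.toLowerCase()];
    if (!want) continue;
    const parent = byPid.get(p.ppid);
    const got = parent ? parent.name.toLowerCase() : "<exited or unknown>";
    if (got !== want) findings.push(`${p.name} (pid ${p.pid}) parent is ${got}, expected ${want}`);
  }
  return findings;
}

// Constructed sample shaped like windows.pslist output, cut mid-row as the slice would do.
const row = (pid: number, ppid: number, name: string): string =>
  [pid, ppid, name, "0x0", "4", "N/A", "N/A", "False", "2023-01-01 10:00:00.000000", "N/A", "Disabled"].join("\t");
const SAMPLE = [
  "Volatility 3 Framework 2.x.x", "Progress:  100.00\t\tPDB scanning finished", "",
  "PID\tPPID\tImageFileName\tOffset(V)\tThreads\tHandles\tSessionId\tWow64\tCreateTime\tExitTime\tFile output", "",
  row(4, 0, "System"), row(300, 4, "smss.exe"), row(400, 300, "csrss.exe"), row(500, 300, "wininit.exe"),
  row(600, 500, "services.exe"), row(700, 500, "lsass.exe"), row(800, 600, "svchost.exe"), row(900, 1234, "svchost.exe"),
  "1000\t600\tsvch",
].join("\n");
```

Run against the sample, the parser drops the half row, reports `truncated: true`, and the triage flags only the svchost.exe instance whose parent PID is not in the listing.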