Skip to main content
Glama
x746b

mem-forensics-mcp

by x746b

mem-forensics-mcp

Unified Memory Forensics MCP Server - Multi-tier engine combining Rust speed with Vol3 coverage.


Architecture

Three-tier engine automatically routes each tool to the fastest backend:

LLM <-> [mem-forensics-mcp (Python)] <-> memoxide (Rust child, stdio MCP)
                                     <-> Volatility3 (Python library)

Tier

Engine

Speed

Coverage

Tier 1

Rust (memoxide)

Fast

pslist, psscan, cmdline, dlllist, malfind, netscan, cmdscan, search, readraw, rsds

Tier 2

Python analyzers

Medium

Process anomalies, C2 detection, credentials, YARA, VT integration

Tier 3

Volatility3

Slower

Any vol3 plugin (filescan, handles, svcscan, driverscan, ...)


Related MCP server: Protocol-SIFT-Async-Bridge

Installation

Prerequisites

# Install uv (fast Python package manager)
curl -LsSf https://astral.sh/uv/install.sh | sh

# Ensure Python 3.10+
python3 --version

Install from PyPI

uv pip install mem-forensics-mcp

Install from source

git clone https://github.com/x746b/mem_forensics-mcp.git
cd mem_forensics-mcp

# Full install (recommended)
uv sync --extra full

# Minimal (Vol3 only, no YARA/VT)
uv sync --extra volatility3

Build Rust Engine (optional)

Prebuilt binaries ship for aarch64-linux and x86_64-linux in engines/memoxide/. The server auto-detects the host architecture. To build from source:

# Requires Rust toolchain (https://rustup.rs)
cd engines/memoxide-src
cargo build --release

# Binary lands at engines/memoxide-src/target/release/memoxide
# The server auto-detects it (prefers local build over prebuilt)

Configure Volatility3 (optional)

If Vol3 is installed at /opt/volatility3 it's auto-detected. Otherwise: export VOLATILITY3_PATH="/path/to/volatility3"

Verify

uv run python -m mem_forensics_mcp.server
# Should show: Rust engine: available, Volatility3: available

Adding to Claude CLI

claude mcp add mem-forensics-mcp \
  --scope user \
  -- uv run --directory /opt/mem_forensics-mcp python -m mem_forensics_mcp.server

With custom Volatility3 path:

claude mcp add mem-forensics-mcp \
  --scope user \
  -e VOLATILITY3_PATH=/opt/volatility3 \
  -- uv run --directory /opt/mem_forensics-mcp python -m mem_forensics_mcp.server

Quick Start

# 1. Initialize
memory_analyze_image(image_path="/evidence/memory.raw")

# 2. Full triage
memory_full_triage(image_path="/evidence/memory.raw")

# 3. Drill down
memory_run_plugin(image_path="/evidence/memory.raw", plugin="malfind", pid=1234)

Tool Reference

Core

Tool

Tier

Description

memory_analyze_image

1->2

Initialize image, auto-detect profile

memory_run_plugin

1->3

Run any plugin (Rust or Vol3)

memory_list_plugins

-

List available plugins

memory_list_sessions

-

List active sessions

memory_get_status

-

Show engine status

Analysis

Tool

Tier

Description

memory_full_triage

1+2

Complete automated investigation

memory_hunt_process_anomalies

2

DKOM detection, parent-child validation

memory_get_process_tree

2

Process tree with suspicious highlighting

memory_find_injected_code

1->2

Code injection + YARA scanning

memory_find_c2_connections

1+2

Network C2 detection

memory_get_command_history

1+2

Command recovery + classification

memory_extract_credentials

2

Hash/secret extraction via Vol3

Extraction

Tool

Tier

Description

memory_dump_process

2

Process info and loaded DLLs

memory_dump_vad

2

Examine memory region details

memory_list_dumpable_files

3

List cached files

Threat Intelligence

Tool

Description

vt_lookup_hash

VirusTotal hash lookup

vt_lookup_ip

VirusTotal IP reputation

vt_lookup_domain

VirusTotal domain reputation

vt_lookup_file

Hash file + VT lookup


Example: Full Triage Output

Running memory_full_triage on a Windows 10 memory dump (Win10 19041, x64, VMware):

{
  "threat_level": "critical",
  "risk_score": 100,
  "summary": "Processes: 115 found. Process Anomalies: 4 info-level. Network: 4 flagged of 79 connections. Commands: 56 memory fragments. Injected Code: 12 RWX regions. Correlations: 2 critical.",
  "engine": "rust+python"
}

Key findings:

Category

Detail

Suspicious process

mmc.exe launched from explorer.exe, loading a .msc file from browser downloads

Injected code

4 RWX private memory regions in mmc.exe, 2 in EXCEL.EXE

Child process

dllhost.exe spawned by mmc.exe with executable RWX region

Network

svchost.exe connections to external IPs on ports 443/80

Correlations

active_implant + active_c2_session flagged as critical

IOCs

Suspicious external IPs extracted automatically

Drill-down with filtered filescan:

memory_run_plugin(image_path="memory.raw", plugin="filescan", filter="notepad")
# Returns: 2 of 7612 results matched (server-side grep before truncation)

  • winforensics-mcp — Windows disk forensics (EVTX, Registry, MFT, Prefetch, YARA, PCAP)

  • mac_forensics-mcp — macOS DFIR (Unified Logs, FSEvents, Spotlight, Plists)


MIT License | xtk | Built for the DFIR community. No Windows required >)

A
license - permissive license
-
quality - not tested
B
maintenance

Maintenance

Maintainers
Response time
5wRelease cycle
4Releases (12mo)
Commit activity

Resources

Unclaimed servers have limited discoverability.

Looking for Admin?

If you are the server author, to access and configure the admin panel.

Latest Blog Posts

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/x746b/mem_forensics-mcp'

If you have feedback or need assistance with the MCP directory API, please join our Discord server