mem-forensics-mcp
Provides threat intelligence capabilities by enabling lookups of file hashes, IP addresses, domains, and files against VirusTotal's database for reputation analysis.
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@mem-forensics-mcprun full triage on /cases/memory.raw"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
mem-forensics-mcp
Unified Memory Forensics MCP Server - Multi-tier engine combining Rust speed with Vol3 coverage.
Architecture
Three-tier engine automatically routes each tool to the fastest backend:
LLM <-> [mem-forensics-mcp (Python)] <-> memoxide (Rust child, stdio MCP)
<-> Volatility3 (Python library)Tier | Engine | Speed | Coverage |
Tier 1 | Rust (memoxide) | Fast | pslist, psscan, cmdline, dlllist, malfind, netscan, cmdscan, search, readraw, rsds |
Tier 2 | Python analyzers | Medium | Process anomalies, C2 detection, credentials, YARA, VT integration |
Tier 3 | Volatility3 | Slower | Any vol3 plugin (filescan, handles, svcscan, driverscan, ...) |
Related MCP server: Protocol-SIFT-Async-Bridge
Installation
Prerequisites
# Install uv (fast Python package manager)
curl -LsSf https://astral.sh/uv/install.sh | sh
# Ensure Python 3.10+
python3 --versionInstall from PyPI
uv pip install mem-forensics-mcpInstall from source
git clone https://github.com/x746b/mem_forensics-mcp.git
cd mem_forensics-mcp
# Full install (recommended)
uv sync --extra full
# Minimal (Vol3 only, no YARA/VT)
uv sync --extra volatility3Build Rust Engine (optional)
Prebuilt binaries ship for aarch64-linux and x86_64-linux in engines/memoxide/. The server auto-detects the host architecture. To build from source:
# Requires Rust toolchain (https://rustup.rs)
cd engines/memoxide-src
cargo build --release
# Binary lands at engines/memoxide-src/target/release/memoxide
# The server auto-detects it (prefers local build over prebuilt)Configure Volatility3 (optional)
If Vol3 is installed at /opt/volatility3 it's auto-detected. Otherwise: export VOLATILITY3_PATH="/path/to/volatility3"
Verify
uv run python -m mem_forensics_mcp.server
# Should show: Rust engine: available, Volatility3: availableAdding to Claude CLI
claude mcp add mem-forensics-mcp \
--scope user \
-- uv run --directory /opt/mem_forensics-mcp python -m mem_forensics_mcp.serverWith custom Volatility3 path:
claude mcp add mem-forensics-mcp \
--scope user \
-e VOLATILITY3_PATH=/opt/volatility3 \
-- uv run --directory /opt/mem_forensics-mcp python -m mem_forensics_mcp.serverQuick Start
# 1. Initialize
memory_analyze_image(image_path="/evidence/memory.raw")
# 2. Full triage
memory_full_triage(image_path="/evidence/memory.raw")
# 3. Drill down
memory_run_plugin(image_path="/evidence/memory.raw", plugin="malfind", pid=1234)Tool Reference
Core
Tool | Tier | Description |
| 1->2 | Initialize image, auto-detect profile |
| 1->3 | Run any plugin (Rust or Vol3) |
| - | List available plugins |
| - | List active sessions |
| - | Show engine status |
Analysis
Tool | Tier | Description |
| 1+2 | Complete automated investigation |
| 2 | DKOM detection, parent-child validation |
| 2 | Process tree with suspicious highlighting |
| 1->2 | Code injection + YARA scanning |
| 1+2 | Network C2 detection |
| 1+2 | Command recovery + classification |
| 2 | Hash/secret extraction via Vol3 |
Extraction
Tool | Tier | Description |
| 2 | Process info and loaded DLLs |
| 2 | Examine memory region details |
| 3 | List cached files |
Threat Intelligence
Tool | Description |
| VirusTotal hash lookup |
| VirusTotal IP reputation |
| VirusTotal domain reputation |
| Hash file + VT lookup |
Example: Full Triage Output
Running memory_full_triage on a Windows 10 memory dump (Win10 19041, x64, VMware):
{
"threat_level": "critical",
"risk_score": 100,
"summary": "Processes: 115 found. Process Anomalies: 4 info-level. Network: 4 flagged of 79 connections. Commands: 56 memory fragments. Injected Code: 12 RWX regions. Correlations: 2 critical.",
"engine": "rust+python"
}Key findings:
Category | Detail |
Suspicious process |
|
Injected code | 4 RWX private memory regions in mmc.exe, 2 in EXCEL.EXE |
Child process |
|
Network | svchost.exe connections to external IPs on ports 443/80 |
Correlations |
|
IOCs | Suspicious external IPs extracted automatically |
Drill-down with filtered filescan:
memory_run_plugin(image_path="memory.raw", plugin="filescan", filter="notepad")
# Returns: 2 of 7612 results matched (server-side grep before truncation)Related Projects
winforensics-mcp — Windows disk forensics (EVTX, Registry, MFT, Prefetch, YARA, PCAP)
mac_forensics-mcp — macOS DFIR (Unified Logs, FSEvents, Spotlight, Plists)
MIT License | xtk | Built for the DFIR community. No Windows required >)
This server cannot be installed
Maintenance
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/x746b/mem_forensics-mcp'
If you have feedback or need assistance with the MCP directory API, please join our Discord server