Volatility
Volatility is the reference open-source framework for analysing memory images: it reconstructs processes, handles, loaded modules, network connections and injected code from Windows, Linux and macOS dumps through a large plugin library (pslist, psscan, malfind, netscan, timeliner and many more). The current Volatility 3 rewrite runs on Python 3 and uses symbol tables instead of hand-picked profiles (Windows symbols are fetched from Microsoft's PDB server; Linux and macOS need a symbol file built for the exact kernel), while the legacy Volatility 2 branch still requires a matching profile. Run it from the command line to answer single questions, or drive it from Python to automate hunts and build timelines, which is how most solo investigators piece an incident together. Plugin-rich and scriptable, it is the versatile surgeon for carving evidence out of RAM without the bloat.
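The classic Volatility check for hidden malware is to compare two views of the same memory image: windows.pslist walks the kernel's linked process list, windows.psscan carves process structures out of memory by pool tag, and a running process that appears only in the scan has been unlinked (DKOM). As an added worked example that is not part of this page or of the Volatility project, the Python below post-processes both plugins' JSON output to report such processes and also flags core Windows processes whose parent breaks the normal boot lineage. The inputs are constructed samples shaped like `vol -r json` output; the column names, every PID, and the `svch0st.exe` process are assumptions for the demonstration.

```python
"""Cross-check Volatility 3 pslist and psscan output and sanity-check parents.

Constructed sample data shaped like `vol -r json -f mem.raw windows.pslist`
and `... windows.psscan`; column names follow Volatility 3's renderer (assumed)
and every PID, name and time below is invented for the demonstration.
"""
import json

PSLIST_JSON = """[
 {"PID": 4,    "PPID": 0,    "ImageFileName": "System",       "ExitTime": null},
 {"PID": 300,  "PPID": 4,    "ImageFileName": "smss.exe",     "ExitTime": null},
 {"PID": 380,  "PPID": 372,  "ImageFileName": "csrss.exe",    "ExitTime": null},
 {"PID": 432,  "PPID": 372,  "ImageFileName": "wininit.exe",  "ExitTime": null},
 {"PID": 520,  "PPID": 432,  "ImageFileName": "services.exe", "ExitTime": null},
 {"PID": 540,  "PPID": 432,  "ImageFileName": "lsass.exe",    "ExitTime": null},
 {"PID": 700,  "PPID": 520,  "ImageFileName": "svchost.exe",  "ExitTime": null},
 {"PID": 1200, "PPID": 1100, "ImageFileName": "explorer.exe", "ExitTime": null},
 {"PID": 3100, "PPID": 1200, "ImageFileName": "lsass.exe",    "ExitTime": null}
]"""

# psscan carves _EPROCESS structures by pool tag instead of walking the
# ActiveProcessLinks list, so it also sees unlinked (hidden) and exited
# processes. Constructed: everything in pslist plus one hidden and one exited.
PSSCAN_JSON = json.dumps(json.loads(PSLIST_JSON) + [
    {"PID": 2400, "PPID": 1200, "ImageFileName": "svch0st.exe", "ExitTime": None},
    {"PID": 2900, "PPID": 700, "ImageFileName": "notepad.exe",
     "ExitTime": "2024-03-01T10:15:00+00:00"},
])

# Normal Windows lineage for processes that attackers like to impersonate.
EXPECTED_PARENT = {
    "smss.exe": {"system"},
    "csrss.exe": {"smss.exe"},
    "wininit.exe": {"smss.exe"},
    "winlogon.exe": {"smss.exe"},
    "services.exe": {"wininit.exe"},
    "lsass.exe": {"wininit.exe"},
    "svchost.exe": {"services.exe"},
}


def load_processes(json_text):
    """Index renderer output by PID (pslist/psscan are flat, no __children)."""
    return {int(p["PID"]): p for p in json.loads(json_text)}


def find_hidden(pslist, psscan):
    """Processes psscan carved but the linked list no longer reaches.
    Exited processes legitimately linger as pool allocations, so only
    entries without an ExitTime are reported."""
    return [p for pid, p in sorted(psscan.items())
            if pid not in pslist and not p.get("ExitTime")]


def find_parent_anomalies(procs):
    """Core Windows processes whose live parent is not the expected one.
    A parent missing from the list (smss/userinit instances exit after
    spawning) cannot be judged and is skipped rather than reported."""
    anomalies = []
    for pid, p in sorted(procs.items()):
        expected = EXPECTED_PARENT.get(p["ImageFileName"].lower())
        if not expected:
            continue
        parent = procs.get(int(p["PPID"]))
        if parent is None:
            continue
        if parent["ImageFileName"].lower() not in expected:
            anomalies.append((p["ImageFileName"], pid, parent["ImageFileName"]))
    return anomalies


if __name__ == "__main__":
    pslist = load_processes(PSLIST_JSON)
    psscan = load_processes(PSSCAN_JSON)
    for p in find_hidden(pslist, psscan):
        print(f"HIDDEN   pid={p['PID']:<5} {p['ImageFileName']} (psscan only)")
    for name, pid, parent in find_parent_anomalies(pslist):
        print(f"LINEAGE  pid={pid:<5} {name} spawned by {parent}")
```

Two caveats when using this on real output: PIDs are reused, so a psscan entry with the same PID as a live process may be an old, exited instance and should be matched on offset as well; and a parent that has exited (as `smss.exe` does after spawning `csrss.exe` and `wininit.exe`) is not an anomaly, which is why the check skips unknown parents instead of reporting them.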
Rekall
Rekall is a memory-forensics framework that Google forked from Volatility in 2013, adding live analysis through its own pmem acquisition drivers, profile repositories fetched on demand, custom address spaces and a timeline plugin. It parses raw dumps, hibernation files and crash dumps, and its interactive Python shell lets you script queries for automated hunts. Rekall is open source but no longer maintained (development stopped around 2020 and current operating system versions are not covered), so treat it as a reference implementation and a source of ideas rather than a first-choice tool for new cases.
Autopsy
Autopsy is the graphical digital-forensics platform built on The Sleuth Kit. Its core is disk-image analysis: ingest modules carve files, parse registry hives, browser history and other artefacts, and present everything in a searchable timeline view with report export for case write-ups. Memory images are not a first-class input; the experimental Volatility ingest module shells out to a locally installed Volatility to run a chosen set of plugins on a dump and pulls the results into the case. Open source and modular, it is the accessible workbench for examiners who want one interface for disk evidence with a memory side-car.
Bulk Extractor
bulk_extractor is a high-speed carver that scans raw byte streams from disk images, memory dumps or arbitrary files without parsing the file system, extracting e-mail addresses, URLs, credit-card numbers, phone numbers, Exif data and other features in parallel and writing each type to a tab-separated feature file plus a histogram. It recursively decompresses and decodes common encodings (zip, gzip, base64 and others) so it finds artefacts that file-level tools miss. Run it on a RAM snapshot for quick triage, then filter the feature files, because its pattern matching deliberately errs toward false positives. Open source and fast, it is the brute-force vacuum for sifting needles from haystacks.
Volatility Workbench
Volatility Workbench is PassMark's free Windows GUI for Volatility: load a dump, pick the operating system and plugin from drop-downs, and it builds and runs the command line for you, caching results and exporting the output as text for reports. Current releases wrap Volatility 3; the older 2.x line wraps Volatility 2. It adds no analysis capability of its own (anything it shows, `vol.py` can produce), but it removes the syntax burden for beginners and makes re-running plugins and comparing their output painless. Free, Windows-only and intuitive, it is the friendly dashboard for solo analysts demystifying memory mazes.
Memoryze
Memoryze is Mandiant's free, closed-source live-memory tool for Windows. It can acquire a full physical memory image or analyse the running system in place, enumerating processes, loaded drivers and DLLs, open handles and network sockets and flagging hooks and injected code without first writing an image to disk. It is driven by XML configuration files and batch wrappers (MemoryDD.bat, Process.bat and friends) and writes XML results that suit scripted post-processing. Long unchanged and now dated, it remains a compact grab-bag for responders capturing volatile state before shutdown; hash any image it acquires yourself, because preserving chain of custody is your job, not the tool's.
Velociraptor
Velociraptor is an open-source endpoint visibility and DFIR platform: a server pushes VQL (Velociraptor Query Language) artifacts to agents, which collect evidence from live systems and stream results back. For memory work it can acquire a physical-memory image with the bundled WinPmem driver, and its process, module and network artifacts expose much of what you would otherwise pull from a dump. Results land in a notebook for VQL post-processing and correlation across the fleet, and the same artifacts run offline against a single host with `velociraptor artifacts collect`. Query-flexible and fast to deploy, it is the agile hunter for individuals tracking threats across many endpoints.
The Sleuth Kit
The Sleuth Kit (TSK) is the open-source library and command-line toolkit for file-system forensics that Autopsy is built on. It works on disk images, not memory: `mmls` maps partitions, `fls` lists files including deleted entries and emits body files with `fls -m`, `icat` recovers content by inode, and `mactime` turns body files into a timeline. Pair it with a memory tool by correlating file-system timestamps with process start times from a RAM image to see what was written and when it executed. Robust and scriptable, it is the bedrock for examiners constructing cases from disk evidence alongside volatile data.
Rekall Memory Analysis
This entry covers Rekall's own plugin set and interactive console rather than a separate product. Its plugins handle malware detection and event reconstruction (injected-code and hook scans, driver and socket enumeration, a timeline plugin), and the IPython-based shell lets you run and chain them interactively, keeping results as Python objects for ad-hoc investigations and exporting them for reports. Like the core framework it is open source but unmaintained, so expect gaps on current operating system versions and fall back to Volatility 3 when a profile is missing.
LiME

