Volatility
A Model Context Protocol (MCP) server that integrates Volatility 3 memory forensics framework with Claude and other MCP-compatible LLMs.
Why This Matters
In India, digital forensic investigators face a massive backlog of cases due to the country's large population and rising cybercrime rates. This tool helps address this challenge by:
- Allowing investigators to analyze memory dumps using simple natural language instead of complex commands
- Reducing the technical expertise needed to perform memory forensics
- Accelerating the analysis process through automation
- Helping clear case backlogs and deliver faster results to the judicial system
By making memory forensics more accessible, this tool can significantly reduce the burden on forensic experts and improve cybersecurity response across India.
Overview
This project bridges the powerful memory forensics capabilities of the Volatility 3 Framework with Large Language Models (LLMs) through the Model Context Protocol (MCP). It allows you to perform memory forensics analysis using natural language by exposing Volatility plugins as MCP tools that can be invoked directly by Claude or other MCP-compatible LLMs.
Features
- Natural Language Memory Forensics: Ask Claude to analyze memory dumps using natural language
- Process Analysis: Examine running processes, parent-child relationships, and hidden processes
- Network Forensics: Identify network connections in memory dumps
- Malware Detection: Find potential code injection and other malicious artifacts
- DLL Analysis: Examine loaded DLLs and modules
- File Objects: Scan for file objects in memory
- Custom Plugins: Run any Volatility plugin with custom arguments
- Memory Dump Discovery: Automatically find memory dumps in a directory
Requirements
- Python 3.10 or higher
- Volatility 3 Framework
- Claude Desktop or other MCP-compatible client
- MCP Python SDK (
mcp
package)
Installation
-
Clone this repository:
git clone https://github.com/yourusername/volatility-mcp-server.git
-
Install the required Python packages:
pip install mcp httpx
-
Configure the Volatility path in the script:
- Open
volatility_mcp_server.py
and update theVOLATILITY_DIR
variable to point to your Volatility 3 installation path.
- Open
-
Configure Claude Desktop:
- Open your Claude Desktop configuration file located at:
- Windows:
%APPDATA%\Claude\claude_desktop_config.json
- macOS:
~/Library/Application Support/Claude/claude_desktop_config.json
- Windows:
- Add the server configuration:
{ "mcpServers": { "volatility": { "command": "python", "args": [ "/path/to/volatility_mcp_server.py" ], "env": { "PYTHONPATH": "/path/to/volatility3" } } } }
- Replace
/path/to/
with the actual path to your files.
- Open your Claude Desktop configuration file located at:
-
Restart Claude Desktop to apply the changes.
Usage
After setup, you can simply ask Claude natural language questions about your memory dumps:
- "List all processes in the memory dump at C:\path\to\dump.vmem"
- "Show me the network connections in C:\path\to\dump.vmem"
- "Run malfind to check for code injection in the memory dump"
- "What DLLs are loaded in process ID 4328?"
- "Check for hidden processes in C:\path\to\dump.vmem"
Available Tools
The server exposes the following Volatility plugins as MCP tools:
list_available_plugins
- Shows all Volatility plugins you can useget_image_info
- Provides information about a memory dump filerun_pstree
- Shows the process hierarchyrun_pslist
- Lists processes from the process listrun_psscan
- Scans for processes including ones that might be hiddenrun_netscan
- Shows network connections in the memory dumprun_malfind
- Detects potential code injectionrun_cmdline
- Shows command line arguments for processesrun_dlllist
- Lists loaded DLLs for processesrun_handles
- Shows file handles and other system handlesrun_filescan
- Scans for file objects in memoryrun_memmap
- Shows the memory map for a specific processrun_custom_plugin
- Run any Volatility plugin with custom argumentslist_memory_dumps
- Find memory dumps in a directory
Memory Forensics Workflow
This MCP server enables a streamlined memory forensics workflow:
-
Initial Triage:
- "Show me the process tree in memory.vmem"
- "List all network connections in memory.vmem"
-
Suspicious Process Investigation:
- "What command line was used to start process 1234?"
- "Show me all the DLLs loaded by process 1234"
- "What file handles are open in process 1234?"
-
Malware Hunting:
- "Run malfind on memory.vmem to check for code injection"
- "Show me processes with unusual parent-child relationships"
- "Find hidden processes in memory.vmem"
Troubleshooting
If you encounter issues:
-
Path Problems:
- Make sure all paths are absolute and use double backslashes in Windows paths
- Check that the memory dump file exists and is readable
-
Permission Issues:
- Run Claude Desktop as Administrator
- Check that Python and the Volatility directory have proper permissions
-
Volatility Errors:
- Make sure Volatility 3 works correctly on its own
- Try running the same command directly in your command line
-
MCP Errors:
- Check Claude Desktop logs for MCP errors
- Make sure the MCP Python package is installed correctly
Extending
This server can be extended by:
- Adding more Volatility plugins
- Creating custom analysis workflows
- Integrating with other forensic tools
- Adding report generation capabilities