legionultramax/volatility3-elite-memory-forensics-playbook
GitHub: legionultramax/volatility3-elite-memory-forensics-playbook
An 8-phase, hands-on memory forensics playbook built on Volatility 3, with automation scripts and plugin-combination references.
Stars: 0 | Forks: 0
# Volatility 3 Memory Forensics Playbook

**A practical, day-to-day investigation playbook for Volatility 3.**
Built for real-world incident responders, malware analysts and memory forensics professionals.
Provides a clear **8-phase workflow** plus the elite plugin combinations senior analysts actually use.
## Master triage script (recommended first step)
Runs the full elite generic combination in one shot and organizes all of the output.
→ **[scripts/volatility-master-triage.py](scripts/volatility-master-triage.py)**
**Usage:**
```
python scripts/volatility-master-triage.py memdump.raw
```
## Elite Generic Plugin Combinations
Battle-tested combinations used on almost every memory dump.
→ **[plugins/elite-generic-combo.md](plugins/elite-generic-combo.md)**
## 8-Phase Investigation Workflow

| Phase | Workflow | Purpose |
|---|---|---|
| 1 | [workflows/01-initial-triage.md](workflows/01-initial-triage.md) | Verify dump, system info, and high-level triage |
| 2 | [workflows/02-process-analysis.md](workflows/02-process-analysis.md) | Deep process analysis and anomaly detection |
| 3 | [workflows/03-injection-detection.md](workflows/03-injection-detection.md) | Find process injection and hollowing |
| 4 | [workflows/04-network-artifacts.md](workflows/04-network-artifacts.md) | C2, exfiltration, and network IOCs |
| 5 | [workflows/05-registry-persistence.md](workflows/05-registry-persistence.md) | Autostart, services, and persistence mechanisms |
| 6 | [workflows/06-credential-access.md](workflows/06-credential-access.md) | LSASS dumping, hashes, and credential theft |
| 7 | [workflows/07-file-recovery.md](workflows/07-file-recovery.md) | Recover deleted files and filesystem artifacts |
| 8 | [workflows/08-malware-hunting.md](workflows/08-malware-hunting.md) | Final hunting, YARA, dumping, and extraction |

## Repository Contents
- `workflows/` — Core 8-phase investigation guide
- `plugins/` — Quick reference + elite generic combinations
- `scripts/` — Master triage automation script
- `yara/` — Starter YARA rules for memory scanning
- `examples/` — Real investigation examples
- `CONTRIBUTING.md` — How to contribute
- `CHANGELOG.md` — Version history
## Quick Start
```
pip install volatility3
vol -f memdump.raw windows.info
```
Made for working memory forensics investigators 🧠
Star this repo if it helps you during actual investigations.
Contributions, new workflows, and YARA rules are highly welcome!
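The master triage script above is described only by its invocation, so the following is an added example of what such a phase-ordered runner looks like. It is not the repository's `scripts/volatility-master-triage.py`. The plugin names are stock Volatility 3 Windows plugins and the `vol -q -r json -f <dump> <plugin>` command line is the standard CLI; which plugins are grouped under each of the eight phases, the output layout (one JSON file plus a stderr file per plugin under a per-phase directory) and the `triage-summary.json` name are this example's own choices. It also records a SHA-256 of the image before and after the run so the evidence hash ends up in the case notes, which is the "verify dump" step of phase 1.

```python
#!/usr/bin/env python3
"""Phase-ordered Volatility 3 triage runner (added example, not the repo's own script)."""
import hashlib
import json
import subprocess
import sys
from pathlib import Path

# Phase directory -> Volatility 3 plugins to run, following the page's 8-phase order.
# Plugin names are real vol3 plugins; assigning them to phases is this example's choice.
TRIAGE_PLAN = [
    ("01-initial-triage",       ["windows.info", "windows.pslist", "windows.pstree"]),
    ("02-process-analysis",     ["windows.psscan", "windows.cmdline", "windows.dlllist", "windows.handles"]),
    ("03-injection-detection",  ["windows.malfind", "windows.ldrmodules"]),
    ("04-network-artifacts",    ["windows.netscan", "windows.netstat"]),
    ("05-registry-persistence", ["windows.registry.hivelist", "windows.registry.userassist", "windows.svcscan"]),
    ("06-credential-access",    ["windows.hashdump", "windows.lsadump", "windows.cachedump"]),
    ("07-file-recovery",        ["windows.filescan"]),
    ("08-malware-hunting",      ["windows.modules", "windows.driverscan", "windows.callbacks", "windows.ssdt"]),
]


def sha256_file(path, chunk_size=1 << 20):
    """Stream-hash the image; memory dumps are large, so never read them in one go."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_commands(dump, outdir, vol="vol"):
    """Return (phase, plugin, argv, output_path) tuples in triage order.

    `-q` silences the progress bar and `-r json` gives machine-readable output that
    later phases (or a SIEM) can consume; both are stock Volatility 3 CLI flags.
    """
    commands = []
    for phase, plugins in TRIAGE_PLAN:
        for plugin in plugins:
            argv = [vol, "-q", "-r", "json", "-f", str(dump), plugin]
            commands.append((phase, plugin, argv, Path(outdir) / phase / f"{plugin}.json"))
    return commands


def _subprocess_runner(argv):
    """Default runner: execute vol and return (returncode, stdout, stderr)."""
    proc = subprocess.run(argv, capture_output=True, text=True)
    return proc.returncode, proc.stdout, proc.stderr


def run_triage(dump, outdir, runner=_subprocess_runner, vol="vol"):
    """Run every phase, keep stdout/stderr per plugin, and write a summary with image hashes.

    `runner` is injectable so the plan can be exercised without a real dump or vol install.
    """
    outdir = Path(outdir)
    outdir.mkdir(parents=True, exist_ok=True)
    sha_before = sha256_file(dump)
    summary = {"dump": str(dump), "sha256_before": sha_before, "plugins": {}}
    for phase, plugin, argv, out_path in build_commands(dump, outdir, vol):
        out_path.parent.mkdir(parents=True, exist_ok=True)
        rc, stdout, stderr = runner(argv)
        out_path.write_text(stdout)
        # vol3 reports symbol-table and layer problems on stderr; keep it beside the data.
        out_path.with_name(f"{plugin}.stderr.txt").write_text(stderr)
        summary["plugins"][plugin] = {"phase": phase, "returncode": rc, "output": str(out_path)}
    # Re-hash after the run: the image must be byte-identical to what was acquired.
    summary["sha256_after"] = sha256_file(dump)
    summary["dump_unchanged"] = summary["sha256_after"] == sha_before
    (outdir / "triage-summary.json").write_text(json.dumps(summary, indent=2))
    return summary


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: triage.py memdump.raw [output-dir]")
    result = run_triage(sys.argv[1], sys.argv[2] if len(sys.argv) > 2 else "triage-output")
    failed = [p for p, r in result["plugins"].items() if r["returncode"] != 0]
    print(f"{len(result['plugins'])} plugins run, {len(failed)} failed, "
          f"image unchanged: {result['dump_unchanged']}")
```

A non-zero return code from a plugin is recorded rather than aborting the run: on a dump with missing or mismatched symbols, `windows.info` and `windows.pslist` may fail while scanning-based plugins such as `windows.psscan` and `windows.netscan` still produce usable results, and the summary tells you which is which.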
Tags: AMSI bypass, C2 detection, DAST, DNS information, DNS brute forcing, DNS resolution, GhostArchive, HTTPS requests, bulk IP address processing, JARM, LSASS, Python, SecList, Triage, Volatility 3, Windows forensics, YARA rules, intrusion analysis, memory analysis, memory forensics, credential theft, forensic playbook, threat detection, library, incident response, malware analysis, persistence analysis, digital forensics, no backdoor, cybersecurity, automation scripts, offensive security, process injection detection, reverse engineering tools, privacy protection