Memory Forensics

Master memory forensics techniques including memory acquisition, process analysis, and…

A working playbook for acquiring and analyzing memory dumps to investigate incidents and analyze malware. It covers RAM capture across Windows, Linux, macOS, and virtual machines, then the full Volatility 3 plugin workflow for process, network, injection, and credential analysis.

$15 one-time
Add to a kit →

Prices include 20% VAT. · Forged on real agency work · one-time, no lock-in

  • Type Skill
  • Category Security
  • Delivery Email · instant
  • License One-time
forgehouse, memory-forensics

Inside the run · no black box

See the actual work before you buy it.

Evidence starts losing value the moment a RAM image is handled wrong. Chain of custody opens the investigation, process surveys run as cross-checked command chains, and the attack timeline gets rebuilt last.

  1. Acquires with chain of custody from minute one: a lightweight tool fit for the platform (WinPmem on Windows, LiME on Linux, a suspended VM's .vmem file or a hypervisor-side snapshot for guests, which avoids touching the guest at all), the image written to removable or network storage rather than the target's own disk, its SHA-256 recorded immediately, time, tool version and operator logged, and the original never written to again; analysis runs on a copy whose hash is re-verified at the start of every session.
  2. Runs the Volatility 3 process survey as a chain, not a single command: pslist for the list the kernel is willing to show, pstree for parent-child anomalies (a cmd.exe under winlogon.exe, an svchost.exe whose parent is not services.exe), then psscan cross-checked against pslist. psscan carves _EPROCESS structures out of pool memory, so a live process present in psscan but absent from pslist is a DKOM unlinking candidate; entries that carry an ExitTime are terminated processes psscan legitimately resurrects, not evidence of hiding, and are filtered out before the diff is read.
  3. Maps network activity with netscan and feeds every suspicious IP back into the evidence: the IP is grepped in strings output (offsets kept, so windows.strings can map each hit to the process that owns that memory), the owning process gets its DLLs, handles and command line enumerated, and one IOC grows into a full attack chain.
  4. Hunts injection from the assume-breach posture: malfind for private, executable-and-writable memory regions that no file backs, with the first bytes of each hit checked for an MZ header or a shellcode prologue; ldrmodules for DLLs unlinked from one or more of the PEB load-order lists and for an image base whose mapped path disagrees with the process name, a common hollowing tell (the main executable is normally absent from InInit, so that column alone is not a finding); the suspicious region dumped and run through strings, FLOSS for the obfuscated strings plain strings misses, and targeted YARA rules.
  5. Checks persistence and credentials: printkey over the Run and RunOnce keys of the hives in memory, svcscan for services with odd binary paths or no matching file on disk, scheduled task artifacts where they can be recovered, and hashdump, lsadump or cachedump only where the case authorizes credential extraction, with that authorization noted in the log.
  6. Rebuilds the timeline last: timeliner output sorted by creation time into the first-access, privilege-escalation, lateral-movement, exfiltration sequence, correlated against disk and network timelines (clock skew between sources checked first), with every command logged for evidentiary integrity.
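The first two steps of that run, as an added shell example that is not part of the product or of Volatility 3 itself: a custody record that hashes and locks the image and re-verifies it before each session, and the pslist-versus-psscan cross-check with terminated processes filtered out. It assumes Volatility 3's default tab-separated text output (PID in column 1, ExitTime in column 10); the "image", the plugin outputs and the tool string are constructed fixtures, not from a real case.

```shell
#!/usr/bin/env bash
# Added example, not part of the product or of Volatility 3: helpers for
# step 1 (custody record) and step 2 (pslist vs psscan cross-check).
# Assumes Volatility 3 default tab-separated text output; the sample outputs
# and the "image" below are constructed fixtures, not from a real case.
set -eu
export LC_ALL=C

hash_file() {   # SHA-256 hex digest on GNU or BSD userland
    { command -v sha256sum >/dev/null 2>&1 && sha256sum "$1" || shasum -a 256 "$1"; } | awk '{print $1}'
}

# Step 1: open the chain of custody. Hash, UTC time, tool and operator go into an
# append-only log the moment the dump lands, and the dump itself is made read-only.
# Usage: custody_record <image> <log> <tool-and-version>   -> prints the digest
custody_record() {
    sha="$(hash_file "$1")"
    printf '%s\tsha256=%s\ttool=%s\toperator=%s\tfile=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$sha" "$3" "${USER:-unknown}" "$1" >> "$2"
    chmod a-w "$1"
    echo "$sha"
}

# Re-verify at the start of every analysis session; returns non-zero on mismatch.
custody_verify() {
    expected="$(grep -F "file=$1" "$2" | tail -n 1 | sed 's/.*sha256=\([0-9a-f]*\).*/\1/')"
    [ -n "$expected" ] && [ "$expected" = "$(hash_file "$1")" ]
}

# Step 2: PIDs of *live* processes from a windows.pslist or windows.psscan text
# dump (e.g. `vol -f image.raw windows.psscan > psscan.txt`). Banner and header
# rows are skipped. Rows with an ExitTime (column 10) are terminated processes
# that psscan legitimately resurrects from pool memory; they are not
# hidden-process evidence, so they are dropped before the comparison.
live_pids() {
    awk -F'\t' '$1 ~ /^[0-9]+$/ && $10 ~ /^N\/A/ {print $1}' "$1"
}

# DKOM candidates: live in the pool scan, absent from the EPROCESS linked list.
hidden_pids() {
    a="$(mktemp)"; b="$(mktemp)"
    live_pids "$1" | sort -u > "$a"
    live_pids "$2" | sort -u > "$b"
    comm -13 "$a" "$b"          # only lines unique to the psscan side
    rm -f "$a" "$b"
}

# --- constructed fixtures (not real output) -------------------------------
WORK="$(mktemp -d)"
printf 'constructed stand-in for a memory image, not real RAM\n' > "$WORK/memory.raw"

row() { printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\t%s\n' "$@"; }
header() {   # $1 is the offset column label: Offset(V) for pslist, Offset(P) for psscan
    printf 'Volatility 3 Framework 2.7.0\nProgress:  100.00\t\tPDB scanning finished\n'
    row PID PPID ImageFileName "$1" Threads Handles SessionId Wow64 CreateTime ExitTime 'File output'
    printf '\n'
}
{
    header 'Offset(V)'
    row 4    0   System       0xfa8000c9b040 82 495 N/A False '2024-03-01 10:00:00.000000 ' N/A Disabled
    row 528  4   smss.exe     0xfa8001a2b040 2  29  N/A False '2024-03-01 10:00:02.000000 ' N/A Disabled
    row 1004 528 winlogon.exe 0xfa8001c3d040 5  120 1   False '2024-03-01 10:00:05.000000 ' N/A Disabled
    row 2816 604 svchost.exe  0xfa8002111040 12 310 0   False '2024-03-01 10:01:00.000000 ' N/A Disabled
} > "$WORK/pslist.txt"
{
    header 'Offset(P)'
    row 4    0    System       0x000000c9b040 82 495 N/A False '2024-03-01 10:00:00.000000 ' N/A Disabled
    row 528  4    smss.exe     0x000001a2b040 2  29  N/A False '2024-03-01 10:00:02.000000 ' N/A Disabled
    row 1004 528  winlogon.exe 0x000001c3d040 5  120 1   False '2024-03-01 10:00:05.000000 ' N/A Disabled
    row 2816 604  svchost.exe  0x000002111040 12 310 0   False '2024-03-01 10:01:00.000000 ' N/A Disabled
    row 1337 2816 svchost.exe  0x000002f0a040 3  44  0   False '2024-03-01 10:07:13.000000 ' N/A Disabled
    row 2210 1004 cmd.exe      0x000002c4e040 0  0   1   False '2024-03-01 10:03:00.000000 ' '2024-03-01 10:05:41.000000 ' Disabled
} > "$WORK/psscan.txt"

custody_record "$WORK/memory.raw" "$WORK/custody.log" "winpmem (version as recorded at capture)"
custody_verify "$WORK/memory.raw" "$WORK/custody.log"
echo "psscan-only live PIDs (DKOM candidates):"
hidden_pids "$WORK/pslist.txt" "$WORK/psscan.txt"    # prints 1337; 2210 is excluded as terminated
```

The fixture directory is left in place so the custody log and plugin outputs can be inspected. On a real case the same functions run against the captured image and the plugin output files; the terminated-process filter is what keeps a routine psscan diff from flooding the report with processes that simply exited before the capture.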
Use cases · what happens when you plug it in

One power source. 6 lines out.

  1. Investigating a security incident from a RAM capture
  2. Detecting hidden processes and rootkits that evade normal tools
  3. Finding code injection and process-hollowing indicators in memory
  4. Reconstructing an attack timeline from memory artifacts
  5. Extracting strings, IOCs, and credentials from a dump
  6. Maintaining chain of custody for forensically sound analysis
Benefits · what you walk away with

Yours to keep.

Your forge

  1. Move from raw dump to root cause with a structured, repeatable workflow
  2. Surface threats that disk-only analysis misses by reading volatile evidence
  3. Strengthen findings through cross-plugin validation instead of single-source guesses
  4. Preserve evidence integrity to judicial standards with documented handling

subscriptions expire · deeds don't

What's included · the full manifest

Everything in the box: 6 parts, one working system, shipped instantly by email.

Part 01 of 06: Acquisition commands for Windows, Linux, macOS, and VM memory.

Who it's for

This wasn't forged for everyone.

  • Not for you if you'd rather rent a tool than own one.
  • Not for you if you want someone else to run your stack.
  • Not for you if you're happy guessing.
Still here? Good. If you are an incident responder, malware analyst, or digital forensics investigator working from RAM captures, then this was forged for you.

Works with

Universal by design: these run in any AI. Delivered in the open Agent Skills + MCP format (native in Claude); ChatGPT, Gemini, Cursor and Copilot adapt the same files their own way.

  • Claude Native format
  • ChatGPT Adapts via open standards
  • Gemini Adapts via open standards
  • Cursor Adapts via open standards
  • Copilot Adapts via open standards
Questions · still in the air


  1. Does this only cover Windows dumps, or can I work with Linux, macOS, and VM memory too?

    Acquisition commands cover Windows, Linux, macOS, and virtual machine memory, and the Volatility 3 plugin workflow applies to all of them. Once you have a dump, the process, network, injection, and credential analysis steps are the same.

  2. How does it find processes that a rootkit hides from normal tools?

    It reads volatile evidence straight from the dump and validates findings across multiple Volatility plugins instead of trusting one source. Cross-view comparison, such as psscan's pool-carved process list set against pslist's linked list, flags the gap between what the OS reports and what memory actually contains.

  3. Will it capture the memory dump for me?

    No. It gives you the acquisition commands and chain-of-custody discipline, but someone still has to run the capture on the target machine. The analysis workflow starts from a dump you already have.

  4. How is it delivered?

    By email right after purchase: ready to run, downloaded instantly, no setup wait.

  5. One-time or subscription?

    A one-time purchase; no subscription or hidden fees. VAT (20%) is included.

  6. Can I get a refund?

    As a digital product, it can’t be refunded once downloaded. That’s why we show exactly what’s inside and who it’s for, right here.